@smilzo
Last active April 12, 2024 08:23
Fritzbox VPN configuration with OPNSense
// This configuration is not mine but was found on a German forum and modified for my needs. I'm sharing it because all the info is in German.
// Comments about a more secure VPN cfg are welcome; this is mere cut and paste because testing is slow.
//
// On the OPNSense side, configure the IPsec tunnel in this way.
// Tunnel Settings:
//
// - Connection method: I've put "Respond only" because the OPNSense is installed on a stable server
// - Key Exchange version: V1
// - Internet Protocol: IPv4
// - Interface: WAN
// - Remote gateway: XXXXX.myfritz.net - the MyFritz! hostname of the router
// - Dynamic gateway: Yes - I have the Fritzbox on a dynamic IP address
// - Authentication method: "Mutual PSK"
// - Negotiation mode: Main - I don't like VPN in aggressive mode, and it works with this cfg without it
// - My identifier: Distinguished Name : FQDN of OPNSense
// - Peer identifier: Distinguished Name : XXXXX.myfritz.net - the MyFritz! hostname of the router
//
// Phase 1 proposal (Algorithms)
// - Encryption algorithm: AES256
// - Hash algorithm: SHA1
// - DH key group: 1, 2, 5, 14, 15, 16, 17, 18
//
// Phase 2:
// - Mode: Tunnel IPv4
// Local Network
// - Type: LAN subnet
// Remote Network
// - Type: Network
// - Address: a.a.a.0 / 24 - the CIDR address of the FritzBox LAN
//
// Phase 2 proposal (SA/Key Exchange)
// - Protocol: ESP
// - Encryption algorithms: AES (Auto)
// - Hash algorithms: SHA1
// - PFS key group: 2
//
// Then you can save the text below on a computer and import it on the FritzBox as a VPN configuration.
//
// DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE - DELETE ABOVE
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Description of the VPN"; // Name of the VPN
        always_renew = yes; // Re-establish the connection automatically
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 0.0.0.0; // Static public IP of the OPNSense, or 0.0.0.0 to use remotehostname instead
        remotehostname = "hostname.domain.org"; // FQDN of the OPNSense, used when remoteip is 0.0.0.0
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = "XXXX.myfritz.net"; // MyFritz! hostname of the Fritzbox
        }
        remoteid {
            fqdn = "hostname.domain.org"; // FQDN of the OPNSense
        }
        mode = phase1_mode_idp;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "sharedKey"; // VPN pre-shared key
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = a.a.a.0; // Network address of the Fritzbox LAN
                mask = 255.255.255.0; // Netmask of the Fritzbox LAN
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = b.b.b.0; // Network address of the OPNSense LAN
                mask = 255.255.255.0; // Netmask of the OPNSense LAN
            }
        }
        phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs"; // Phase 2 proposal: AES-256 or 3DES with SHA, no AH, no compression, PFS on
        accesslist = "permit ip any b.b.b.0 255.255.255.0"; // Permit all traffic towards the OPNSense LAN
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
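An added example, not part of the gist or of AVM's or OPNsense's own tooling: a small Python checker for a vpncfg in the format above. It catches the mismatches the inline comments warn about (remoteid not equal to the OPNSense FQDN, accesslist subnet different from phase2remoteid, placeholder key left in) and flags the algorithm strings (all/all/all, 3DES, SHA) that keep the OPNSense phase 1/2 proposals from being tightened. Hostnames and addresses in the embedded sample are assumed placeholders.

```python
import ipaddress
import re

# Constructed sample in the FRITZ!Box vpncfg format from the gist, with
# placeholder names and RFC 1918 addresses (assumed values, not a real site).
SAMPLE_VPNCFG = """
vpncfg {
  connections {
    remoteip = 0.0.0.0;
    remotehostname = "opnsense.example.org";
    remoteid { fqdn = "opnsense.example.org"; }
    phase1ss = "all/all/all";
    key = "sharedKey";
    phase2remoteid { ipnet { ipaddr = 10.0.0.0; mask = 255.255.255.0; } }
    phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
    accesslist = "permit ip any 10.0.0.0 255.255.255.0";
  }
}
"""
def _value(text, key):
    """First `key = value;` in text, surrounding quotes removed."""
    m = re.search(r'\b%s\s*=\s*"?([^";]+?)"?\s*;' % re.escape(key), text)
    return m.group(1).strip() if m else None
def _block(text, name):
    """Body of the first `name { ... }`, up to the first closing brace."""
    m = re.search(r'\b%s\s*\{(.*?)\}' % re.escape(name), text, re.S)
    return m.group(1) if m else ""
def audit_vpncfg(text):
    """Return findings for a FRITZ!Box vpncfg that is meant to peer with OPNsense."""
    findings = []
    # With remoteip = 0.0.0.0 the box resolves remotehostname, and remoteid.fqdn
    # has to equal the OPNsense "My identifier", or phase 1 ID matching fails.
    if _value(text, "remoteip") in (None, "0.0.0.0") and \
            _value(_block(text, "remoteid"), "fqdn") != _value(text, "remotehostname"):
        findings.append("remoteid.fqdn differs from remotehostname")
    remote = _block(text, "phase2remoteid")
    want = ipaddress.ip_network("%s/%s" % (_value(remote, "ipaddr"), _value(remote, "mask")))
    m = re.search(r"permit ip any (\S+) (\S+)", _value(text, "accesslist") or "")
    if not m or ipaddress.ip_network("%s/%s" % m.groups()) != want:
        findings.append("accesslist subnet does not match phase2remoteid")
    # Algorithm strings: what the OPNsense proposal is forced to keep offering.
    if _value(text, "phase1ss") == "all/all/all":
        findings.append("phase1ss all/all/all accepts any phase 1 proposal (incl. DH group 1/2, SHA1)")
    p2 = _value(text, "phase2ss") or ""
    for token, msg in (("3des", "offers 3DES"), ("-sha/", "uses SHA1 integrity")):
        if token in p2:
            findings.append("phase2ss " + msg)
    if _value(text, "key") in (None, "sharedKey"):
        findings.append("pre-shared key still has the placeholder value")
    return findings
```

Run `audit_vpncfg(open("fritzbox.vpncfg").read())` against the file you are about to import; an empty list means the identities, subnets and key are consistent and no flagged algorithm string remains.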