Configuring Policy-based VPN

In a policy-based VPN, an IPsec VPN tunnel is created between endpoints based on the policy action for the transit traffic.

To configure a policy-based VPN:

  1. In the OPNsense Administrator Portal, go to VPN > IPsec > Tunnel Settings.

  2. In the Phase 1 section, click the + icon to create the first tunnel.

  3. Enter the details of the Phase 1 tunnel settings in these fields:

    • In the General Information section:

      • Set Connection method as Start immediate.

      • Set Key Exchange version as V2.

      • Set Internet Protocol as IPv4.

      • Set Interface as WAN.

      • Enter the Remote gateway details.

      • Enter Description as Policy based VPN.

    • In the Phase 1 proposal (Authentication) section:

      • Set Authentication method as Mutual PSK.

      • Set My identifier as My IP address.

      • Set Peer identifier as Peer IP address.

      • Enter the Pre-Shared Key details.

    • In the Phase 1 proposal (Algorithms) section:

      • Set Encryption algorithm as AES followed by 256.

  4. Enter the Harmony Connect branch office configuration that you copied earlier from the Infinity Portal.

  5. After completing Phase 1, click Phase 2 and enter the details in these fields:

    • In the General Information section:

      • Set Mode as Tunnel IPv4.

      • Enter Description as Policy Base Local network harmony connect.

    • In the Local Network section:

      • Set Type as LAN subnet.

      • Leave the Address field blank, with the prefix set to 32.

    • In the Remote Network section:

      • Set Type as Network.

      • Enter Address as 0.0.0.0 with prefix 0 (0.0.0.0/0).

    • In the Phase 2 proposal (SA/Key Exchange) section:

      • Set Protocol as ESP.

      • Enter Encryption algorithms as AES256.

      • Set Hash algorithms as SHA1.

      • Set PFS key group as 2 (1024 bits).

      • Enter Lifetime as 86400 seconds.

    • In the Advanced Options section:

      • Enter Automatically ping host as 100.126.0.4.

  6. Select the Install policy checkbox.

  7. Click Save and Apply changes.

  8. Click Status Overview, click restart, and check the status of the tunnels.

  9. To confirm that traffic is routed through Harmony Connect, ping 8.8.8.8 and trace the route; the next hop should be 100.126.0.0 (Harmony Connect). Follow these steps on the local machine behind the OPNsense firewall/gateway:

    1. Click Start and type CMD.

    2. Open Command Prompt.

    3. Run: C:\Users\IEUser>ping 8.8.8.8
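The check in step 9 can be scripted on the Windows client. The script below is an added example, not part of the original guide: it runs `tracert` against 8.8.8.8, parses the hop list, and reports whether the Harmony Connect next hop (100.126.0.0, as given in step 9) appears within the first few hops. It assumes the Windows `tracert` output format; the sample outputs embedded for offline use are constructed, not real captures.

```python
"""Confirm that client traffic egresses via the Harmony Connect tunnel."""
import re
import subprocess
from ipaddress import ip_address

HARMONY_HOP = "100.126.0.0"   # next hop named in step 9 of the guide
TEST_TARGET = "8.8.8.8"

# One tracert hop line: hop number, three RTT columns ("<1 ms", "12 ms" or "*"),
# then either an address, "host [address]" or "Request timed out."
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*)$")


def parse_tracert(text):
    """Return [(hop_number, address_or_None), ...]; None marks a timed-out hop."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        last = m.group(3).split()[-1].strip("[]")   # "[1.2.3.4]" or "1.2.3.4"
        try:
            addr = str(ip_address(last))
        except ValueError:                           # "Request timed out."
            addr = None
        hops.append((int(m.group(1)), addr))
    return hops


def harmony_hop_position(hops, expected=HARMONY_HOP):
    """Hop number at which the Harmony Connect gateway is reached, or None."""
    return next((n for n, a in hops if a == expected), None)


def check_path(text, expected=HARMONY_HOP, max_hops=3):
    """True when the tunnel carries traffic: the gateway shows up early in the path."""
    pos = harmony_hop_position(parse_tracert(text), expected)
    return pos is not None and pos <= max_hops


def run_tracert(target=TEST_TARGET, max_hops=3):
    """Run Windows tracert numerically, limited to max_hops, and return its output."""
    proc = subprocess.run(["tracert", "-d", "-h", str(max_hops), target],
                          capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed samples of `tracert -d -h 3 8.8.8.8` output (not real captures).
SAMPLE_OK = ("Tracing route to 8.8.8.8 over a maximum of 3 hops\n\n"
             "  1    <1 ms    <1 ms    <1 ms  192.168.1.1\n"
             "  2    12 ms    11 ms    12 ms  100.126.0.0\n"
             "  3    14 ms    13 ms    14 ms  8.8.8.8\n\nTrace complete.\n")
SAMPLE_BAD = ("Tracing route to 8.8.8.8 over a maximum of 3 hops\n\n"
              "  1    <1 ms    <1 ms    <1 ms  192.168.1.1\n"
              "  2     *        *        *     Request timed out.\n"
              "  3    20 ms    19 ms    21 ms  203.0.113.1\n\nTrace complete.\n")

if __name__ == "__main__":
    out = run_tracert()
    print(out)
    print("via Harmony Connect" if check_path(out) else "NOT via Harmony Connect")
```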