CloudConnexa: Connecting Resources using Pfsense to CloudConnexa via IPSec Protocol

Description: If you have an existing pfSense setup and want to connect your resources to CloudConnexa via IPSec, follow these step-by-step instructions.

Step 1: Configure the CloudConnexa network

1. Sign in to your CloudConnexa portal.
2. Click Networks > Networks.
3. Click Add Network.
4. Select Remote Access for the scenario and click Continue.
   
5. Enter your configuration details for the new network:
   • Network Name: Enter a unique name.
   • Connector Tunneling Protocol: Select IPSec.
   • Connector Name: Enter a unique name or leave the default value.
   • Region: Select the nearest region to your resources.
   • Click Next.
     
6. Configure Network Connector displays. Click the drop-down for Platform to Connect and choose Other.
   
7. Enter the pfSense device's IP address for the Remote Site Public IPv4 Address.
8. Set the Authentication Method to Shared Secret.
9. Under Pre-shared Key, you can enter an available pre-shared key or generate one in the pfSense configuration below.
10. Enter values for Connector Hostname and Connector Domain: These can be any unique values you choose. They don't need to be a public or real domain. For example:
    • Connector Hostname: 'pfsense01'
    • Connector Domain: 'nino-secured.local'
    • Resulting FQDN (parameter needed for pfSense): 'pfsense01.nino-secured.local'
11. Take note of the FQDN and the connector public IP address (under 2. Remote Tunnel Configuration).
12. You don't need to expand the Advanced Configuration as they can remain unchanged to configure IPsec tunneling by default.
13. Scroll down to 2. Remote Tunnel Configuration and use the parameters displayed there to configure IPsec tunnel on your pfSense device.
    

Step 2: Configure IPSec on pfSense

To establish the IPSec tunnel, follow these steps to configure pfSense with your CloudConnexa parameters.

1. Sign in to pfSense.
2. Click VPN > IPsec > Tunnels > Add P1:
   
   
3. Configure the parameters for Phase 1 based on the Phase 1 (Internet Key Exchange) values from your CloudConnexa connector:
   
   • General Information
     • Description: Enter a descriptive name (e.g., CloudConnexa IPsec Phase1).
     • Disabled: Leave unchecked.
     • IKE Endpoint Configuration
       • Key Exchange Version: IKEv2.
       • Internet Protocol: IPv4.
       • Interface: WAN.
       • Remote Gateway: CloudConnexa Peer Id.
         
     • Phase 1 Proposal (Authentication)
       • Authentication Method: Mutual PSK
       • My identifier: Connector Peer Id.
       • Peer Identifier: Peer IP address.
       • Pre-Shared Key: Paste your pre-shared key here or click to generate a new pre-shared key. If you create a PSK here, ensure you paste it into the PSK field for your CloudConnexa connector.
     • Phase 1 Proposal (Encryption Algorithm)
       • Encryption Algorithm: AES, 256 bits, SHA256, and 15 (3072-bit).
     • Expiration and Replacement
       • Life Time: 28800.
       • Leave the default values for the other parameters. 
         
     • Advanced Options
       • Child SA Start Action: Default.
       • Child SA Close Action: Default.
       • NAT Traversal: Auto.
       • MOBIKE: Disable.
         
       • Gateway duplicates: Unchecked.
       • Split connections: Unchecked.
       • PRF Selection: Unchecked.
       • Custom IKE/NAT-T Ports: Leave blank.
       • Dead Peer Detection: Enable.
       • Delay: 30.
       • Max failures: 5.
         
4. Click Add P2 for Phase 2 of IPsec.
   
5. Enter the configuration details for phase 2, using Phase 2 (IPSec) from the CloudConnexa connector:
   • General Information
     • Description: Enter a descriptive name (e.g., Cloud Connexa IPsec Phase2).
     • Disabled: Unchecked.
     • Mode: Tunnel IPv4.
     • Phase 1: Use the Phase 1 you created in the previous steps.
   • Networks
     • Local Network: LAN subnet.
     • NAT/BINAT Translation: None.
     • Remote Network: Network.
       
   • Phase 2 Proposal (SA/Key Exchange)
     • Protocol: ESP.
     • Encryption Algorithm: AES.
     • Hash Algorithm: SHA256.
     • PFS key group: 15 (3072-bit)
   • Expiration and Replacement
     • Life Time: 3600.
     • Leave other settings as they are.
       
   • Keep Alive
     • Leave this section as is.
       
6. Click Save, then Apply Changes.
   

Finish Network Configuration on CloudConnexa

1. Return to your Network Connector configuration on the CloudConnexa portal.
2. Verify that the pfSense parameters match CloudConnexa:
   
   

Connect pfSense to CloudConnexa

1. Navigate to Status > IPsec in pfSense.
2. Click Connect P1 and P2s to initiate the connection to CloudConnexa.
   
3. The connection shows as Established:
   

Step 4: Add routes in pfSense

To ensure proper traffic flow, add the necessary routes:

• WPC subnet route.
• Domain routing subnet route.

You must configure these routes within pfSense to properly route traffic through the IPSec tunnel.

Step 5: Test connectivity in CloudConnexa

1. After configuring the IPSec tunnel, return to the CloudConnexa connector configuration and click Test Connection.
2. Complete the connector configuration by adding applications, routes, IP services, and access groups if desired.
3. Once the connection is established and routes are set up, your pfSense firewall should now be securely connected to CloudConnexa via IPSec.

If you have further questions or encounter issues, submit a support ticket.