VPN appliance
-
Which version of pfSense did you test with? Is it already a snapshot that includes IPsec filtering? Also, which m0n0 version did you use for testing?
-
Whatever is posted in the download sections of their websites. The CD version.
-
Please test with the latest snapshot. It's based on a newer FreeBSD version: http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
-
It worked, thanks! Now it is about the same speed that I have on my old OpenBSD box. How stable is this snapshot? Is it safe to put it in a production environment?
What about m0n0wall, will it be up to the task? I've read that it won't use more than 64 MB of memory even under heavy load…
-
The m0n0wall 1.3 branch and the snapshots run on FreeBSD 6.2 and, in my tests, perform pretty similarly. The pfSense RELENG_1 snapshots are only bugfixes of 1.0.1 plus some small usability additions and a few minor new features. They are considered pretty stable, though we don't mark them as "stable" yet. See http://pfsense.blogspot.com/2007/01/102-beta-period-will-start-soon-5-9s.html
-
Thanks! I'll give pfSense a try…
One more question though.
I'm not familiar with BSD at all, but I know that my old BSD box is set up in such a way that every time I add a new remote location I don't have to do anything on the VPN server, I just do the settings on the remote endpoint.
Is it possible to recreate this on pfSense, or do I have to set up each tunnel separately?
-
Not sure how this is done in your old config, but you at least have to set up identifiers for the remote endpoints when using the mobile clients option.
-
Here is the isakmpd.conf file. Will it help?

# XXXXXXXXX Firewall @ HQ
### What will actually connect
[Phase 1]
XXX.XXX.XXX.XXX=        Ics
Default=                Remote_store

[Phase 2]
Connections=            Hq-ics,Hq-remote

# Define the gateways
[Ics]
Phase=                  1
Transport=              udp
Local-address=          XXX.XXX.XXX.XXX
Address=                XXX.XXX.XXX.XXX
Configuration=          Default-main-mode
Authentication=         xxxxxxxx

[Remote_store]
Phase=                  1
Transport=              udp
Local-address=          XXX.XXX.XXX.XXX
Configuration=          Default-main-mode
Authentication=         xxxxxxxx

# Define the connections
[Hq-ics]
Phase=                  2
ISAKMP-peer=            Ics
Configuration=          Default-quick-mode
Local-ID=               Net-hq
Remote-ID=              Net-ics

[Hq-remote]
Phase=                  2
ISAKMP-peer=            Remote_store
Configuration=          Default-quick-mode
Local-ID=               Net-hq
Remote-ID=              Net-remote

# Define the networks
[Net-ics]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0

[Net-hq]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0

[Net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.0.0
Netmask=                255.255.0.0

# Global settings
[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-MD5-SUITE
-
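The isakmpd.conf posted above, read by an added example (editor's code for this thread, not code from pfSense, m0n0wall or OpenBSD): a small Python parser that resolves each Phase 2 connection to its Phase 1 peer and reports whether that peer has a fixed Address= or is the one named by Default= in [Phase 1]. In isakmpd.conf the Default tag is the peer used for initiators whose address is not listed explicitly, which is what lets a new remote site come up without a change on the HQ box. The sample config is the posted file with the redacted XXX.XXX.XXX.XXX addresses replaced by constructed 203.0.113.x values and both pre-shared keys replaced by "secret" (an assumption, since the posted file redacts both). The parser also lists network selectors that overlap; in the posted file Net-remote (192.168.0.0/16) contains both Net-hq and Net-ics, which is worth knowing before the tunnels are recreated on another box.

```python
"""Added example for this thread, not code from pfSense, m0n0wall or OpenBSD:
parse an isakmpd.conf, resolve each Phase 2 connection to its Phase 1 peer and
flag peers reached via the [Phase 1] Default= catch-all (no fixed Address=).
SAMPLE_CONF is the posted file with constructed 203.0.113.x addresses and
"secret" in place of the redacted XXX.XXX.XXX.XXX values and pre-shared keys."""
import configparser
import ipaddress
from itertools import combinations

SAMPLE_CONF = """\
[Phase 1]
203.0.113.20=     Ics
Default=          Remote_store
[Phase 2]
Connections=      Hq-ics,Hq-remote
[Ics]
Phase=            1
Transport=        udp
Local-address=    203.0.113.10
Address=          203.0.113.20
Configuration=    Default-main-mode
Authentication=   secret
[Remote_store]
Phase=            1
Transport=        udp
Local-address=    203.0.113.10
Configuration=    Default-main-mode
Authentication=   secret
[Hq-ics]
Phase=            2
ISAKMP-peer=      Ics
Configuration=    Default-quick-mode
Local-ID=         Net-hq
Remote-ID=        Net-ics
[Hq-remote]
Phase=            2
ISAKMP-peer=      Remote_store
Configuration=    Default-quick-mode
Local-ID=         Net-hq
Remote-ID=        Net-remote
[Net-ics]
ID-type=          IPV4_ADDR_SUBNET
Network=          192.168.2.0
Netmask=          255.255.255.0
[Net-hq]
ID-type=          IPV4_ADDR_SUBNET
Network=          192.168.1.0
Netmask=          255.255.255.0
[Net-remote]
ID-type=          IPV4_ADDR_SUBNET
Network=          192.168.0.0
Netmask=          255.255.0.0
[Default-main-mode]
DOI=              IPSEC
EXCHANGE_TYPE=    ID_PROT
Transforms=       3DES-MD5
[Default-quick-mode]
DOI=              IPSEC
EXCHANGE_TYPE=    QUICK_MODE
Suites=           QM-ESP-3DES-MD5-SUITE
"""

def load(text):
    """isakmpd.conf is INI-like (Tag=<ws>Value, '#' comments); tags are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def network(cp, name):
    sec = cp[name]
    return ipaddress.ip_network(f"{sec['Network']}/{sec['Netmask']}", strict=False)

def describe(cp):
    """One row per [Phase 2] connection; catch_all marks a peer with no Address=
    that is named by Default= in [Phase 1], so any initiator holding its PSK may use it."""
    catch_all = cp["Phase 1"].get("Default")
    rows = []
    for conn in (c.strip() for c in cp["Phase 2"]["Connections"].split(",")):
        c = cp[conn]
        peer = cp[c["ISAKMP-peer"]]
        rows.append({"connection": conn, "peer": c["ISAKMP-peer"],
                     "peer_address": peer.get("Address"),  # None for a roaming peer
                     "catch_all": c["ISAKMP-peer"] == catch_all and "Address" not in peer,
                     "local": str(network(cp, c["Local-ID"])),
                     "remote": str(network(cp, c["Remote-ID"])),
                     "phase1": cp[peer["Configuration"]]["Transforms"],
                     "phase2": cp[c["Configuration"]]["Suites"]})
    return rows

def overlapping_selectors(cp):
    """Pairs of [Net-*] sections whose prefixes overlap: a flow may then match
    more than one tunnel, so review these before recreating the tunnels elsewhere."""
    nets = {s: network(cp, s) for s in cp.sections() if cp.has_option(s, "ID-type")}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    cp = load(SAMPLE_CONF)
    print(*describe(cp), overlapping_selectors(cp), sep="\n")
```

Run as a script it prints one row per connection and the overlapping pairs: Hq-ics has peer_address 203.0.113.20 and catch_all False, Hq-remote has no peer address and catch_all True, and Net-remote overlaps both Net-hq and Net-ics. Both peers sharing one Authentication= value is only an artefact of the redaction in the posted file; the parser does not assume it.
-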
Do you use the same identifier for all tunnels? Not sure if this will work with the mobile client option, but you can give it a try. See http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ for how to set up such a scenario.
-
Am I using an identifier??!! :o ;D
-
As far as I know, this is the only config file I have for all my tunnels.
In pfSense it always asks for the remote gateway IP, so I guess there is no way to set it up like I wanted :(
-
Try the mobile IPsec option like I told you before and have a look at the tutorial I posted. You will see that one end just waits for incoming connections without knowing where the connections are coming from.
-
Hmmm… I tried this tutorial, but when I did I must have been smoking the wrong pipe. I see now where I went wrong. I'll try it again tomorrow.