IPSec VPN from Windows 7 client
-
Hey,
I'm doing this as part of a school project and could really use some help.
Is it possible to use an IPSec VPN tunnel from my Windows 7 client to the LAN side of a pfSense firewall box and obtain an IP address of the LAN?
I have the WAN side configured with 192.168.2.254, and the LAN as 192.168.3.1. I have successfully VPN'd in using this guide, and many others like it.
http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors
However, I can never get an IP address via DHCP or any other means that is on the same subnet as the other machines on my LAN, which is what I need.
Let me know if I can answer any questions about my setup.
Cheers!
-
Try following this??
http://www.youtube.com/watch?v=odjviG-KDq8
Also, can I suggest maybe using PPTP? I set that up the other day and it seems much easier and better! And clientless, because PPTP is built into Microsoft and Mac products.
http://www.youtube.com/watch?v=7ai1myWP8PY
-
Windows 7 wants L2TP+IPsec, not plain IPsec.
That does not work with pfSense.
-
Windows 7 wants L2TP+IPsec, not plain IPsec.
That does not work with pfSense.
Okay, thank you. Could you suggest a method that I could use to get Windows VPN connectivity using a CentOS server? It needs to be a secure method. I have been searching for a while but haven't managed to find anything suitable for me.
Cheers!
-
Use OpenVPN.
-
Windows 7 wants L2TP+IPsec, not plain IPsec.
This is correct for previous Windows releases, but Windows 7 actually has native IPsec-only support, although you have to use IKEv2. I am using this successfully with StrongSwan as a VPN server and have done so almost since the release of Windows 7.
I set up racoon at first, but the lack of IKEv2 support was a showstopper, and pfSense is based on racoon, isn't it?
OpenVPN is, however, nice if you can accept the fact that you need a separate client application. The problem with OpenVPN is that it runs in userland and is also single-threaded as far as I know. It doesn't scale well at all. I did some performance testing between the two, since I have both options configured on my (Linux-based) firewall, and OpenVPN used almost 20% of one Core 2 Duo E8400 core just to push 36 mbit/s with iperf (the limitation of the link at the other end), while IPsec used only 1-4% to do the same with AES256, and IPsec is also multithreaded to scale better in large setups.
This doesn't really matter if you use low-speed links with just a couple of roadwarriors, but it should be considered if you are planning large deployments.
I also have a new server which has AES-NI support, which should decrease the IPsec CPU usage even more, but I haven't really been motivated to configure it to test.
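
A minimal strongSwan `ipsec.conf` for a gateway that accepts the native Windows 7 IKEv2 client described in the post above, added here as an illustration and not the poster's own configuration. The host name, certificate file names, user name, address pool, the /24 mask on the 192.168.3.x LAN and the choice of EAP-MSCHAPv2 for user authentication are assumptions.

```conf
# /etc/ipsec.conf: strongSwan IKEv2 responder for Windows 7 road warriors.
# Added illustration; names, files and address ranges are assumptions.

config setup

conn win7-ikev2
    keyexchange=ikev2            # IPsec without L2TP on Windows 7 means IKEv2 (see post above)
    auto=add                     # load the connection and wait for clients to initiate

    # Gateway side
    left=%any
    leftid=@vpn.example.test     # placeholder; the name clients connect to, present in the server cert
    leftcert=vpnServerCert.pem   # hypothetical file under /etc/ipsec.d/certs/
    leftauth=pubkey              # the gateway authenticates with its certificate
    leftsubnet=192.168.3.0/24    # LAN behind the gateway; /24 mask assumed

    # Client side
    right=%any
    rightauth=eap-mschapv2       # user name and password, checked against ipsec.secrets
    eap_identity=%any            # ask the client for its EAP identity
    rightsendcert=never          # do not request a client certificate
    rightsourceip=10.10.10.0/24  # virtual IP pool handed to clients (constructed range)
    # With strongSwan's dhcp and farp plugins loaded, rightsourceip=%dhcp
    # leases the client address from the LAN's own DHCP server instead,
    # so the client shows up on the same subnet as the LAN hosts.

    # No ike=/esp= lines: the daemon's default proposals are used
    # (assumption: they overlap with what the Windows client offers).

# /etc/ipsec.secrets (separate file) then needs, in the same placeholder terms:
#   : RSA vpnServerKey.pem
#   alice : EAP "<password>"
```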
-
Yep, under Linux one has the option of L2TP+IPsec by using openl2tp (http://www.openl2tp.org/) with racoon or StrongSWAN/OpenSWAN (note: the latter exhibit some bug which was fixed with a commit to the 3.2-rc5 Linux kernel).
StrongSWAN offers IKEv2 and has been ported to FreeBSD, but with certain limitations; see http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
Limitations
Due to the lack of policy based routes, virtual IPs can not be used (client-side).
The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.