Netgate Discussion Forum
IPsec VPN for non-technical Windows users

• doktornotor (Banned)

  @jimp:

  The Shrew Soft client is even more difficult to work with than OpenVPN in most ways. With OpenVPN you can export a client configuration right from pfSense and be running in a couple minutes. With Shrew Soft it's all manual config (you can save it and import it to other clients later, but still a lot of manual work).

  Yeah, I just wasted a day with configuring that thing… It works. Between exactly defined sites A and B. Explicitly said in the contract that there is absolutely no guarantee it's gonna work elsewhere, not that it will work once they've reconfigured their routers, DNS, CAs or anything else in any way.
• jimp (Rebel Alliance Developer, Netgate)

  @doktornotor:

  Using Shrew Soft is better these days now that we do support pushing settings to IPsec using mod cfg. It's not quite that dire in most cases now. It used to be absolutely horrible to use (not Shrew Soft's fault at the time, but our lack of auto support). Now with the right settings on both ends it's tolerable, but still quite a ways behind OpenVPN in practically every way.

  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

  Need help fast? Netgate Global Support!

  Do not Chat/PM for help!
• dhatz

  @kejianshi:

  There are only two good reasons to run the VPNs built into Microsoft vs. OpenVPN.
  1. So much legacy infrastructure and legacy clients that's all you can support reliably/universally. Not often the case.
  2. The Admin is a moron. Happens a lot.

  To play devil's advocate wrt "native" MS VPN, what about using GPO to provision VPN client settings?
• doktornotor (Banned)

  It's already been said that there's no support for L2TP/IPsec in pfSense. Nothing to push; it will not work.
• dhatz

  To summarize:

  pfSense supports IPsec IKEv1 using the standard "ipsec-tools" package (also used by most Linux distros).

  Windows prior to 7 wants L2TP/IPsec, not plain IPsec IKEv1. That does not work with pfSense.
  Windows 7 and later actually has native IPsec but uses IKEv2 (not IKEv1). Which again does not work with pfSense.

  PPTP is considered deprecated, but anyway pf lacks a PPTP proxy.
• kejianshi

  GPO wouldn't make anything rolled into Microsoft more reliable (or even as reliable) than OpenVPN. Just easier.
• Cylindric

  Okay, that all seemed easy enough to get set up - my client is connected. Am I correct in thinking that the rule created by the OpenVPN wizard (looks like a * * * * * * allow-all rule) should mean that anyone connecting via the VPN has access to everything?
• jimp (Rebel Alliance Developer, Netgate)

  Yes that's correct. You can tighten that up as needed of course.
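As an added illustration of what "tightening that up" means (this is not from the thread and not the ruleset pfSense generates from its GUI; it is a hand-written pf equivalent), the wizard's allow-all rule is shown beside a least-privilege replacement that only permits the services remote users need. The addresses are constructed for the example: tunnel network 10.8.0.0/24, LAN 192.168.1.0/24, internal resolver 192.168.1.1, file server 192.168.1.10. `openvpn` is the interface group pfSense uses for rules on the OpenVPN tab; pf evaluates rules top to bottom and `quick` stops at the first match.

```pf
# Added example, not the thread's content and not pfSense's generated rules.
# Constructed addresses: tunnel 10.8.0.0/24, LAN 192.168.1.0/24,
# DNS resolver 192.168.1.1, file server 192.168.1.10.

# --- What the wizard's "* * * * * *" rule amounts to: any source, any
#     destination, any protocol, i.e. every VPN user reaches everything ---
pass in quick on openvpn inet from any to any keep state

# --- Tightened replacement: one rule per service that is actually needed ---
# DNS to the internal resolver only
pass in quick on openvpn inet proto { tcp udp } from 10.8.0.0/24 to 192.168.1.1 port 53 keep state
# SMB to the file server only
pass in quick on openvpn inet proto tcp from 10.8.0.0/24 to 192.168.1.10 port 445 keep state
# ICMP echo into the LAN so users can still troubleshoot reachability
pass in quick on openvpn inet proto icmp from 10.8.0.0/24 to 192.168.1.0/24 icmp-type echoreq keep state
# Anything else arriving from the tunnel is logged and dropped; the log line
# is what tells you a client is probing beyond what it was granted.
block in log quick on openvpn inet from 10.8.0.0/24 to any
```

In the pfSense GUI the same shape is built on the Firewall > Rules > OpenVPN tab: replace the wizard's single rule with per-service pass rules whose source is the tunnel network, and let the implicit default deny (or an explicit logged block) catch the rest. Keep the "local network" pushed to clients no wider than what these rules allow, so the routes a client receives match what the firewall will actually pass.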
• Cylindric

  Brilliant. I can't actually ping or reach anything at the moment, but I've not read any of the docs yet, so I'll go and check up on some of the OpenVPN-related stuff.

  Thanks, all.

  M
• jimp (Rebel Alliance Developer, Netgate)

  The client needs to run as Administrator (unless you're using the openvpnmanager GUI running it as a service) or it can't add routes.

  To make sure you're actually pushing routes to the client, ensure you have the "local network" box filled in, or that you have the option set to redirect the client gateway so that all traffic goes over the tunnel.
• kejianshi

  Hmmmm.
  Which version of Windows are you using?

  If it's not Windows XP, you need to right click the install file and "run as admin", otherwise you get connected but it won't route you anywhere.
  If you didn't install it as admin, the easy fix is to uninstall it, then reinstall (run as admin this time).

  Occasionally you get an issue where you have to allow it in your firewall rules on a Windows box, depending on the firewall.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.