Netgate Discussion Forum

Pfsense and Route-Based IPSec VPN

IPsec
9 Posts 5 Posters 4.4k Views
hphan082, last edited by Jan 14, 2015, 2:49 AM

Hi everyone,
I just deployed pfSense in our environment. I've been searching around and it doesn't look like pfSense supports route-based VPN tunnels. Is that true? Do you know if it will be available anytime soon?

Thanks everyone!
cmb, last edited by Jan 14, 2015, 5:02 AM

That's true. It's not on the immediate roadmap. Either standard tunnel mode, or transport mode + GRE or gif, will suffice for any possible need there (outside of interoperating with a third-party route-based IPsec VPN).
PayableOnDeath, last edited by Jan 14, 2015, 3:14 PM

+1 for route-based IPsec VPN.

Sadly, transport mode + GRE isn't supported on all devices (Juniper SRX, for example).

I found out about the lack of support for transport mode in the SRX when I tried to set up a VPN between 3 sites (2 of them used pfSense) and wanted dynamic routing between them so that if a tunnel dropped between 2 of them it would then reroute via the 3rd one.
Hugh, last edited by Jan 14, 2015, 11:36 PM

Hi PayableOnDeath,

the SRX was the reason I asked if it was possible to run a script or add a route when an IPsec tunnel came up.

That was my idea for a workaround for the dynamic networking issue: run BIRD on the pfSense box and use it to advertise the routes when the tunnel came up.
Hugh, last edited by Jan 16, 2015, 4:04 AM

Is it possible to have a route-based VPN configured at one end and a policy-based VPN configured at the other?

I have attempted to do this on a Juniper SRX and it appears to be working. I am wondering whether I am just deceiving myself.
eri--, last edited by Jan 16, 2015, 9:04 PM

Route-based VPN is basically GRE + IPsec, so it will work with no problem.
It's more flexible on products that promote its support, in which you control what gets sent to the tunnel by just routes instead of phase 2.
Hugh, last edited by Jan 19, 2015, 9:52 AM

Is there any way that pfSense can have an IP address that can reply to the address on the tunnel interface? I would like to be able to run OSPF through the VPN tunnel.
cmb, last edited by Jan 21, 2015, 3:51 AM

@ermal:
    Route based VPN is basically GRE + IPsec so it will work with no problem.

Route-based in the context of what OP is discussing isn't GRE+IPsec; there isn't a tunnel outside the usual IPsec tunnel mode's tunnel.

@Hugh:
    Is there any way that pfSense can have an IP address that can reply to the address on the tunnel interface? I would like to be able to run OSPF through the VPN tunnel.

If you have an actual tunnel interface, like GRE or gif within the IPsec, yes, on the GRE or gif. Otherwise no, and it wouldn't accomplish what you're after with OSPF anyway, since the routing table has no influence on tunnel-mode IPsec.
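The distinction cmb draws above (Phase 2 selectors decide for tunnel-mode IPsec, the routing table decides only when there is a real tunnel interface such as gif or GRE), together with the three-site failover PayableOnDeath wanted, as an added example that is not from the original thread and is not pfSense or FreeBSD code: a small Python model of the two forwarding decisions. The site prefixes, tunnel names, metrics and the A/B/C layout are constructed for illustration only.

```python
# Added example (not from the thread, not pfSense code): a toy model of how a
# policy-based (tunnel-mode IPsec) and a route-based (tunnel interface + routes)
# VPN each pick the exit for a packet. All addresses and names are made up.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Tunnel:
    name: str
    up: bool = True


class PolicyBasedVPN:
    """Tunnel-mode IPsec: the kernel matches each packet against the Phase 2
    traffic selectors (local net, remote net). The routing table is never
    consulted for the decision; only the selectors decide whether and where
    a packet is encrypted, so a dead peer means dropped traffic, not a detour."""

    def __init__(self, phase2):
        # list of (local_net, remote_net, Tunnel); first match wins, like an SPD
        self.phase2 = [(ip_network(l), ip_network(r), t) for l, r, t in phase2]

    def select(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        for local, remote, tunnel in self.phase2:
            if src in local and dst in remote:
                # Selector matched an SA whose peer is down: nothing re-steers it.
                return tunnel.name if tunnel.up else None
        return "no-ipsec"  # no selector matched: leaves in the clear via normal routing


class RouteBasedVPN:
    """Each tunnel is an interface (e.g. gif or GRE carried inside IPsec).
    Routes, static or learned over the tunnels by OSPF/BGP, choose the exit;
    when the preferred tunnel is down its routes are withdrawn and the next
    candidate takes over. The source address plays no part in the lookup."""

    def __init__(self, routes):
        # dict prefix -> list of (metric, Tunnel); lower metric preferred
        self.routes = {ip_network(p): c for p, c in routes.items()}

    def select(self, src, dst):
        dst = ip_address(dst)  # pure destination lookup, src deliberately unused
        best_prefix, best_tunnel = None, None
        for prefix, candidates in self.routes.items():
            if dst not in prefix:
                continue
            live = sorted((m, t.name) for m, t in candidates if t.up)
            if not live:
                continue  # every route to this prefix points at a down interface
            if best_prefix is None or prefix.prefixlen > best_prefix.prefixlen:
                best_prefix, best_tunnel = prefix, live[0][1]  # longest prefix, lowest metric
        return best_tunnel if best_tunnel else "no-ipsec"


def build_site_a(ab_up=True):
    """Site A (10.1.0.0/16) has tunnels to B (10.2.0.0/16) and C (10.3.0.0/16).
    With dynamic routing, C also advertises a path to B, so A can reach B via C
    when the direct A-B tunnel fails. Returns (policy_based, route_based) boxes."""
    t_ab, t_ac = Tunnel("to-B", up=ab_up), Tunnel("to-C")
    policy = PolicyBasedVPN([("10.1.0.0/16", "10.2.0.0/16", t_ab),
                             ("10.1.0.0/16", "10.3.0.0/16", t_ac)])
    routed = RouteBasedVPN({"10.2.0.0/16": [(10, t_ab), (20, t_ac)],  # backup learned via C
                            "10.3.0.0/16": [(10, t_ac)]})
    return policy, routed


def three_site_scenario(ab_up):
    """Forward one packet from A's LAN to B's LAN on both models.
    Returns (policy_choice, route_choice)."""
    policy, routed = build_site_a(ab_up)
    pkt = ("10.1.0.25", "10.2.0.7")
    return policy.select(*pkt), routed.select(*pkt)


if __name__ == "__main__":
    print("A-B tunnel up:  ", three_site_scenario(True))
    print("A-B tunnel down:", three_site_scenario(False))
```

With the A-B tunnel up both models send the packet to B directly. When it drops, the policy-based box still matches the same Phase 2 selector and the packet goes nowhere, whereas the route-based box falls back to the higher-metric route via C. The other difference worth noticing is that a route-based lookup ignores the source address entirely: a packet from a subnet not listed in any Phase 2 selector is left unencrypted by the policy model but is still steered into the tunnel by the route model, which is exactly why "what goes into the tunnel" is controlled by routes on one side and by Phase 2 entries on the other.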
hphan082, last edited by Mar 20, 2015, 7:12 PM

Thanks everyone!
We use VPN tunnels to a lot of 3rd-party devices, including ASA, Fortigate, Sonicwall, Palo Alto, etc. I can confirm that you don't need route-based or policy-based on both ends; it only matters locally.
Well, for now we can go with policy-based; once there is a need, I'll look into these options again.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.