Netgate Discussion Forum

    Anything similar to Juniper's st interface?

    IPsec
    • jimp (Rebel Alliance Developer, Netgate)

      OpenVPN works that way, but IPsec currently does not.

      What you're after is also known as "Routed IPsec" or "Route-based IPsec". It's something we'd like to see, but it doesn't exist yet.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • rebus9

        Thanks. That's a deal-breaker in our environment. I'll keep watching in the future, though.

        Anyway, to the extent I've experimented with pfSense (NAT, port forwarding, etc.) it seems polished, well done. Kudos to the developers.

        • jimp (Rebel Alliance Developer, Netgate)

          For a VPN with dynamic routing, usually OpenVPN is used with OSPF or, in some cases, IPsec in transport mode with a GIF/GRE-type tunnel, which gets you closer to that style but not 100% there since it's not quite the same.

          Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level).

          • rebus9

            @jimp:

            Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level).

            It's a shame the OS doesn't support it (yet) because Juniper's implementation is such a cakewalk. I would love to see pfSense worked into our Juniper network going forward. We can do with those Juniper routed IPSec tunnels pretty much anything we could do with an ordinary point-to-point link. So much so, that at times I (almost) forget I'm working with virtual connections.

            It's also ironic, since JUNOS is based on FreeBSD.

            • rebus9

              @jimp:

              For a VPN with dynamic routing, usually OpenVPN is used with OSPF or, in some cases, IPsec in transport mode with a GIF/GRE-type tunnel, which gets you closer to that style but not 100% there since it's not quite the same.

              Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level).

              It's been a year since this original discussion, and we're approaching the need to add a couple more locations. Before I ping our Juniper vendor for a quote, has Routed IPSec come any closer to reality in pfSense yet? My Google Fu isn't returning any search results for the positive, so I'm hoping the community can give a definitive answer.

              Thanks in advance, as always.

              • jimp (Rebel Alliance Developer, Netgate)

                Nope. No closer yet.

                • rebus9

                  Bummer... but thanks for the clarification.

                  • rebus9

                    @jimp:

                    Nope. No closer yet.

                    Has routed IPsec made it onto the future roadmap yet, or is it still too far over the horizon to see? I like to check once or twice a year.

                    I have to make another Juniper purchase fairly soon. While the up-front purchase price isn't terrible considering the quality, we have so many units in service now from all the locations we've added that our annual spend for support renewals far exceeds what we spend on new equipment each year.

                    I'm staying cautiously optimistic that some day I'll be able to replace Juniper with pfSense, and keep some of that money in my budget for other useful things.

                    • jimp (Rebel Alliance Developer, Netgate)

                      It was recently imported into FreeBSD head and should be in FreeBSD 12, so maybe pfSense 2.5 will have it if all goes well.

                      https://svnweb.freebsd.org/base?view=revision&revision=309115

                        • rebus9

                        Any updates on Routed IPsec support yet? This is the only thing I'm aware of that's holding us back from pfSense.

                        We use OSPF and IPSec tunnels throughout the company (many locations across the state) and without that support, we're stuck on our current Juniper SRX platform.

                        We're seeing roughly a 40% failure rate in our branch SRX units, and that is scaring us away from Juniper.

                          • jimp (Rebel Alliance Developer, Netgate)

                          The support is there at the OS level in 2.4.x (see if_ipsec(4)), but we don't have any code to hook into it yet. No ETA, though.

                            • rebus9

                            Thank you. I'm sad to hear it, because I definitely liked what I saw when I tested pfSense 2 years ago.

                            The lack of Routed IPsec is the only thing preventing us from making it a serious contender. For now, we'll have to keep shoveling money at Juniper, something I'm increasingly uneasy about, given their device failure rates of late.

                              • DavidDPD

                              @jimp:

                              The support is there at the OS level in 2.4.x (see if_ipsec(4)), but we don't have any code to hook into it yet. No ETA, though.

                              Just coming across this compatibility issue between Juniper SRX and FreeBSD myself. I'll be using FreeBSD, pfSense and Juniper SRX for some time to come. With 2.4+ out, and if_ipsec(4) in there, it would be great to see this ability exposed in pfSense sooner rather than later.

                                • jimp (Rebel Alliance Developer, Netgate)

                                Support for routed IPsec/VTI is in 2.4.4 snapshots. It's still being tested, but it's fairly solid at the moment with no major caveats that I'm aware of.

                                https://redmine.pfsense.org/issues/8544

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.