Your documentation and wiki are broken.

  • I tried to set up a pfSense-to-pfSense IPSEC VPN. For almost a week I kept on re-configuring it, deleting, reinstalling, checking and re-checking. Everything I could think of, because "when you follow the 'official' instructions on a stock/default system 'it has to work', no?"

    Well turns out the instructions here are flawed:

    The VPN tunnel will not respond to firewall rules at the time of this writing, so you will not be able to limit which hosts can be accessed by users across the VPN connection. If a worm would get into the network you are connected to via VPN, it could easily spread to your network. If a system on the remote network is compromised by an attacker, he could easily hop over the VPN to attack your systems without any firewall protection.

    That is ENTIRELY WRONG! Not only does the IPSEC VPN respond to firewall rules, by default there are none. The only issue with my configuration was that there was no firewall rule (under Firewall -> Rules -> IPSEC) to pass traffic. Set up the rule and bang, it all works.

    I tried to edit the wiki page to add the firewall rules information, but there is no way to register on the page and my forum login does not work there.

  • Anyone? The documentation is still wrong. I will gladly update it if I can login to the wiki…

  • I agree, this is a major hurdle for people to stumble upon.

  • Rebel Alliance Developer Netgate

    I wasn't aware that documentation was so far out of date. I fixed that reference, and will need to go over it in finer detail soon.

    Thanks for the heads-up.

  • Yea, thanks for bringing it up! I know I ran into that but I think I forgot where I read that when I finally figured out I did need some rules.

  • Thanks jimp  ;D

    I think most people would jump to the firewall rules when things didn't work, but the docs were a bit misleading. Anyway, much appreciated to all you guys contributing to this awesome project!

  • Rebel Alliance Developer Netgate

    A little late, but better late than never:

    I rewrote the core of that IPSec document to be more in line with the current options and configuration. I hope it's a little easier to read now, too.

    It had a lot of references to material that was not in that document. I'm not sure if it was copied and pasted from somewhere else or if it was just left unfinished.

    It may still need a little more work, so suggestions are welcome.

  • @jimp:

    A little late, but better late than never:
    I read over it briefly. It looks good to me. It's been a while since I set it up from scratch and maybe some things have changed since 1.2.2 but everything seems to be there.

    Thanks for updating.
