Netgate Discussion Forum

    PfSense-IPcop VPN

    IPsec
    • ryanpatel

      Has anyone been able to successfully create a pfSense to IPCop VPN?  My colleague and I have been trying for a few days to get an IPSec VPN established from a pfSense to IPcop as well as a pfSense to pfSense.  Any help, documentation, or advice would be greatly appreciated.

      Ryan
      Cowboyz R #1

      • hoba

        You might want to watch one of the tutorials showing how to configure 2 pfsense systems (one with dynamic IP, one with static IP): http://pfsense.com/index.php?id=36
        It shows some kind of special configuration but it might get you started (configuring tunnels from static IP to static IP is even easier to set up). I know that IPSEC between pfSense systems works great but I can't say anything about connections to IPCOP.

        • omarf

          I managed to do that with Preshared Key.
          I found a problem with NATTED Pfsense (THE PROBLEM IS ON IPCOP).
          If your PfSense is behind a router with Red interface having a private address, you have to do the following on IpCop machine:

          manually add to /var/ipcop/vpn/ipsec.conf 'rightid=RemotePrivateIp' (and/or 'leftid=LocalPrivateIp' if private)
          and consequently change /var/ipcop/vpn/ipsec.secrets
          and add a new line to /var/ipcop/vpn/config in order to see the connection detail/status on web page.
          No way to do that thru web interface (bear in mind that if you change again the configuration thru web interface your manual setting will be deleted). On Pfsense just tell to show the machine with IpAddress.

          Hope this can help.
          Omar

          • hoba

            There is another solution to this problem that can be made on the pfSense side of the connection without hacking conf files (isn't a good webGui nicer to use?  ;) ). Change the identifier of the pfSense from "My IP address" to the public IP address of the router in front of pfSense which does the forwarding. This way the other end will not see the private IP but the public IP and the packets will find their way  ;D
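
Added example, not part of either post above and not code from pfSense or IPCop: a small consistency check for the identifier mismatch the two posts work around. It assumes Openswan-style `ipsec.conf` and `ipsec.secrets` syntax; the connection name `pfsense`, the addresses and the key are constructed, and wildcard secrets entries are not modelled.

```python
import re

def parse_conn(conf_text, name):
    """Return the key=value settings of one 'conn' section of ipsec.conf."""
    settings, active = {}, False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("conn "):
            active = stripped.split()[1] == name
        elif active and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def psk_index_sets(secrets_text):
    """Yield the set of IDs written in front of each ': PSK' entry."""
    for line in secrets_text.splitlines():
        m = re.match(r'^(.*?):\s*PSK\s+"', line.strip())
        if m:
            yield set(m.group(1).split())

def check_ids(conf_text, secrets_text, conn_name, peer_presented_id):
    """List the ID problems that would stop PSK authentication for this conn."""
    conn = parse_conn(conf_text, conn_name)
    # Without leftid/rightid the expected identity is the endpoint address.
    local_id = conn.get("leftid", conn.get("left"))
    peer_id = conn.get("rightid", conn.get("right"))
    problems = []
    if peer_presented_id != peer_id:
        problems.append(f"peer presents {peer_presented_id}, conn expects {peer_id}")
    if not any({local_id, peer_id} <= ids for ids in psk_index_sets(secrets_text)):
        problems.append(f"no PSK entry indexed by {local_id} and {peer_id}")
    return problems

# Constructed sample data (documentation address ranges, hypothetical conn name).
CONF_STOCK = """
conn pfsense
    left=203.0.113.10
    right=198.51.100.20
    authby=secret
"""
# The manual edit described above: expect the peer's private address as its ID.
CONF_PATCHED = CONF_STOCK + "    rightid=192.168.1.2\n"
SECRETS_STOCK = '203.0.113.10 198.51.100.20 : PSK "constructed-example-key"\n'
SECRETS_PATCHED = '203.0.113.10 192.168.1.2 : PSK "constructed-example-key"\n'
```

Passing the private address as `peer_presented_id` models pfSense behind NAT with its default identifier; passing the public address models the identifier change made on the pfSense side.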

            • Inca

              Hello everyone, this is my first post here, so please be gentle  :)

              I've been struggling with pfsense <-> ipcop vpn, but I found the answer in the m0n0wall mailing lists:

              Hi,

              This can be done with the following settings:

              Phase 1 proposal (Authentication)

              Negotiation mode : Main
              Encryption algorithm : 3DES
              Hash algorithm : MD5
              DH key group : 2

              Phase 2 proposal (SA/Key Exchange)

              Encryption algorithms : 3DES
              Hash algorithms :  MD5
              PFS key group : 2

              I think the rest of the settings will speak for themselves. Sometimes you have
              to ping to open the vpn link.

              Richard Trip

              Thanks to the original poster!

              This has been working since pfsense version 0.53!!!

              • hoba

                We are all gentle here  ;D
                The original problem was IPSEC with one box behind a NAT and identifier trouble. We have 2 different solutions for that (one modifying a conf of IPCOP, one modifying the identifier of the pfSense). But thanks for posting the answer. I think we should start an IPSEC-compatibility thread where people can report ONLY CONFIRMED WORKING configurations and maybe with information on how to get it going. Maybe you want to start it with some details? The posts to this thread should hold info about corresponding settings as some IPSEC implementations use different terms to name things.

                • ryanpatel

                  Inca,

                  Thanks!  I tried it exactly the way you stated and I was able to get the pfSense<->IPcop VPN online.  I would get some screenshots and post them somewhere if someone would tell me where?

                  • hoba

                    It would be appreciated if you record a tutorial for our tutorials section. It's nearly the same as shooting screenshots with wink but you add some descriptions on top of it instead of placing them between the shots in the text. You find examples and info about wink at our tutorials section: http://pfsense.com/index.php?id=36

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.