Setting up IPsec VTI to a VPN service provider. Local Network / Remote Network are unknown

gertty · May 9, 2020, 6:30 PM

The overall concept is that I want pfSense to be a VPN "client" in that it connects to a VPN service provider for outbound traffic, then I use policy routing to decide which traffic gets put over the WAN vs the VPN connection.

I have had this working with a OpenVPN TUN mode for several years, both with server I control (so I control both ends) and with a VPN service provider (where I'm just a client).

I am pretty new to IPsec, but would like to try it. From what I have read so far, I think the VTI mode is what I want. I'm very used to policy routing with the OpenVPN tunnel so this would be the right fit.

Where I am stuck is in the P2 VTI settings for Local Network Address and Remote Network Address. These are assigned by my VPN service provider and not static. In other IPSec "clients" like a mobile phone or laptops, there either isn't an option for setting ends the tunnel interface IPs, or there is an option for "ask for an IP" from the other side. Does pfSense support something like this?

gertty · May 9, 2020, 7:18 PM

I came across some posts on the r/PFSENSE sub-reddit and it looks like maybe pfSense doesn't support being a "client" and doing EAP username auth? I agree that the OpenVPN client on pfSense is a much more natural fit for this situation, but was hoping to lower that CPU overhead.

jimp · May 11, 2020, 7:38 PM

pfSense doesn't support that role currently for a couple reasons:

It does not support acting as an EAP client (Or any remote access style IPsec client)
It does not support accepting parameters pushed by the IPsec server (e.g. dynamic addressing, DNS, etc)

And a few other related reasons but they boil down to the two above.