Need some VPN advice

  • Hello,

    I run pfsense at home. I work from various sites, all of which utilise the Cisco 2600/3600 routers with VPN capability.

    I wish to make a VPN from work to home, but it seems I can't use IPsec as pfSense won't support NAT-T and I am told (not sure if it's correct) that IPsec passthrough isn't possible on the Cisco routers we use (?)

    So, how would you recommend I make a VPN to my home, if I cannot use NAT-T or IPsec passthrough? Is OpenVPN the solution I need, or PPTP?



  • If you use a pfSense box at home, you should be able to connect it to the Cisco routers.

    You don't need to be concerned about IPsec passthrough on the Cisco because the Cisco would be your endpoint for the VPN (I am assuming that you plan to use the Cisco VPN capability). Although I can't imagine that the necessary IPsec ports could not be opened on these routers if you weren't using them as your VPN.

    NAT-T should not be a concern either for the reason listed above unless the Cisco routers are using private IPs and are behind another router.

    Another option would be to use the ShrewSoft VPN client software to connect to your home. In that case, you would need to open some ports on the Ciscos. Specifically, UDP 500, UDP 4500 and the ESP Protocol (50). Do you administer the Cisco devices?
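    As an added illustration of the port list above (this is not code from the thread or from any of the products mentioned), the script below parses a small subset of Cisco IOS numbered extended ACL syntax and reports which of the three IPsec flows (UDP 500 for IKE, UDP 4500 for NAT-T, IP protocol 50 for ESP) an inbound ACL fails to permit. The ACL lines, the endpoint address 203.0.113.10 and the function names are constructed for the example; the only real syntax assumed is the IOS `access-list ... permit|deny <proto> <src> <dst> [eq <port>]` form with the `isakmp` and `non500-isakmp` port keywords.

    ```python
    """Check whether a Cisco-style extended ACL permits the traffic an IPsec
    endpoint needs: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).

    Added example, not from the forum thread. It handles a small, common subset
    of IOS ``access-list`` syntax (numbered extended ACLs with ``any``/``host``
    addresses and ``eq`` port matches); the ACL lines below are constructed.
    Source addresses are parsed but ignored: the check is "can anyone reach
    the endpoint on these flows", which is what a remote VPN client needs."""

    import re

    # Port keywords IOS accepts in place of numbers (assumption: standard IOS names).
    PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

    # What an IPsec responder behind this ACL must be reachable on.
    IPSEC_REQUIREMENTS = (
        ("udp", 500, "IKE / ISAKMP"),
        ("udp", 4500, "NAT-T (UDP-encapsulated ESP)"),
        ("esp", None, "ESP (IP protocol 50)"),
    )

    ACL_RE = re.compile(
        r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
        r"(?P<src>any|host\s+\S+)\s+(?P<dst>any|host\s+\S+)"
        r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
    )


    def parse_acl(lines):
        """Return rule dicts in ACL order; lines outside the supported subset raise."""
        rules = []
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("!"):
                continue  # blank line or IOS comment
            m = ACL_RE.match(line)
            if not m:
                raise ValueError(f"unsupported ACL syntax: {line}")
            port = m.group("port")
            if port is not None:
                port = int(port) if port.isdigit() else PORT_NAMES.get(port)
                if port is None:
                    raise ValueError(f"unknown port keyword in: {line}")
            rules.append({
                "action": m.group("action"),
                "proto": m.group("proto").lower(),
                "dst": m.group("dst").replace("host ", ""),
                "port": port,  # None means "any port" (or a port-less protocol like esp)
            })
        return rules


    def _rule_matches(rule, proto, port, dst_ip):
        if rule["proto"] not in (proto, "ip"):  # 'ip' matches every protocol
            return False
        if rule["dst"] not in ("any", dst_ip):
            return False
        if rule["port"] is not None and rule["port"] != port:
            return False
        return True


    def first_match(rules, proto, port, dst_ip):
        """IOS ACLs are first-match, and every ACL ends with an implicit deny."""
        for rule in rules:
            if _rule_matches(rule, proto, port, dst_ip):
                return rule["action"]
        return "deny"


    def ipsec_gaps(acl_lines, endpoint_ip):
        """Names of the IPsec flows the ACL does not permit towards endpoint_ip."""
        rules = parse_acl(acl_lines)
        return [name for proto, port, name in IPSEC_REQUIREMENTS
                if first_match(rules, proto, port, endpoint_ip) != "permit"]


    # Constructed ACL: IKE is allowed, but NAT-T and ESP were forgotten.
    SAMPLE_ACL = """
    ! inbound ACL on the Internet-facing interface (constructed sample)
    access-list 101 permit udp any host 203.0.113.10 eq isakmp
    access-list 101 permit tcp any host 203.0.113.10 eq 22
    access-list 101 deny ip any any
    """.splitlines()

    # Same ACL with the two missing permits inserted ahead of the final deny.
    FIXED_ACL = SAMPLE_ACL[:3] + [
        "access-list 101 permit udp any host 203.0.113.10 eq non500-isakmp",
        "access-list 101 permit esp any host 203.0.113.10",
    ] + SAMPLE_ACL[3:]

    if __name__ == "__main__":
        for label, acl in (("original", SAMPLE_ACL), ("fixed", FIXED_ACL)):
            gaps = ipsec_gaps(acl, "203.0.113.10")
            print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
    ```

    Running it prints that the original ACL is missing NAT-T and ESP while the fixed one is complete. The same check is worth repeating from the other side: if the Cisco sits behind another NAT device, as the thread notes, UDP 4500 is the flow that must survive end to end, because ESP itself cannot be NATed.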

  • Thanks for your advice. I don't manage the Ciscos, we have a third party that does that for us, but I can get changes made very easily.

    I will take a look at ShrewSoft - my main computer is a Mac - is there an equivalent on the Mac?

    What I have been trying to do is to connect the Cisco VPN client to the pfSense box, but I get the NAT-T error.


  • Before I changed anything else, I would make sure the ports that I listed above were open on the Cisco routers. Your Cisco VPN client should work, although I haven't used it with pfSense.

  • The Cisco VPN client won't connect to pfSense IPsec, due to the current lack of xauth support.
    If you can't find an IPsec client, you could use PPTP or OpenVPN.
