    Make setting up IPsec site-to-site VPNs easier

    2.0-RC Snapshot Feedback and Problems - RETIRED
    11 Posts 4 Posters 5.2k Views
    rugby

      We have historically used SG routers for our clients but we're taking a look at pfSense, specifically 2.0, as it seems to have a more polished interface and shows us nice pretty graphs of where our data is going.

      The SG (Now McAfee UTM Firewalls) have a really nice feature of having a "simple" site to site IPSec setup.  Just complete this on both devices and you're done.  I have attached a screenshot.

      jlepthien

        Easier? It is more than easy now. Look at some big StoneGates... That is not easy ;-)

        Edit: With this lame setup you cannot even decide which settings you like. What kind of encryption? Hash? Lifetimes? Pretty insecure...

        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

        jimp (Rebel Alliance Developer, Netgate)

          That method also does not let you have multiple phase 2 subnets, like the one on 2.0 does.

          There is always a security-vs-convenience tradeoff. Nothing (really) easy is (really) secure, or in this case, also flexible/configurable.

          Though someone could write a simple IPsec wizard which would take basic settings such as this and set up the tunnel, which can later be adjusted by hand.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          rugby

            @jlepthien:

            Easier? It is more than easy now. Look at some big StoneGates... That is not easy ;-)

            Edit: With this lame setup you cannot even decide which settings you like. What kind of encryption? Hash? Lifetimes? Pretty insecure...

            You can do an advanced setup on the SGs and define all of that information.  That's how I get my pfSense 2 boxes to communicate with them.  I am not an IPsec dummy, but for the life of me I cannot get two pfSense 2 boxes to establish site-to-site IPsec VPN tunnels for some reason.  Both have static IPs and still no luck.

            rugby

              @jimp:

              That method also does not let you have multiple phase 2 subnets, like the one on 2.0 does.

              There is always a security-vs-convenience tradeoff. Nothing (really) easy is (really) secure, or in this case, also flexible/configurable.

              Though someone could write a simple IPsec wizard which would take basic settings such as this and set up the tunnel, which can later be adjusted by hand.

              I think a wizard might be a good idea.  There are SO many options available that streamlining the process might work.

              jlepthien

                Nowadays IPsec is such an easy task to do, especially if both ends are the same. There is not much that you need to think about ;-)


                _igor_

                  I think one or two, or maybe more, tutorials will make that thing easier. Mostly you connect to an appliance other than pfSense. This is the really hard thing, where more possibilities make life easier. Thinking just about special settings: one is supported on the other side, others are not. Without all settings available you will be lost.
                  A good example of an IPsec client is IPSecuritas (Mac only). Best software I know: free, with lots of tutorials and help.

                  So if anyone has success with a special setting, please make it public for others! Thanks.

                  jimp (Rebel Alliance Developer, Netgate)

                    There are lots of interoperability examples on the doc wiki and in the book as well. I suppose they will need to be redone for 2.0, but the basic options are all still there, just with some added ones that can help even further.


                      jlepthien

                      If you have a good understanding of IPsec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning", but most of the time all "enterprise" products have the same settings, so it is not a big deal...


                        jimp (Rebel Alliance Developer, Netgate)

                        @jlepthien:

                        If you have a good understanding of IPsec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning", but most of the time all "enterprise" products have the same settings, so it is not a big deal...

                        I can echo this sentiment. I have yet to see another router device which was unable to talk to pfSense using IPsec. Client devices and software are a little different, but most of those work as well. (Several software clients are also covered in the book, by the way)


                          rugby

                          @jlepthien:

                          If you have a good understanding of IPsec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning", but most of the time all "enterprise" products have the same settings, so it is not a big deal...

                          Sometimes it's just the terminology between endpoint identifier types.

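Two points in this thread invite a worked example: jimp's suggestion of a simple IPsec wizard that takes a few basic settings and sets up a tunnel that can later be adjusted by hand (and his note that a simple form cannot express multiple phase 2 subnets), and rugby's closing remark that interoperability problems are often just differing vendor terminology for endpoint identifier types. The sketch below is an added example written for this page; it is not pfSense code, not a Netgate wizard, and not anything posted in the thread. It expands a handful of form inputs into explicit settings for both peers, so the choices a simple form makes silently (cipher, hash, DH group, lifetimes, identifier type, every phase 2 subnet pair) are visible and checked for agreement before anything is emitted. Output uses strongSwan-style ipsec.conf notation only because it is a familiar way to write the result; the default proposals, the identifier-type alias table and the sample addresses and subnets are all this example's own assumptions.

```python
"""Minimal site-to-site IPsec "wizard" (added example, not pfSense code).

A few simple-form inputs are expanded into explicit settings for BOTH peers,
so everything a simple form decides silently (proposals, DH group, lifetimes,
identifier types, each phase 2 subnet pair) is visible and can be checked for
agreement. Output uses strongSwan-style ipsec.conf notation; defaults and the
alias vocabulary are this example's assumptions, not any vendor's.
"""
from dataclasses import dataclass
from itertools import product

# Vendors spell identifier types differently; map common spellings to one
# canonical form before comparing what each side sends and expects.
ID_TYPE_ALIASES = {
    "ip": "address", "ip address": "address", "address": "address",
    "fqdn": "fqdn", "hostname": "fqdn", "domain name": "fqdn",
    "user fqdn": "user_fqdn", "email": "user_fqdn", "user@fqdn": "user_fqdn",
    "keyid": "keyid", "key id": "keyid", "keyid tag": "keyid",
}

def normalize_id_type(name: str) -> str:
    try:
        return ID_TYPE_ALIASES[name.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown identifier type {name!r}") from None

@dataclass
class Peer:
    name: str
    gateway: str                 # public address the IKE exchange runs between
    subnets: list                # one or more phase 2 (child SA) networks
    id_type: str = "ip address"  # vendor spelling, normalized on use
    identifier: str = ""         # empty means "the gateway address"

    def ident(self) -> tuple:
        return (normalize_id_type(self.id_type), self.identifier or self.gateway)

@dataclass
class Settings:
    """What a simple form decides for you; both peers must agree on all of it."""
    psk: str
    key_exchange: str = "ikev2"
    ike_proposal: str = "aes256-sha256-modp2048"  # phase 1: cipher-hash-DH group
    esp_proposal: str = "aes256-sha256-modp2048"  # phase 2, with PFS group
    ike_lifetime: str = "28800s"
    esp_lifetime: str = "3600s"

@dataclass
class Side:
    """One gateway's own view: itself, how it describes the peer, its settings."""
    me: Peer
    them: Peer
    settings: Settings

def phase2_pairs(me: Peer, them: Peer) -> list:
    """Each local/remote subnet pair is one phase 2 SA under IKEv1, or part of
    one traffic-selector set in a single CHILD_SA under IKEv2."""
    return list(product(me.subnets, them.subnets))

def fmt_id(ident: tuple) -> str:
    """ipsec.conf id syntax as assumed here: '@' marks an unresolved FQDN,
    '@#' a hex key ID; an address or user@fqdn is written as-is."""
    kind, value = ident
    if kind == "fqdn":
        return "@" + value
    if kind == "keyid":
        return "@#" + value.encode().hex()
    return value

def render_conn(side: Side) -> str:
    me, them, s = side.me, side.them, side.settings
    common = [
        f"  keyexchange={s.key_exchange}", "  authby=secret",
        f"  left={me.gateway}", f"  leftid={fmt_id(me.ident())}",
        f"  right={them.gateway}", f"  rightid={fmt_id(them.ident())}",
        f"  ike={s.ike_proposal}!", f"  esp={s.esp_proposal}!",  # '!' = strict, no fallback
        f"  ikelifetime={s.ike_lifetime}", f"  lifetime={s.esp_lifetime}",
        "  auto=start",
    ]
    base = f"{me.name}-to-{them.name}"
    if s.key_exchange == "ikev2":
        conns = [(base, ",".join(me.subnets), ",".join(them.subnets))]
    else:  # IKEv1: one conn, hence one phase 2 entry, per subnet pair
        conns = [(f"{base}-{i}", l, r) for i, (l, r) in enumerate(phase2_pairs(me, them))]
    return "\n\n".join(
        f"conn {n}\n" + "\n".join(common + [f"  leftsubnet={l}", f"  rightsubnet={r}"])
        for n, l, r in conns) + "\n"

def render_secrets(side: Side) -> str:
    return f'{fmt_id(side.me.ident())} {fmt_id(side.them.ident())} : PSK "{side.settings.psk}"\n'

def check_agreement(a: Side, b: Side) -> list:
    """Mismatches that stop the tunnel coming up; emit nothing while non-empty."""
    problems = []
    for f in ("psk", "key_exchange", "ike_proposal", "esp_proposal"):
        if getattr(a.settings, f) != getattr(b.settings, f):
            problems.append(f"{f} differs")
    # What A sends as its identity must be exactly what B expects of its peer,
    # type included, and vice versa: this is the "terminology" failure mode.
    if a.me.ident() != b.them.ident():
        problems.append(f"identity: {a.me.name} sends {a.me.ident()}, {b.me.name} expects {b.them.ident()}")
    if b.me.ident() != a.them.ident():
        problems.append(f"identity: {b.me.name} sends {b.me.ident()}, {a.me.name} expects {a.them.ident()}")
    if set(phase2_pairs(a.me, a.them)) != {(r, l) for l, r in phase2_pairs(b.me, b.them)}:
        problems.append("phase 2 subnet pairs are not mirror images")
    return problems

# Constructed sample (documentation addresses): HQ has two LANs, the branch one.
HQ = Peer("hq", "198.51.100.1", ["10.1.0.0/24", "10.1.10.0/24"])
BRANCH = Peer("branch", "203.0.113.7", ["10.2.0.0/24"])
SETTINGS = Settings(psk="example-psk-change-me")
SIDE_HQ = Side(HQ, BRANCH, SETTINGS)
SIDE_BRANCH = Side(BRANCH, HQ, SETTINGS)

if __name__ == "__main__":
    for side in (SIDE_HQ, SIDE_BRANCH):
        print(render_conn(side)); print(render_secrets(side))
    print(check_agreement(SIDE_HQ, SIDE_BRANCH))
```

Lifetimes are deliberately left out of the hard-fail list: with IKEv2 they are not negotiated, so a difference only changes which side rekeys first, whereas a proposal or identity mismatch fails the exchange outright. Run with `key_exchange="ikev1"` the same two peers produce one `conn` per subnet pair, which is the multiple-phase-2 case a one-form setup cannot express.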
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.