Make setting up IPSec site to site VPNs easier

    2.0-RC Snapshot Feedback and Problems - RETIRED
rugby wrote:

      We have historically used SG routers for our clients but we're taking a look at PFSense, specifically 2.0 as it seems to have a more polished interface and shows us nice pretty graphs of where our data is going.

      The SG (Now McAfee UTM Firewalls) have a really nice feature of having a "simple" site to site IPSec setup.  Just complete this on both devices and you're done.  I have attached a screenshot.

jlepthien wrote:

Easier? It is more than easy now. Look at some big StoneGates... That is not easy ;-)

Edit: And with this lame setup you cannot even decide which settings you like. What kind of encryption? Hash? Lifetimes? Pretty insecure....

jimp (Rebel Alliance Developer, Netgate) wrote:

          That method also does not let you have multiple phase 2 subnets, like the one on 2.0 does.

There is always a security-vs-convenience tradeoff. Nothing (really) easy is (really) secure, or in this case, also flexible/configurable.

Though someone could write a simple IPsec wizard which would take basic settings such as this and set up the tunnel, which can later be adjusted by hand.

rugby wrote:
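As an added illustration of the wizard jimp describes (example code written for this edit, not pfSense's code and not something posted in the thread): it takes only the basic settings, refuses the weak encryption/hash choices jlepthien warns about, and turns every local/remote subnet pair into its own phase 2 entry so the result is still adjustable by hand. The strongSwan-style ipsec.conf layout and the defaults (AES-256, SHA-256, modp2048, 8h/1h lifetimes) are assumptions, not pfSense 2.0's own backend format or defaults.

```python
import ipaddress
from itertools import product

# Proposals the wizard refuses outright (assumed baseline, not a pfSense default).
WEAK_ENC = {"des", "3des", "null"}
WEAK_HASH = {"md5"}

def site_to_site(name, local_ip, remote_ip, local_subnets, remote_subnets,
                 enc="aes256", hash_="sha256", dh="modp2048",
                 ike_lifetime=28800, ipsec_lifetime=3600):
    """Return (strongSwan-style ipsec.conf text, number of phase 2 entries).

    Callers give only the basics; cipher, hash, DH group and lifetimes have
    explicit defaults that are written into the config for audit and hand-tuning.
    """
    if enc.lower() in WEAK_ENC or hash_.lower() in WEAK_HASH:
        raise ValueError(f"refusing weak proposal {enc}/{hash_}")
    if not 0 < ipsec_lifetime <= ike_lifetime:
        raise ValueError("phase 2 lifetime must be positive and <= phase 1 lifetime")
    # strict=True rejects prefixes with host bits set, a common typo in P2 entries.
    lnets = [ipaddress.ip_network(n, strict=True) for n in local_subnets]
    rnets = [ipaddress.ip_network(n, strict=True) for n in remote_subnets]
    pairs = list(product(lnets, rnets))
    for lnet, rnet in pairs:
        if lnet.overlaps(rnet):
            raise ValueError(f"local {lnet} overlaps remote {rnet}: nothing would be tunnelled")
    # Shared phase 1 (IKE) parameters live in one template section ...
    out = [
        f"conn {name}-ike",
        "    keyexchange=ikev1",
        "    authby=secret",
        f"    left={ipaddress.ip_address(local_ip)}",
        f"    right={ipaddress.ip_address(remote_ip)}",
        f"    ike={enc}-{hash_}-{dh}!",
        f"    esp={enc}-{hash_}!",
        f"    ikelifetime={ike_lifetime}s",
        f"    lifetime={ipsec_lifetime}s",
        "",
    ]
    # ... and every local/remote subnet pair becomes its own phase 2 child SA.
    for i, (lnet, rnet) in enumerate(pairs, 1):
        out += [
            f"conn {name}-p2-{i}",
            f"    also={name}-ike",
            f"    leftsubnet={lnet}",
            f"    rightsubnet={rnet}",
            "    auto=start",
            "",
        ]
    return "\n".join(out), len(pairs)
```

The generated text is meant to be reviewed before use: the point is that even a "simple" setup should print the proposal and lifetimes it chose rather than hide them.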

            @jlepthien:

Easier? It is more than easy now. Look at some big StoneGates... That is not easy ;-)

Edit: And with this lame setup you cannot even decide which settings you like. What kind of encryption? Hash? Lifetimes? Pretty insecure....

You can do an advanced setup on the SGs and define all of that information. That's how I get my pfSense 2 boxes to communicate with them. I am not an IPSec dummy, but for the life of me I cannot get two pfSense 2 boxes to establish site to site IPSec VPN tunnels for some reason. Both have static IPs and still no luck.

rugby wrote:

              @jimp:

              That method also does not let you have multiple phase 2 subnets, like the one on 2.0 does.

There is always a security-vs-convenience tradeoff. Nothing (really) easy is (really) secure, or in this case, also flexible/configurable.

Though someone could write a simple IPsec wizard which would take basic settings such as this and set up the tunnel, which can later be adjusted by hand.

I think a wizard might be a good idea. There are SO many options available that streamlining the process might work.

jlepthien wrote:

                Nowadays IPSec is such an easy task to do, especially if both ends are the same. There is not much that you need to think about ;-)

_igor_ wrote:

I think one or two or maybe more tutorials will make that thing easier. Mostly you connect to an appliance other than pfSense. This is the real hard thing, where more possibilities make life easier. Thinking just about special settings: one is supported on the other side, others not. Without all settings available you will be lost.
A good example for IPSec clients is IPSecuritas (for Mac only). Best software I know, free and with lots of tutorials and help.

                  So if anyone has success with a special setting, make it public for others please! Thanks.

jimp (Rebel Alliance Developer, Netgate) wrote:

There are lots of interoperability examples on the doc wiki and in the book as well. I suppose they will need to be redone for 2.0, but the basic options are all still there, just with some added ones that can help even further.

jlepthien wrote:

                      If you have a good understanding of IPSec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning" but most of the time all "enterprise" products have the same settings so it is not a big deal…

jimp (Rebel Alliance Developer, Netgate) wrote:

                        @jlepthien:

                        If you have a good understanding of IPSec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning" but most of the time all "enterprise" products have the same settings so it is not a big deal…

                        I can echo this sentiment. I have yet to see another router device which was unable to talk to pfSense using IPsec. Client devices and software are a little different, but most of those work as well. (Several software clients are also covered in the book, by the way)

rugby wrote:

                          @jlepthien:

                          If you have a good understanding of IPSec then you will get the tunnels up and running. We have connected our WatchGuards to almost every kind of other firewall system with success. Sometimes it needs some "tuning" but most of the time all "enterprise" products have the same settings so it is not a big deal…

                          Sometimes it's just the terminology between endpoint identifier types.
