Netgate Discussion Forum

    Created an IPsec road-warrior howto for PfSense 2.0-BETA5

      Vorkbaard

      Hello, I spent some time trying to get IPsec tunnels for road warriors to work on PfSense 2.0-BETA5 and I documented the whole thing in a howto: http://www.huijgen.com/tunnel. Perhaps it can be of use to someone. Feel free to take it, republish it or improve on it.

        rpsmith

        Vorkbaard,

        Why not just use OpenVPN?  Is there some advantage to IPsec?

        BTW, very nice how-to!

        Roy…

          Vorkbaard

          Because I don't know how to get OpenVPN to work. I tried. I failed with OpenVPN but IPsec worked. So there :P

          Also, thanks :)

            rpsmith

            With 2.0, OpenVPN is a piece of cake.  It's way easier than the IPsec stuff you figured out.  :)

            Roy…

              Vorkbaard

              Everything's easy once you know how to do it :)

                rpsmith

                Good point  :)

                I'm no OpenVPN expert but if you decide to give it another try, I would be glad to give you any help that I could.

                Roy…

                  Vorkbaard

                  I will, thank you! Can you suggest a howto or tutorial for OpenVPN on PfSense 2.0-BETA? My main problem is lack of knowledge of ways outside of PfSense to create and manage certificates.

                    rpsmith

                    I really haven't got that far yet.  I just used the OpenVPN Wizard to create the service and then used the OpenVPN Client Export Utility to create the necessary client files.  So I only have a single user account working at this point and haven't really played around with any external certificates.

                    Roy…

                      Vorkbaard

                      Ok, I got OpenVPN to work. The internal CA is pretty handy and the Client Export Package is a great help.

                      From a user perspective I prefer IPsec however. The Shrew Soft VPN client requires less work from the user to get it to run and connect it to the corp network. On the other hand OpenVPN can connect to multiple subnets. I guess that PfSense 2.0 will allow IPsec for that as well but that used to be a real pain with IPsec.

                      Anyway it's nice to have more options.

                      What I'd really like to get working is L2TP so we can connect our Windows Mobile devices and laptops to dial into the corp network without a third party client.

                        jdetmold

                        @Vorkbaard:

                        What I'd really like to get working is L2TP so we can connect our Windows Mobile devices and laptops to dial into the corp network without a third party client.

                        +1 would love to figure out how to get that working!

                          jimp Rebel Alliance Developer Netgate

                          IPsec+L2TP isn't likely to work how most people might want it to (like for Windows clients) on 2.0. At least not for clients that connect from dynamic IPs.

                            Vorkbaard

                            That's nice to know in advance, jimp, thanks ;)

                              Pontiac_CZ

                              Vorkbaard: it's a nice tutorial, thank you, I'm definitely going to give it a try. Just a question about Shrew Soft VPN client: it sure must be installed and configured by an admin, but - can it be successfully run by a regular limited user?

                              Because that's what I hate about OpenVPN client for Windows - it needs to be run under administrator rights. And I don't like the idea of giving the sales people admin credentials… :(

                                Vorkbaard

                                Yes, we do that all the time. Works fine for regular users who are not local admins on their machines.

                                  Pontiac_CZ

                                  Great info, thank you!  :)
