IPsec bridged VPN?

  • Does anyone know if it is possible to make a bridged IPsec VPN? I need to check this out because I am running VMware at 2 different locations, and for failover it would be great to use both VMware farms to run each other's virtual machines. Therefore I have played with the idea of using the same subnet at both locations. I know there is an option for running a bridged VPN with SonicWall, but I prefer pfSense as I think it is better.
    Also, would it be possible to broadcast NetBIOS over an IPsec VPN? I would be grateful for any help.

  • Rebel Alliance Developer Netgate

    It can be done, but it isn't just IPsec. You can set up IPsec in transport mode between the WAN IPs of the hosts, to secure communications between them, and then add a GIF tunnel to connect and pass traffic between the routers, and you can bridge the GIF interface to LAN.

    It works, but I would try to avoid bridging wherever possible.
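    The layout described above has three independent layers, and the security of the stretched LAN depends entirely on the first one: a gif(4) tunnel is plaintext IP-in-IP, so the bridged frames are only protected if the transport-mode IPsec policy actually matches that encapsulation between the two WAN addresses, in both directions, and is set to require encryption rather than merely prefer it. The following checker is an added example for this thread, not pfSense's own code or configuration: it assumes the pieces are expressed as FreeBSD setkey(8) `spdadd` lines and ifconfig(8) commands (pfSense's GUI generates the equivalent for you), that the gif payload is IPv4 in IPv4 (IP protocol 4, `ipencap`), and uses constructed documentation-range addresses and a hypothetical LAN interface name `em1`. It parses a site's configuration and reports the gaps a defender would look for: a missing direction, a policy level of `use` that silently falls back to cleartext, a non-transport mode, or the gif interface not actually being a bridge member.

```python
"""Audit a FreeBSD-style 'IPsec transport + gif + bridge' layout.

The gif tunnel is plaintext IP-in-IP (IP protocol 4, 'ipencap'), so the
bridged LAN is only protected if the transport-mode SPD covers that
encapsulation in BOTH directions with level 'require'.  This is an added
example, not pfSense's generated configuration; interface names and
addresses below are constructed.
"""
import re

# Constructed sample WAN addresses (RFC 5737 documentation ranges).
SITE_A_WAN = "203.0.113.10"
SITE_B_WAN = "198.51.100.20"

# Constructed ifconfig lines for site A; 'em1' is an assumed LAN interface.
SITE_A_IFCONFIG = """
ifconfig gif0 create
ifconfig gif0 tunnel 203.0.113.10 198.51.100.20
ifconfig bridge0 create
ifconfig bridge0 addm em1 addm gif0 up
"""

# Weak SPD (constructed): outbound only, and level 'use' lets packets go out
# in the clear whenever no SA is established.
SPD_WEAK = """
spdadd 203.0.113.10 198.51.100.20 ipencap -P out ipsec esp/transport//use;
"""

# Corrected SPD (constructed): both directions, level 'require'.
SPD_GOOD = """
spdadd 203.0.113.10 198.51.100.20 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.20 203.0.113.10 ipencap -P in ipsec esp/transport//require;
"""

# setkey policy: spdadd SRC DST PROTO -P in|out ipsec esp|ah/MODE/[src-dst]/LEVEL ;
SPD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<prot>esp|ah)/(?P<mode>transport|tunnel)/[^/]*/(?P<level>\w+)\s*;"
)
TUNNEL_RE = re.compile(r"^ifconfig\s+(?P<gif>gif\d+)\s+tunnel\s+(?P<local>\S+)\s+(?P<remote>\S+)")
BRIDGE_RE = re.compile(r"^ifconfig\s+(?P<br>bridge\d+)\s+(?P<rest>.*)$")


def _addr(token):
    """Strip setkey decorations: '203.0.113.10/32[any]' -> '203.0.113.10'."""
    return token.split("/")[0].split("[")[0]


def parse_spd(text):
    """Return one dict per parsable spdadd line."""
    policies = []
    for line in text.strip().splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = _addr(d["src"]), _addr(d["dst"])
            policies.append(d)
    return policies


def parse_ifconfig(text):
    """Extract the gif tunnel endpoints and the set of bridge members."""
    cfg = {"gif": None, "local": None, "remote": None, "members": set()}
    for line in text.strip().splitlines():
        line = line.strip()
        m = TUNNEL_RE.match(line)
        if m:
            cfg.update(m.groupdict())
            continue
        m = BRIDGE_RE.match(line)
        if m:
            toks = m.group("rest").split()
            cfg["members"].update(
                toks[i + 1] for i, t in enumerate(toks) if t == "addm" and i + 1 < len(toks)
            )
    return cfg


def audit(ifconfig_text, spd_text, lan_if):
    """Return a list of findings; an empty list means the layout is consistent."""
    cfg = parse_ifconfig(ifconfig_text)
    pols = parse_spd(spd_text)
    findings = []
    if not cfg["gif"]:
        return ["no gif tunnel configured"]
    # The stretched LAN needs both the LAN NIC and the gif interface in the bridge.
    for iface in (lan_if, cfg["gif"]):
        if iface not in cfg["members"]:
            findings.append(f"{iface} is not a bridge member")
    # Outbound: local WAN -> remote WAN.  Inbound: remote WAN -> local WAN.
    for direction, src, dst in (("out", cfg["local"], cfg["remote"]),
                                ("in", cfg["remote"], cfg["local"])):
        match = [p for p in pols if p["dir"] == direction and p["src"] == src
                 and p["dst"] == dst and p["proto"] in ("ipencap", "4", "any")]
        if not match:
            findings.append(f"no {direction}bound transport policy covering ipencap "
                            f"{src} -> {dst}; gif traffic would cross the WAN in the clear")
            continue
        for p in match:
            if p["mode"] != "transport":
                findings.append(f"{direction}bound policy is {p['mode']} mode, expected transport")
            if p["level"] != "require":
                findings.append(f"{direction}bound policy level is '{p['level']}', expected 'require'")
    return findings


if __name__ == "__main__":
    print("weak:", audit(SITE_A_IFCONFIG, SPD_WEAK, "em1"))
    print("good:", audit(SITE_A_IFCONFIG, SPD_GOOD, "em1"))
```

    Run the same audit against site B with the addresses swapped. The checker cannot see anything below the router, which matters for the bridging layer: when the router is itself a virtual machine, the hypervisor switch must also be willing to deliver frames for MAC addresses the VM does not own, which is the "promiscuous mode" setting reported later in this thread.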

  • Thanks Jimp!
    What is GIF? I cannot find GIF anywhere in my firewall. I am using version 1.2.3-release. Do I need to upgrade my version or download a specific package to get the GIF opportunity?

  • Rebel Alliance Developer Netgate

    It's a type of tunneling interface.

    It's only on 2.0.

  • Thanks again!
    I will download 2.0 and try it.

  • Hi... I'm trying to do the same thing for testing/experimentation purposes.
    I have set up IPsec in transport mode; I think I am having trouble with the GIF/bridging piece of it.

    Hopefully someone can help me shed some light on where I am going wrong. My desired end result is a LAN at layer 2 stretched across the WAN (while being secure).

    Right now I cannot ping any hosts on the opposite end of the tunnel.

    Below is my config. Let me know if you need to see more. All firewall rules for all interfaces except WAN are */any.

    I should also note that both of these pfSense machines are on VMware ESXi boxes.



    Thanks for any help!

  • OK... so this config DOES actually work. I had to set my VMware adapter to 'allow promiscuous mode' (doh); now I can ping hosts on both sides.

    Hope this helps anyone with a similar issue!
