Ipsec and Windows VPN



  • Hi guys, I'm really liking the look of pfSense 2 and have recently started to test it, so far so good, until…

    The current issue is that I cannot get VPN working; all I wish to do is create a client VPN tunnel using the Windows VPN client (Windows 7).

    I'm not asking somebody to 'do it for me', but I would appreciate a little guidance as I've tried for days now and I just can't quite get it to work.

    In fact maybe my question should be, does it even work? Is it possible?

    If I can't get it to work I will have to look at other solutions, such as CAG, maybe OpenVPN etc., but ideally I would like to use the native Windows VPN client.

    It's holding me up now and it's getting a little frustrating as everything else seems to work so well!

    so...

    1.) Is it possible, does it work? (client behind NAT)
    2.) Has anybody ever got it working?
    3.) Is there anything I should know/common errors?
    4.) Any settings on the client that need changing? Handshake / security etc.?

    Thanks!  ;)



  • In fact it doesn't even work over the LAN interface… I must be missing something fundamental here? (Obviously I changed the interface and allow rules for LAN rather than WAN.)

    Hmm, any ideas? :)



  • With PPTP and the native Windows VPN client, you should look over this: http://doc.pfsense.org/index.php/PPTP_VPN

    PPTP for iOS devices is simple to set up too: https://discussions.apple.com/thread/1776886?start=0&tstart=0

    If you're looking for Windows-based IPsec using the Shrew Soft client (highly recommended), then this works for us: http://forums.smallnetbuilder.com/showthread.php?t=6205

    I gave up on the Windows VPN client a while back when none of our SSL VPN routers would work with 64-bit Windows. Since switching to Shrew Soft and IPsec, we haven't looked back. It's fast, and once the profiles are created you can send them via email etc. for folks to import into their own Shrew Soft installation. As we've gone through routers from Draytek, Netgear, and now pfSense, the Shrew Soft profiles for each router are archived, making an emergency hardware swap very painless at the client side.



  • Thanks for the reply :)

    I think I will add an additional interface, and then use another public IP to route traffic to a dedicated VPN device in that case. I prefer to keep things modular anyway.
