IPSec VPN from windows 7 client



  • Hey,

    I'm doing this as part of a school project and could really use some help.

    Is it possible to use an IPsec VPN tunnel from my Windows 7 client to the LAN side of a pfSense firewall box and obtain an IP address on the LAN?

    I have the WAN side configured with 192.168.2.254, and the LAN as 192.168.3.1. I have successfully VPN'd in using this guide, and many others like it.

    http://dekapitein.vorkbaard.nl/tech-1/how-to-set-up-ipsec-tunneling-in-pfsense-2-0-release-for-road-warriors

    However, I can never get an IP address via DHCP or any other means that is on the same subnet as the other machines on my LAN, which is what I need.

    Let me know if I can answer any questions about my setup.

    Cheers!



  • Try following this??

    Youtube Video

    Also, can I suggest maybe using PPTP? I set that up the other day and it seems much easier and better! And it's clientless, because PPTP is built into Microsoft and Mac products.

    Youtube Video



  • @craigduff:

    It seems much easier and better!

    Just easier, not better ;)


  • Rebel Alliance Developer Netgate

    Windows 7 wants L2TP+IPsec, not plain IPsec.

    That does not work with pfSense.



  • @jimp:

    Windows 7 wants L2TP+IPsec, not plain IPsec.

    That does not work with pfSense.

    Okay, thank you. Could you suggest a method that I could use to get Windows VPN connectivity using a CentOS server? It needs to be a secure method. I have been searching for a while but haven't managed to find anything suitable for me.

    Cheers!



  • Use OpenVPN.



  • @marcelloc:

    Use OpenVPN.

    I second that.



  • @jimp:

    Windows 7 wants L2TP+IPsec, not plain IPsec.

    This is correct for previous Windows releases, but Windows 7 actually has native IPsec-only support; you have to use IKEv2, though. I am using this successfully with strongSwan as a VPN server and have done so almost since the release of Windows 7.

    I set up racoon at first, but the lack of IKEv2 support was a show stopper, and pfSense is based on racoon, isn't it?

    OpenVPN is, however, nice if you can accept the fact that you need a separate client application. The problem with OpenVPN is that it runs in userland and is also single-threaded as far as I know. It doesn't scale well at all. I did some performance testing between the two, since I have both options configured on my (Linux-based) firewall, and OpenVPN used almost 20% of one Core 2 Duo E8400 core just to push 36 Mbit/s with iperf (the limitation of the link at the other end), while IPsec used only 1-4% to do the same with AES256, and IPsec is also multithreaded to scale better in large setups.

    This doesn't really matter if you use low-speed links with just a couple of road warriors, but it should be considered if you are planning large deployments.

    I also have a new server which has AES-NI support, which should decrease the IPsec CPU usage even more, but I haven't really been motivated to configure it to test.
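An added example, not written by anyone in this thread: a strongSwan road-warrior connection of the kind the post above describes, built for Windows 7's native IKEv2 client (server certificate plus EAP-MSCHAPv2 user authentication), with client addresses taken from the 192.168.3.0/24 LAN of the original question so the road warrior looks like a LAN host. The hostname, certificate file names, address pool and account are assumptions.

```ini
# /etc/ipsec.conf (strongSwan). Assumed: vpn.example.org, serverCert.pem,
# serverKey.pem and a 192.168.3.200-192.168.3.250 pool reserved on the LAN.
config setup
    # allow one account to be connected from more than one machine
    uniqueids=no

conn win7-ikev2
    keyexchange=ikev2
    # Windows 7 proposes these by default; SHA-1 and MODP-1024 are weak by
    # current standards, and stronger groups need client-side changes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # the LAN reachable through the tunnel (0.0.0.0/0 for a full tunnel)
    leftsubnet=192.168.3.0/24
    leftauth=pubkey
    leftcert=serverCert.pem
    # must match a subjectAltName in serverCert.pem, which Windows also
    # requires to carry the serverAuth extended key usage
    leftid=@vpn.example.org
    right=%any
    # virtual IPs carved out of the LAN; load the farp plugin so the
    # gateway answers ARP for them and LAN hosts reach the client directly
    rightsourceip=192.168.3.200-192.168.3.250
    rightdns=192.168.3.1
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=add

# /etc/ipsec.secrets (assumed account; keep this file root-readable only)
# : RSA serverKey.pem
# alice : EAP "assumed-password"
```

The Windows side is configured as a plain "IKEv2" VPN with EAP-MSCHAPv2, with the CA that issued serverCert.pem imported into the machine's Trusted Root store.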



  • Yep, under Linux one has the option of L2TP+IPsec by using openl2tp (http://www.openl2tp.org/) with racoon or strongSwan/Openswan (note: the latter exhibited a bug which was fixed with a commit to the 3.2-rc5 Linux kernel).

    strongSwan offers IKEv2 and has been ported to FreeBSD, but with certain limitations; see http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD

    Limitations
    Due to the lack of policy based routes, virtual IPs can not be used (client-side).
    The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.

