Netgate Discussion Forum

    Replacing Cisco VPN infrastructure with pfSense?

    4 Posts 2 Posters 2.4k Views
    mzac

      Hi, I work at a university and we are looking at replacing our aging Cisco PPTP VPN infrastructure.  We have started testing pfSense and so far it seems to be working out very well.  One of our biggest challenges was to get Android devices to work with VPN as all our testing with PPTP and IPSec didn't get anywhere, however we were able to get OpenVPN working very well.

      Our next challenge is to replace PPTP with IPSec, however we would probably still use PPTP in the interim while we get people to migrate to IPSec (however we would set up IPSec at the same time).  My issue is that on our Cisco VPN pool we are using Cisco's ACS Radius server which is talking to a back end Oracle database for user authentication.  As part of the authentication, users are assigned 'pools' of IP ranges depending on what faculty or department they are part of.  Once they get into this pool, they are assigned either a random or static IP, and they in turn add this IP or range to the ACLs on their departmental servers to give them access to them.

      So where I'm getting to, does anyone know if there is any way to integrate pfSense IPSec or OpenVPN with Cisco ACS, or should we look at setting up a different Radius infrastructure?  We are looking at using Microsoft NPS however I'm not sure that we can push the groups/IP ranges that we need.

      Also, once we push these IPs/ranges to pfSense, I would imagine we would need to setup some NAT rules to make sure their traffic is routed properly?

      Another obstacle in this setup is that if we have more than one pfSense server running (with round robin DNS), could we run OSPF on pfSense to advertise back to our router when it has a user connect to it with their pool or static IP?  I know the OSPF package is available but I'm not sure how it would integrate with IPSec VPN.

      Thanks

        jimp (Rebel Alliance Developer, Netgate)

        I can't get into a lot of detail due to the complexity of the topic and available time, but here are a few pointers:

        • Ditch PPTP. Don't look back. You're making changes, so now is the time to just dump it, it's completely broken no matter who the backend is: http://forum.pfsense.org/index.php/topic,54255.0.html
        • If you can help it, don't use IPsec, stick with moving forward on OpenVPN.
        • On 2.1, OpenVPN can receive IP assignments and ACLs for users using cisco avpair responses from the RADIUS server, so that would probably do what you want.
        • As long as outbound NAT rules cover the potential client subnets, there would be no need for dynamic NAT rules.

        In the long run, there will be fewer client headaches and problems on various random remote networks using OpenVPN than either IPsec or RADIUS.
        There are OpenVPN clients for Android, iOS, Windows, Mac, BSD, Linux, etc.

          mzac

          Thanks, we are starting to look at OpenVPN, just need to find some good clients we can use that will be easy for the end user to use.  We need to be able to package a .ovpn file with it since it will have all the config, ca, cert and key in it.

          As far as Cisco avpair responses, I can't seem to find any documentation for openvpn as to what it supports.  Do you know of any?

          Thanks!

            jimp (Rebel Alliance Developer, Netgate)

            There isn't any documentation for it yet. You can get an idea of what it supports by perusing the code here:
            https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.auth-user.php#L127
            https://github.com/bsdperimeter/pfsense/blob/master/etc/inc/openvpn.attributes.php

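As an added illustration of the mechanism jimp describes (RADIUS reply attributes driving per-user IP assignment and ACLs, with outbound NAT already covering the client pools), and not pfSense's own code from the files linked above, the Python sketch below assumes a reply carrying Framed-IP-Address, Framed-IP-Netmask and Cisco-AVPair strings in the form "ip:inacl#N=permit|deny proto src dst"; it turns one constructed reply into the OpenVPN per-client push line and an ordered ACL, and checks whether the assigned address falls inside a pool an existing outbound NAT rule already covers.

```python
import ipaddress

# Constructed sample RADIUS Access-Accept attributes for one VPN user (not a real
# ACS or NPS reply). Assumed Cisco-AVPair ACL form: "ip:inacl#N=permit|deny proto src dst".
SAMPLE_REPLY = {
    "Framed-IP-Address": "10.20.5.17",
    "Framed-IP-Netmask": "255.255.255.0",
    "Cisco-AVPair": [
        "ip:inacl#1=permit tcp any host 192.168.100.10",
        "ip:inacl#2=deny ip any 192.168.200.0 255.255.255.0",
    ],
}

# Constructed: client pools that an existing static outbound NAT rule already covers.
# An assigned address outside these would need a new outbound NAT rule.
NAT_COVERED = [ipaddress.ip_network("10.20.0.0/16")]

def _endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the front of a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]}/32", tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return str(net), tokens[2:]

def parse_acl(avpair):
    """Turn one 'ip:inacl#N=...' attribute into a rule dict; other avpairs give None."""
    if not avpair.startswith("ip:inacl#"):
        return None
    seq, _, body = avpair[len("ip:inacl#"):].partition("=")
    parts = body.split()
    src, rest = _endpoint(parts[2:])
    dst, _ = _endpoint(rest)
    return {"seq": int(seq), "action": parts[0], "proto": parts[1], "src": src, "dst": dst}

def build_client_config(reply):
    """Per-client OpenVPN push line, ordered ACL, and whether outbound NAT already covers the IP."""
    ip = ipaddress.ip_address(reply["Framed-IP-Address"])
    net = ipaddress.ip_network(f"{ip}/{reply['Framed-IP-Netmask']}", strict=False)
    acls = [r for r in map(parse_acl, reply.get("Cisco-AVPair", [])) if r]
    return {
        "ifconfig_push": f"ifconfig-push {ip} {net.netmask}",
        "acl": sorted(acls, key=lambda r: r["seq"]),
        "nat_covered": any(ip in n for n in NAT_COVERED),
    }

if __name__ == "__main__":
    print(build_client_config(SAMPLE_REPLY))
```

A user whose reply puts them outside every covered pool is the case where a new outbound NAT rule (or a wider pool definition) is needed before their traffic leaves the firewall correctly.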
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.