IPsec IKE, HIP, pfSense
-
Recently I have been researching Host Identity Protocol (HIP), and through the course of that research the question arose if pfSense could be a HIP endpoint. I believe it could pass it no problem, but I was curious. HIP uses IPsec IKE as part of its security platform. I started reading about it here and there seems to be many issues with it in conjunction with pfSense. Here are my questions:
Has anyone installed HIP on pfsense?
What was your procedure?
What is the current status of IPsec IKE and pfsense 2.2.4?
Would you recommend upgrading to 2.2.4 if you have VPN currently working?
-
I checked the change logs and it appears that IPsec is a moving target right now.
2.2.3
https://doc.pfsense.org/index.php/2.2.3_New_Features_and_Changes
2.2.4
https://doc.pfsense.org/index.php/2.2.4_New_Features_and_Changes
2.2.5
https://doc.pfsense.org/index.php/2.2.5_New_Features_and_ChangesAlso, this page was modified recently. But I don't see anything that specifically refers to the latest versions.
https://doc.pfsense.org/index.php/Upgrade_Guide
-
I think I found what I want in the documentation about how to setup IPsec IKEv2, but any info on the other questions would be helpful.
-
This is a good reference for learning the basics of IPsec IKEv2 and strongSwan. strongSwan is the IPsec daemon in pfSense.
https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
-
I can't believe all of the options available. It is ridiculous. Guidance seems minimal as well. If we need all of the options then great! Create recipes of known good configurations. Otherwise learning curve is like pole-vaulting a football field.
This resource has pictures!
Steve Friedl's Unixwiz.net Tech Tips
An Illustrated Guide to IPsec
http://www.unixwiz.net/techtips/iguide-ipsec.htmlHmmm, For the German (Deutsch) speakers out there. I think I lost something in google translate.
http://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html