Netgate Discussion Forum
    Possible to Create a Virtual LAN over Internet using IPSec instead of OpenVPN?

bradchapin:

I currently have a network of SnapGear routers that create a virtual network over the Internet via IPSec. While I'd love to switch over to OpenVPN, I'm not able to do that today. Going forward, I'd like to use PFSense boxes instead of the SnapGears and add them to the existing network, but without interrupting the existing network. Unfortunately, I haven't been able to figure out how to configure it to do so yet… it could be that some of the functionality in the Secure Computing product just isn't available within PFSense yet.

      Currently the network looks like
      SnapGear Router <-> Internet <-> SnapGear Router (e.g. Gateway) <-> Various Servers (some VM images)
      and I'd like to add
      PFSense Router <-> Internet <-> SnapGear Router (e.g. Gateway) <-> Various Servers (some VM images)

Features that are currently being used within the SnapGear that I'd prefer not to change and therefore need to be supported:
    • Router must own its own subnet (e.g. 192.168.90.0/24, 192.168.91.0/24, etc) and provide DHCP out of this scope
    • Aggressive Key Mode for IPSec
    • Authentication is based on a pre-shared secret
    • Endpoint ID (e.g. Router1@Gateway1, Router2@Gateway1, etc)
    • Dead Peer Detection (I believe I read that's supported)
    • 3DES, Diffie-Hellman Group 2 (1024 bit)
    • Local address is dynamic, remote is static (I believe there wouldn't be an issue here)

I think the biggest sticking point is what SnapGear calls "definitions." For example, the PFSense router needs to have a route built-in that states that FTP Server 1 is within the subnet 10.152.0.0/16 or that Mail Server 1 is within the subnet 172.16.0.0/24. Within Phase 2 of the IPSec transaction the PFSense router needs to map the LAN port of the PFSense to the remote network.

Is this possible, or still a few software releases out? I'd be more than happy to share any screenshots if that will help in making myself a bit more clear.

      Thanks!
      Brad
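
As an added illustration (not part of the original post, and not a configuration taken from the SnapGear or pfSense projects), the requirement list above maps onto a strongSwan `ipsec.conf` fragment like the one below. pfSense drives strongSwan underneath its IPsec GUI, so each setting here has a counterpart in a Phase 1 entry (IKE) plus one Phase 2 entry per remote subnet. The gateway address `203.0.113.1`, the identifiers, the subnets beyond those the post names, and the PSK are placeholders I chose for the example.

```ini
# Added example: strongSwan ipsec.conf for an IKEv1 site-to-site tunnel with the
# properties listed in the post. All addresses, IDs and the secret are placeholders.

config setup
    uniqueids = yes

# Parameters shared by every tunnel to the static gateway (Phase 1 / IKE SA).
conn %default
    keyexchange = ikev1
    aggressive = yes                 # Aggressive Mode, as the existing peers require
    authby = secret                  # pre-shared key, defined in ipsec.secrets
    ike = 3des-sha1-modp1024!        # 3DES + DH group 2 (1024-bit); "!" pins the proposal
    esp = 3des-sha1!                 # Phase 2 transform matching the SnapGear side
    left = %defaultroute             # local address is dynamic (whatever the WAN gets)
    leftid = Router1@Gateway1        # USER_FQDN style endpoint ID (placeholder)
    right = 203.0.113.1              # static remote gateway (placeholder address)
    rightid = @gateway1.example.net  # remote peer's identifier (placeholder)
    dpdaction = restart              # Dead Peer Detection: rebuild the tunnel on loss
    dpddelay = 30s
    dpdtimeout = 120s

# One conn per SnapGear "definition": same Phase 1, different Phase 2 selectors.
conn gw1-ftp-net
    leftsubnet = 192.168.90.0/24     # this router's own LAN scope
    rightsubnet = 10.152.0.0/16      # FTP Server 1 lives here
    auto = start

conn gw1-mail-net
    leftsubnet = 192.168.90.0/24
    rightsubnet = 172.16.0.0/24      # Mail Server 1 lives here
    auto = start

# ipsec.secrets (separate file), selecting the PSK by the two identifiers:
# Router1@Gateway1 @gateway1.example.net : PSK "replace-with-a-long-random-secret"
```

Two points worth knowing before reproducing this in the pfSense GUI. First, Aggressive Mode with a pre-shared key sends the identities unprotected and lets anyone observing the exchange collect material for offline guessing of the PSK, so the secret should be long and random, and Main Mode should be adopted as soon as the SnapGear side can be changed. Second, 3DES and DH group 2 are kept here purely for compatibility with the existing peers; a migration plan should move the whole mesh to AES and a 2048-bit or larger group once the pfSense boxes are in place, because the weakest configured proposal is the one an adversary will steer the negotiation toward.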

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.