Possible to Create a Virtual LAN over Internet using IPSec instead of OpenVPN?
  • I currently have a network of SnapGear routers that create a virtual network over the Internet via IPSec.  While I'd love to switch over to OpenVPN, I'm not able to do that today.  Going forward, I'd like to use PFSense boxes instead of the SnapGears and add them to the existing network, but without interrupting the existing network.  Unfortunately, I haven't been able to figure out how to configure it to do so yet… it could be that some of the functionality in the Secure Computing product just isn't available within PFSense yet.

    Currently the network looks like
    SnapGear Router <-> Internet <-> SnapGear Router (e.g. Gateway) <-> Various Servers (some VM images)
    and I'd like to add
    PFSense Router <-> Internet <-> SnapGear Router (e.g. Gateway) <-> Various Servers (some VM images)

    Features that are currently being used within the SnapGear that I'd prefer not to change and therefore need to be supported:
    Router must own its own subnet (e.g. 192.168.90.0/24, 192.168.91.0/24, etc) and provide DHCP out of this scope
    Aggressive Key Mode for IPSec
    Authentication is based on a pre-shared secret
    Endpoint ID (e.g. Router1@Gateway1, Router2@Gateway1, etc)
    Dead Peer Detection (I believe I read that's supported)
    3DES, Diffie-Hellman Group 2 (1024 bit)
    Local Address is Dynamic, Remote is Static (I believe there wouldn't be an issue here)

    I think the biggest sticking point is what SnapGear calls "definitions."  For example, the PFSense router needs to have a route built in that states that FTP Server 1 is within the subnet 10.152.0.0/16 or that Mail Server 1 is within the subnet 172.16.0.0/24.  Within Phase 2 of the IPSec transaction the PFSense router needs to map the LAN port of the PFSense to the remote network.

    Is this possible, or still a few software releases out?  I'd be more than happy to share any screenshots if that will help in making myself a bit more clear.

    Thanks!
    Brad
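For reference, here is how the feature list above maps onto an IPsec configuration, written as an added example in strongSwan `ipsec.conf`/`ipsec.secrets` syntax (this is not the poster's configuration nor pfSense's own generated config, and pfSense's GUI exposes the same settings under its Phase 1 / Phase 2 entries). The hostnames, IDs and the secret are placeholders, and the SnapGear "definitions" become one Phase 2 (Quick Mode) section per remote subnet; note that Aggressive Mode with a PSK, 3DES and DH group 2 are legacy settings retained here only because the existing peers require them.

```ini
# --- ipsec.conf (strongSwan syntax, assumed) ---
config setup
    uniqueids = yes

# Shared Phase 1 settings for every tunnel to the SnapGear gateway
conn %default
    keyexchange = ikev1
    aggressive = yes                  # SnapGear peers use Aggressive Mode
    authby = secret                   # pre-shared secret
    ike = 3des-sha1-modp1024!         # 3DES + DH group 2 (1024-bit); legacy, interop only
    esp = 3des-sha1!                  # Phase 2 proposal matching the SnapGear side
    left = %defaultroute              # local address is dynamic
    leftid = router1@gateway1         # endpoint ID in the Router1@Gateway1 style (placeholder)
    leftsubnet = 192.168.90.0/24      # this router's own LAN
    right = gateway1.example.net      # static remote gateway (placeholder)
    rightid = gateway1@gateway1       # remote endpoint ID (placeholder)
    dpdaction = restart               # Dead Peer Detection
    dpddelay = 30s
    dpdtimeout = 120s
    auto = start

# One Phase 2 entry per SnapGear "definition" (remote network behind the gateway)
conn ftp-server-net
    rightsubnet = 10.152.0.0/16       # FTP Server 1 lives here

conn mail-server-net
    rightsubnet = 172.16.0.0/24       # Mail Server 1 lives here

# --- ipsec.secrets ---
# Selected by the two endpoint IDs; the secret itself is a placeholder
router1@gateway1 gateway1@gateway1 : PSK "REPLACE-WITH-SHARED-SECRET"
```

Each `conn` inherits the `%default` block, so adding another remote subnet is a two-line section rather than a second Phase 1.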