Tuesday, November 16, 2010

Site to Site IPCop to pfSense VPN

NOTE: Spoofing the MAC address of your WAN adapter breaks IPSec in pfSense 1.2.3.

Since IPCop development seems to have slowed to a drip (the last stable release, 1.4.21, came out in 2008, though a new beta was recently released; you can get it here), I am beginning the migration from IPCop to pfSense. The extra features and reports will be most welcome, but the move means replacing 20+ IPCops across four states, all of them connected to one central IPCop via VPN. I must focus on minimizing disruption to the end users; replacing all of the units simultaneously is out of the question.

I considered running an IPCop and a pfSense firewall side by side, with the new pfSense on our second public IP, but this means added hardware and added complication with regard to routing.

Once the settings below are in place, the pfSense box is a ready drop-in replacement for the IPCop, and the far-end IPCop should require no additional configuration.

Rummaging around in the IPCop docs, I found that its bundled VPN server uses IPSec. Rummaging around in the pfSense forums yielded a sparse description of the settings that allowed pfSense and IPCop to establish VPN communications; see http://www.perkiset.org/forum/all_things_general_tech/vpn_tunnel_helper_pfsense_to_ipcop-t2661.0.html, and thanks to the author Perkiset for these nuggets of wisdom. While his exact configuration did not work for me, a slight variation did. I've reposted his settings below, revised to the ones that worked for me.

IPCop Box:
  • Use pre-shared key
  • Local and remote addresses thus: (a).(b).(c).0/255.255.255.0, where a.b.c is the LAN address of the remote network
  • Dead Peer detection set to restart
  • IKE Encryption: Blowfish 256, Blowfish 128
  • IKE Integrity: SHA and MD5
  • IKE Grouptype: MODP 1536
  • ESP Encryption: Blowfish 256, Blowfish 128
  • ESP Integrity: SHA1 & MD5
  • ESP Grouptype: Phase1 Group
  • ESP Keylife: 8 hours
  • IKE + ESP: Unchecked
  • IKE Aggressive: Not checked
  • PFS: Checked
  • Negotiate Payload: Unchecked


pfSense Box:
  • Local subnet: LAN subnet
  • Remote subnet: (a).(b).(c).0 / 24
  • Remote gateway is the public address or domain name of the remote network
  • Negotiation Mode: Main
  • Identifier: My IP Address
  • Encryption Algo: Blowfish
  • Hash Algo: SHA1
  • DH Key Group: 5
  • Lifetime: leave blank
  • Authentication method: preshared-key
  • Phase 2, Protocol: ESP
  • Encryption Algo: Blowfish
  • Hash Algos: SHA1 & MD5
  • PFS Keygroup: 2
  • Lifetime: 28800 Seconds
  • Ping Host: this is redundant with the Dead Peer Detection on the IPCop side, which will perform the restart
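As an added sanity check (my own script, not from the post or from either project), the following Python normalizes the two UIs' vocabularies (IPCop's "SHA" and "MODP 1536" against pfSense's "SHA1" and "DH Key Group 5", IPCop's "8 hours" against pfSense's 28800 seconds) into canonical proposal tuples and reports where the phase 1 and phase 2 settings above actually overlap. Treating pfSense's unsized "Blowfish" as any key length, and leaving the PFS group out of the phase 2 comparison because the two UIs express it differently, are my assumptions.

```python
from itertools import product

ANY = None  # wildcard for a parameter one UI does not let you pin down

# IKE DH group numbers as pfSense lists them, mapped to the MODP sizes IPCop shows.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

def parse_ipcop_cipher(name):
    """'Blowfish 256' -> ('blowfish', 256); a name without a size gets ANY key length."""
    parts = name.lower().split()
    return (parts[0], int(parts[1]) if len(parts) > 1 else ANY)

def normalize_hash(name):
    """IPCop labels HMAC-SHA1 'SHA' while pfSense labels it 'SHA1'; fold both to 'sha1'."""
    n = name.lower()
    return "sha1" if n in ("sha", "sha1") else n

def parse_modp(name):
    """'MODP 1536' -> 1536"""
    return int(name.lower().replace("modp", "").strip())

def proposals(ciphers, hashes, groups, lifetime):
    """Expand per-field choices into (cipher, keybits, hash, dh_bits, lifetime) tuples."""
    return {(c, k, h, g, lifetime) for (c, k), h, g in product(ciphers, hashes, groups)}

def field_match(a, b):
    return a == b or a is ANY or b is ANY

def common(offered, accepted):
    """Proposals in `offered` that some proposal in `accepted` agrees with, field by field."""
    return {p for p in offered if any(all(map(field_match, p, q)) for q in accepted)}

# Phase 1 (IKE) as the post configures it; neither side pins an IKE lifetime, so ANY.
IPCOP_IKE = proposals([parse_ipcop_cipher(c) for c in ("Blowfish 256", "Blowfish 128")],
                      [normalize_hash(h) for h in ("SHA", "MD5")],
                      [parse_modp("MODP 1536")], ANY)
PFSENSE_P1 = proposals([("blowfish", ANY)], ["sha1"], [DH_GROUP_BITS[5]], ANY)

# Phase 2 (ESP). PFS group left as ANY on both sides (assumption, see lead-in).
IPCOP_ESP = proposals([parse_ipcop_cipher(c) for c in ("Blowfish 256", "Blowfish 128")],
                      [normalize_hash(h) for h in ("SHA1", "MD5")],
                      [ANY], 8 * 3600)  # "ESP Keylife: 8 hours"
PFSENSE_P2 = proposals([("blowfish", ANY)], ["sha1", "md5"], [ANY], 28800)

def phase1_matches():
    return sorted(common(IPCOP_IKE, PFSENSE_P1), key=str)

def phase2_matches():
    return sorted(common(IPCOP_ESP, PFSENSE_P2), key=str)

if __name__ == "__main__":
    print("phase 1 overlap:", phase1_matches())
    print("phase 2 overlap:", phase2_matches())
```

Changing the pfSense DH Key Group to 2 (MODP 1024) empties the phase 1 overlap, which is the kind of silent mismatch that leaves a tunnel stuck in negotiation.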