Since IPCop seems to have slowed development to a slow drip (last stable update was 1.4.21 and it was made available in 2008, but a new beta was recently released - you can get it here), I am beginning the migration from IPCop to pfSense. The extra features and reports will be most welcome, but this will require replacing 20+ IPCops across four states - all are connected to one central IPCop via VPN. I must focus on minimizing disruption to the end users - simultaneous replacement of all of the units is out of the question.
I considered an IPCop and a pfSense firewall running in a side-by-side configuration with the new pfSense on our second public IP, but this means added hardware and complication with regard to routing.
Once the settings below have been completed, the pfSense box is a ready drop-in for the IPCop, and the far IPCop should require no additional configuration.
Rummaging around in the IPCop docs I found that its bundled VPN server uses IPSec. Rummaging around in the pfSense forums yielded a sparse description of the settings that allowed pfSense and IPCop to establish VPN communications - see http://www.perkiset.org/forum/all_things_general_tech/vpn_tunnel_helper_pfsense_to_ipcop-t2661.0.html - thanks to the author Perkiset for these nuggets of wisdom. While his exact configuration did not work for me, a slight variation did. I've reposted his settings but revised them with the ones that worked for me.
IPCop Box:
- Use pre-shared key
- Local and remote addresses thus: (a).(b).(c).0/255.255.255.0 where a b c is the LAN address of the remote network
- Dead Peer detection set to restart
- IKE Encryption: Blowfish 256, Blowfish 128
- IKE Integrity: SHA and MD5
- IKE Grouptype: MODP 1536
- ESP Encryption: Blowfish 256, Blowfish 128
- ESP Integrity: SHA1 & MD5
- ESP Grouptype: Phase1 Group
- ESP Keylife: 8 hours
- IKE + ESP: Unchecked
- IKE Aggressive: Not checked
- PFS: Checked
- Negotiate Payload: Unchecked
pfSense Box:
- Local subnet: LAN subnet
- Remote subnet: (a).(b).(c).0 / 24
- Remote gateway is the public address or domain name of the remote network
- Negotiation Mode: Main
- Identifier: My IP Address
- Encryption Algo: Blowfish
- Hash Algo: SHA1
- DH Key Group: 5
- Lifetime: leave blank
- Authentication method: preshared-key
- Phase 2, Protocol: ESP
- Encryption Algo: Blowfish
- Hash Algos: SHA1 & MD5
- PFS Keygroup: 2
- Lifetime: 28800 Seconds
- Ping Host: This is redundant to the Dead Peer detection in IPCop, which will execute a restart
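
The two lists above can be compared field by field before a unit is swapped. The following is an added example, not part of the original post or of either project: it transcribes the settings into dictionaries and reports what both sides have in common and which fields differ. It assumes IPCop's "SHA" means SHA1, that "Phase1 Group" means the ESP group equals the IKE group, and the standard DH group to MODP size mapping; a differing field is something to review first if a tunnel does not come up, not proof that negotiation fails.

```python
# Added example: values transcribed from the IPCop and pfSense lists above.
# Assumptions: IPCop "SHA" = SHA1; "Phase1 Group" = ESP/PFS group equals the
# IKE group; DH group numbers map to MODP sizes per RFC 2409 / RFC 3526.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}

IPCOP = {
    "ike": {"enc": {"blowfish"}, "hash": {"sha1", "md5"}, "dh_bits": 1536},
    "esp": {"enc": {"blowfish"}, "hash": {"sha1", "md5"},
            "pfs_bits": 1536, "life_s": 8 * 3600},
}
PFSENSE = {
    "ike": {"enc": {"blowfish"}, "hash": {"sha1"}, "dh_bits": MODP_BITS[5]},
    "esp": {"enc": {"blowfish"}, "hash": {"sha1", "md5"},
            "pfs_bits": MODP_BITS[2], "life_s": 28800},
}


def compare_phase(a, b):
    """Return (agreed, differing) for one phase's settings."""
    agreed, differing = {}, []
    for field in sorted(a.keys() | b.keys()):
        left, right = a.get(field), b.get(field)
        if isinstance(left, set) and isinstance(right, set):
            common = left & right          # algorithms both sides offer
            if common:
                agreed[field] = common
            else:
                differing.append(field)
        elif left == right:                # scalar settings must be equal
            agreed[field] = left
        else:
            differing.append(field)
    return agreed, differing


def compare(a, b):
    """Compare both phases; returns {phase: (agreed, differing)}."""
    return {phase: compare_phase(a.get(phase, {}), b.get(phase, {}))
            for phase in ("ike", "esp")}


if __name__ == "__main__":
    for phase, (agreed, differing) in compare(IPCOP, PFSENSE).items():
        print(phase, "agreed:", agreed)
        print(phase, "review:", differing or "nothing")
```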