Topic: Anything similar to Juniper's st interface?

rebus9
Anything similar to Juniper's st interface?
« on: July 28, 2015, 01:51:43 pm »
I have over a dozen company locations across the region connecting to our colocation facility, all using Juniper SRXes.

On the Junipers, when the VPN is set up, a secure-tunnel virtual interface is created (ex: st0.1) to terminate the tunnel.  That st0.x interface and the one at the other end, are numbered in a /30, just like any other WAN link.  Routing for our internal subnets is done using the other end of the /30 as next-hop.

We're looking to add another location, and instead of spending $$$ for more Juniper, I've been experimenting with pfSense.  Looks like a REALLY NICE product.

However, I can't find anything analogous to Juniper's numbered virtual interfaces in pfSense for VPN.  For the sake of consistency, I want to keep numbered interfaces as tunnel endpoints, and not just routing across unnumbered tunnels.

I've briefly read through the VPN docs and a clear answer didn't jump out. 

Any advice?  Thanks in advance.


jimp
Re: Anything similar to Juniper's st interface?
« Reply #1 on: July 28, 2015, 02:00:17 pm »
OpenVPN works that way, but IPsec currently does not.

What you're after is also known as "Routed IPsec" or "Route-based IPsec". It's something we'd like to see, but it doesn't exist yet.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #2 on: July 28, 2015, 02:13:20 pm »
Thanks.  That's a deal-breaker in our environment.  I'll keep watching in the future, though.

Anyway, to the extent I've experimented with pfSense (NAT, port forwarding, etc.) it seems polished, well done.  Kudos to the developers.

« Last Edit: July 28, 2015, 02:17:25 pm by rebus9 »

jimp
Re: Anything similar to Juniper's st interface?
« Reply #3 on: July 28, 2015, 02:26:33 pm »
For a VPN with dynamic routing, usually OpenVPN is used with OSPF or, in some cases, IPsec in transport mode with a GIF/GRE type tunnel, which gets you closer to that style but not 100% there since it's not quite the same.

Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level).

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #4 on: July 28, 2015, 07:47:51 pm »
Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level)

It's a shame the OS doesn't support it (yet) because Juniper's implementation is such a cakewalk.  I would love to see pfSense worked into our Juniper network going forward.  We can do with those Juniper routed IPsec tunnels pretty much anything we could do with an ordinary point-to-point link.  So much so, that at times I (almost) forget I'm working with virtual connections.

It's also ironic, since JUNOS is based on FreeBSD.


rebus9
Re: Anything similar to Juniper's st interface?
« Reply #5 on: August 05, 2016, 02:05:15 pm »
For a VPN with dynamic routing, usually OpenVPN is used with OSPF or in some cases, IPsec in transport mode with a GIF/GRE type tunnel, which gets you closer to that style but not 100% there since it's not quite the same.

Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level)

It's been a year since this original discussion, and we're approaching the need to add a couple more locations.  Before I ping our Juniper vendor for a quote, has Routed IPsec come any closer to reality in pfSense yet?  My Google Fu isn't returning any search results for the positive, so I'm hoping the community can give a definitive answer.

Thanks in advance, as always.
« Last Edit: August 05, 2016, 02:11:48 pm by rebus9 »

jimp
Re: Anything similar to Juniper's st interface?
« Reply #6 on: August 05, 2016, 02:06:18 pm »
Nope. No closer yet.

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #7 on: August 05, 2016, 02:12:23 pm »
Bummer.... but thanks for the clarification.

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #8 on: February 21, 2017, 09:24:16 pm »
Nope. No closer yet.

Has routed IPsec made it onto the future roadmap yet, or still too far over the horizon to see?  I like to check once or twice a year. 

I have to make another Juniper purchase fairly soon.  While the up-front purchase price isn't terrible considering the quality, we have so many units in service now from all the locations we've added, our annual spend for support renewals far exceeds what we spend on new equipment each year.

I'm staying cautiously optimistic that some day I'll be able to replace Juniper with pfSense, and keep some of that money in my budget for other useful things.


jimp
Re: Anything similar to Juniper's st interface?
« Reply #9 on: February 21, 2017, 09:26:27 pm »
It was recently imported into FreeBSD head, should be in FreeBSD 12, so maybe pfSense 2.5 will have it if all goes well.

https://svnweb.freebsd.org/base?view=revision&revision=309115

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #10 on: December 07, 2017, 08:52:40 am »
Any updates on Routed IPsec support yet?  This is the only thing I'm aware of that's holding us back from pfSense. 

We use OSPF and IPsec tunnels throughout the company (many locations across the state) and without that support, we're stuck on our current Juniper SRX platform.

We're seeing roughly a 40% failure rate in our branch SRX units, and that is scaring us away from Juniper.

jimp
Re: Anything similar to Juniper's st interface?
« Reply #11 on: December 07, 2017, 09:03:21 am »
The support is there at the OS level in 2.4.x (see if_ipsec(4)) but we don't have any code to hook into it yet. No ETA though.
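The numbered /30 tunnel interface described in the opening post, built on the if_ipsec(4) interface jimp refers to, as an added example that is not from this thread or from the pfSense project. It is a FreeBSD /etc/rc.conf fragment; the interface name, reqid, subnets and endpoint addresses are constructed for illustration, and it assumes the IKE daemon is configured separately to negotiate the child SAs with reqid 100 so they bind to the interface.

```conf
# Constructed rc.conf fragment: a route-based IPsec tunnel on FreeBSD with
# if_ipsec(4), the analogue of a Junos st0.x interface. Not pfSense code.

# Create the tunnel interface at boot. The reqid links it to the IPsec SAs
# that the IKE daemon negotiates (they must carry the same reqid, 100 here).
cloned_interfaces="ipsec0"
create_args_ipsec0="reqid 100"

# Number the tunnel as a /30 point-to-point link (local 10.255.0.1, peer
# 10.255.0.2) and set the outer endpoints: this firewall's public address and
# the remote site's public address. Both public addresses are constructed.
ifconfig_ipsec0="inet 10.255.0.1/30 10.255.0.2 tunnel 203.0.113.10 198.51.100.20"

# Route the remote site's internal subnet via the far end of the /30, exactly
# as over a physical WAN link. An OSPF daemon could peer across ipsec0 instead.
static_routes="branch"
route_branch="-net 192.168.50.0/24 10.255.0.2"
```

Because the interface owns its own security policies for the tunnel endpoints, no setkey(8) SPD entries are needed; only the SAs, keyed by reqid, have to exist for traffic on ipsec0 to flow.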

rebus9
Re: Anything similar to Juniper's st interface?
« Reply #12 on: December 07, 2017, 01:12:15 pm »
Thank you.  I'm sad to hear it, because I definitely liked what I saw when I tested pfSense 2 years ago.

The lack of Routed IPsec is the only thing preventing us from making it a serious contender.  For now, we'll have to keep shoveling money at Juniper, something I'm increasingly uneasy about, given their device failure rates of late.