pfSense English Support > IPsec

Anything similar to Juniper's st interface?


rebus9:
I have over a dozen company locations across the region connecting to our colocation facility, all using Juniper SRXes.

On the Junipers, when the VPN is set up, a secure-tunnel virtual interface is created (ex: st0.1) to terminate the tunnel.  That st0.x interface and the one at the other end are numbered in a /30, just like any other WAN link.  Routing for our internal subnets is done using the other end of the /30 as next-hop.

We're looking to add another location, and instead of spending $$$ for more Juniper, I've been experimenting with pfSense.  Looks like a REALLY NICE product.

However, I can't find anything analogous to Juniper's numbered virtual interfaces in pfSense for VPN.  For the sake of consistency, I want to keep numbered interfaces as tunnel endpoints, and not just route across unnumbered tunnels.

I've briefly read through the VPN docs and a clear answer didn't jump out. 

Any advice?  Thanks in advance.

jimp:
OpenVPN works that way, but IPsec currently does not.

What you're after is also known as "Routed IPsec" or "Route-based IPsec". It's something we'd like to see, but it doesn't exist yet.

rebus9:
Thanks.  That's a deal-breaker in our environment.  I'll keep watching in the future, though.

Anyway, to the extent I've experimented with pfSense (NAT, port forwarding, etc.) it seems polished, well done.  Kudos to the developers.

jimp:
For a VPN with dynamic routing, usually OpenVPN is used with OSPF or, in some cases, IPsec in transport mode with a GIF/GRE-type tunnel, which gets you closer to that style but not 100% there, since it's not quite the same.

Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level)
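The workaround jimp describes above (a gif tunnel numbered like a WAN /30, with the outer IP-in-IP packets protected by IPsec in transport mode), as an added example that is not from the thread, from pfSense or from Juniper: a small Python planner that carves a /30 into the two endpoint addresses, rejects link choices that would not behave like a real point-to-point link, and renders the FreeBSD-level `ifconfig`, `route` and `setkey` lines for each side. The site names, the documentation-range public addresses (203.0.113.1, 198.51.100.7), the 10.255.0.0/30 link and the inside subnets are assumptions chosen for the example; `ip4` is the setkey upper-layer keyword for protocol 4 (IP-in-IP), which is what gif emits. Key management (the IKE daemon, strongSwan on pfSense) is not shown, and on pfSense itself these settings would be entered through the GUI rather than as raw commands.

```python
"""Added example, not code from the thread, pfSense or Juniper: plan a numbered
/30 point-to-point tunnel between two sites and render the FreeBSD-level commands
for a gif (IP-in-IP) tunnel whose outer packets are protected by IPsec in
transport mode. Addresses are documentation ranges chosen for the example;
IKE/key management is left to the IPsec daemon and is not shown here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    public_ip: ipaddress.IPv4Address   # outer tunnel endpoint (the WAN address)
    tunnel_ip: ipaddress.IPv4Address   # inner numbered address on the /30
    inside_nets: tuple                 # IPv4Network objects reachable behind this site


def plan_p2p(name_a, pub_a, nets_a, name_b, pub_b, nets_b, link_cidr):
    """Carve a /30 into its two usable host addresses, one per side, the way a
    numbered WAN link (or a Junos st0.x pair) is addressed. Raises ValueError on
    anything that would not behave like a real /30 link."""
    link = ipaddress.ip_network(link_cidr, strict=True)   # strict: rejects host bits set
    if link.version != 4 or link.prefixlen != 30:
        raise ValueError(f"{link} is not an IPv4 /30; a numbered p2p link needs exactly two hosts")
    host_a, host_b = list(link.hosts())                    # network+1 and network+2
    sites = []
    for name, pub, nets, tun in ((name_a, pub_a, nets_a, host_a), (name_b, pub_b, nets_b, host_b)):
        pub = ipaddress.ip_address(pub)
        nets = tuple(ipaddress.ip_network(n, strict=True) for n in nets)
        if pub in link:
            raise ValueError(f"{name}: outer address {pub} must not live on the tunnel link {link}")
        for n in nets:
            if n.overlaps(link):
                raise ValueError(f"{name}: inside subnet {n} overlaps the tunnel link {link}")
        sites.append(Endpoint(name, pub, tun, nets))
    return tuple(sites)


def render_freebsd(local, remote, ifname="gif0"):
    """Commands for one side: the gif interface numbered in the /30, static routes
    via the far end of the /30, and the SPD entries that require ESP transport mode
    on the IP-in-IP (protocol 4, 'ip4' in setkey) traffic between the two WAN addresses."""
    cmds = [
        f"ifconfig {ifname} create",
        f"ifconfig {ifname} tunnel {local.public_ip} {remote.public_ip}",
        f"ifconfig {ifname} inet {local.tunnel_ip} {remote.tunnel_ip} netmask 255.255.255.252 up",
    ]
    cmds += [f"route add -net {net} {remote.tunnel_ip}" for net in remote.inside_nets]
    spd = [
        f"spdadd {local.public_ip} {remote.public_ip} ip4 -P out ipsec esp/transport//require;",
        f"spdadd {remote.public_ip} {local.public_ip} ip4 -P in ipsec esp/transport//require;",
    ]
    return cmds, spd


def consistent(a, b):
    """Check to run before pushing both configs: every static route on one side
    points at the other side's numbered address, and the two addresses differ."""
    cmds_a, _ = render_freebsd(a, b)
    cmds_b, _ = render_freebsd(b, a)
    hops_a = {c.rsplit(" ", 1)[1] for c in cmds_a if c.startswith("route add")}
    hops_b = {c.rsplit(" ", 1)[1] for c in cmds_b if c.startswith("route add")}
    return a.tunnel_ip != b.tunnel_ip and hops_a <= {str(b.tunnel_ip)} and hops_b <= {str(a.tunnel_ip)}


def link_error(link_cidr, pub_a="203.0.113.1", pub_b="198.51.100.7"):
    """Return the reason a proposed link CIDR is unusable, or None if it is fine."""
    try:
        plan_p2p("a", pub_a, [], "b", pub_b, [], link_cidr)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    # Assumed topology: the colo and one branch site, each with one inside /16.
    colo, site = plan_p2p("colo", "203.0.113.1", ["10.10.0.0/16"],
                          "site14", "198.51.100.7", ["10.20.0.0/16"], "10.255.0.0/30")
    cmds, spd = render_freebsd(site, colo)
    print("\n".join(cmds + spd))
    print("consistent:", consistent(colo, site))
```

The `setkey` lines only install policy; the matching ESP SAs still have to come from the IKE daemon (or manual keying), and the daemon must be configured so that its own IKE traffic is not caught by a broader policy, which is why the example scopes the policy to protocol 4 rather than `any`.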

rebus9:

--- Quote from: jimp on July 28, 2015, 02:26:33 pm ---Several of us here are interested in seeing this work, but it will require a bit of work to implement (and not just in our code, but at the OS level)

--- End quote ---

It's a shame the OS doesn't support it (yet) because Juniper's implementation is such a cakewalk.  I would love to see pfSense worked into our Juniper network going forward.  We can do with those Juniper routed IPsec tunnels pretty much anything we could do with an ordinary point-to-point link.  So much so, that at times I (almost) forget I'm working with virtual connections.

It's also ironic, since JUNOS is based on FreeBSD.
