Configuring Third Party IPsec Devices

Any VPN device which supports standard IPsec may be connected to a device running pfSense® software. pfSense software is used in production in combination with numerous vendors’ equipment, and will most likely work fine with any IPsec capable devices encountered in other networks. Connecting devices from two different vendors can be troublesome regardless of the vendors involved because of configuration differences between vendors, in some cases bugs in the implementations, and the fact that some of them use proprietary extensions. Some examples are provided at the end of this chapter for several common Cisco devices.

To configure an IPsec tunnel between pfSense software and a device from another vendor, the primary concern is to ensure that the phase 1 and 2 parameters match on both sides. For the configuration options on pfSense, where it allows multiple options to be selected, only select one of those options and ensure the other side is set the same. The endpoints will attempt to negotiate a compatible option when multiple options are selected, however that is frequently a source of problems when connecting to third party devices. Configure both ends to what are believed to be matching settings, then save and apply the changes on both sides.

Once the settings match on both ends of the tunnel, attempt to pass traffic over the VPN to trigger its initiation then check the IPsec logs on both ends to review the negotiation. Depending on the situation, the logs from one end may be more useful than those from the opposite end, so it is good to check both and compare. The pfSense software side typically provides better information in some scenarios, while on other occasions the other device provides more useful logging. If the negotiation fails, determine whether it was phase 1 or 2 that failed and thoroughly review the settings accordingly, as described in Troubleshooting IPsec VPNs. The side that is initiating often cannot see why, so check the logs on the responding side first.

Terminology Differences

Another frequent source of failures is differences in terminology between vendors. Here are a few common things to look out for:

Policy-Based VPN/IPsec:

The type of IPsec used by pfSense software in tunnel mode. Policies are defined which control traffic entering the tunnel (e.g. Phase 2 entries).

Encryption Domain, Policy, Proxy ID:

A network definition used in Phase 2 to control which traffic will be handled by IPsec.

On some platforms, including Palo Alto, these “Proxy ID” definitions are used in Phase 2 (IPsec) negotiation to inform the remote peer about traffic selectors for networks involved in the VPN. In these cases, they help with negotiation between a device supporting only route-based IPsec and a device that only supports policy-based IPsec.

Route-Based VPN/IPsec:

The type of IPsec used by pfSense software in VTI mode. There is an IPsec interface which routes similar to other interfaces and obeys the routing table, rather than relying on policies.

S2S or L2L:

Short for Site-to-Site or LAN-to-LAN, distinguished from a mobile client style VPN.

Perfect Forward Secrecy (PFS):

Some vendors have different names for PFS. It may only be a toggle which uses the same value as the Phase 1 DH Group, others label it with full text or the acronym, others label it DH Group. It may also be labeled MODP in some implementations.

Transform Set:

On Cisco devices, a set of parameters which define Phase 2 handling such as encryption and hash algorithms.

ISAKMP Policy:

On Cisco devices, a set of parameters that define Phase 1 (IKE) handling such as authentication, encryption, and hash algorithms, and others.

Proposals:

On Juniper and Fortigate, sets of options that define parameters for Phase 1 (IKE) or Phase 2 (IPsec) handling.

NAT Exemption or no-nat:

On Juniper and Cisco, exceptions to NAT that must be made to ensure that traffic traversing a VPN does not have NAT applied. Not generally relevant to IPsec on pfSense software since NAT is not performed on IPsec by default.

Lifebytes or Traffic Lifetime:

Limits on the amount of traffic sent over a VPN before it renegotiates. Not currently supported in the pfSense software GUI. If present on a remote device it may need to be disabled.

Compatible Devices

Nearly any device supporting standard IPsec can be connected with pfSense software. This page lists devices reported to work by users, though it should not be considered complete.

Warning

Ensure firmware is up-to-date on devices before attempting to configure IPsec. Older devices and firmware may not support modern secure algorithms and standards.

  • Adtran

  • Cisco routers

  • Cisco PIX and ASA firewalls

  • Checkpoint NG

  • DLink VPN Routers

  • Draytek VPN routers

  • IBM z/OS mainframes

  • IPCop

  • Juniper routers and firewalls

  • Kerio Control

  • LANCOM VPN Routers with LCOS

  • Linksys VPN Routers

  • m0n0wall

  • Mikrotik

  • Nortel Contivity

  • Palo Alto Networks

  • Sonicwall

  • StoneGate Firewall/VPN

  • Ubiquiti Unifi Security Gateway

  • Watchguard

  • Zyxel firewalls

… and many more.

If a device is not listed and is known to work with pfSense software for IPsec, please submit a documentation update.

Consult the device documentation for IPsec configuration details.