Significant IPsec Improvements now in 1.3!
We are pleased to welcome Matthew Grooms as our newest pfSense committer. As the developer of the Shrew Soft VPN client and an ipsec-tools developer, he brings a vast knowledge of IPsec to our development team.
Matthew recently committed some great IPsec improvements to 1.3. He provided the following, outlining these changes.
Completed Work
- Split IPsec configuration into phase1 and phase2
- Allow for multiple phase2 configurations for a single phase1 – this means you no longer have to create parallel tunnels for routing multiple subnets between two sites.
- Enable a broader range of ID types to be specified
- Improve options for variable length key ciphers (Blowfish & AES)
- Proper handling of address vs subnet negotiations in phase2
- Introduce Hybrid, Xauth and modecfg support for remote access
- Update Mobile access to allow for more secure policy generation
- Update Mobile access configuration to define modecfg-attributes
- Introduce initial support for user authentication
- NAT-Traversal (NAT-T)
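To make the first, second and ninth items above concrete, here is an added example (not pfSense or ipsec-tools code) that renders one phase1 with several phase2 entries into the racoon.conf and setkey fragments ipsec-tools consumes. The PhaseOne/PhaseTwo classes, the addresses and the proposal values are constructed for illustration; the emitted syntax follows racoon.conf(5) and setkey(8). It shows why one phase1 can now carry several subnets instead of parallel tunnels, and how a single-host selector is negotiated as an address identity while a network is negotiated as a subnet identity.

```python
"""Added example (not pfSense project code): render a phase1 with several
phase2 entries into ipsec-tools (racoon.conf / setkey) fragments.

The classes, addresses and proposal values below are constructed for
illustration; the output grammar follows racoon.conf(5) and setkey(8).
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network
from typing import List


@dataclass
class PhaseTwo:
    local: str                 # traffic selector on our side, e.g. "192.168.1.0/24"
    remote: str                # traffic selector on the peer side
    encryption: str = "aes 256"
    auth: str = "hmac_sha1"
    pfs_group: int = 2


@dataclass
class PhaseOne:
    my_addr: str
    peer_addr: str
    encryption: str = "aes 256"   # variable-length cipher with an explicit key size
    hash_alg: str = "sha1"
    dh_group: int = 2
    phase2: List[PhaseTwo] = field(default_factory=list)


def selector_id(cidr: str) -> str:
    """Return the sainfo identity for a selector: a bare host address when
    the selector is a single host, a prefixed subnet otherwise.  strict=True
    rejects selectors with host bits set (e.g. 10.0.1.1/24) with ValueError
    instead of silently negotiating a subnet the admin did not mean."""
    net = IPv4Network(cidr, strict=True)
    if net.prefixlen == 32:
        return f"address {net.network_address} any"
    return f"address {net.with_prefixlen} any"


def racoon_conf(p1: PhaseOne) -> str:
    """One 'remote' block (phase1) followed by one 'sainfo' block per phase2."""
    lines = [
        f"remote {p1.peer_addr} {{",
        "    exchange_mode main;",
        f"    my_identifier address {p1.my_addr};",
        f"    peers_identifier address {p1.peer_addr};",
        "    proposal {",
        f"        encryption_algorithm {p1.encryption};",
        f"        hash_algorithm {p1.hash_alg};",
        "        authentication_method pre_shared_key;",
        f"        dh_group {p1.dh_group};",
        "    }",
        "}",
    ]
    for p2 in p1.phase2:
        lines += [
            f"sainfo {selector_id(p2.local)} {selector_id(p2.remote)} {{",
            f"    encryption_algorithm {p2.encryption};",
            f"    authentication_algorithm {p2.auth};",
            "    compression_algorithm deflate;",   # conventional; IPcomp is only used if the SPD asks for it
            f"    pfs_group {p2.pfs_group};",
            "}",
        ]
    return "\n".join(lines) + "\n"


def setkey_spd(p1: PhaseOne) -> str:
    """Security policy entries: an out/in pair per phase2, all pointing at the
    same tunnel endpoints, so several subnets share a single phase1."""
    tun_out = f"{p1.my_addr}-{p1.peer_addr}"
    tun_in = f"{p1.peer_addr}-{p1.my_addr}"
    lines = []
    for p2 in p1.phase2:
        lines.append(f"spdadd {p2.local} {p2.remote} any -P out ipsec esp/tunnel/{tun_out}/require;")
        lines.append(f"spdadd {p2.remote} {p2.local} any -P in ipsec esp/tunnel/{tun_in}/require;")
    return "\n".join(lines) + "\n"


def example_site_to_site() -> PhaseOne:
    """Constructed sample: one phase1 to a peer and three phase2 selectors
    (two subnets and one single host) riding over that phase1."""
    return PhaseOne(
        my_addr="198.51.100.1",
        peer_addr="203.0.113.1",
        phase2=[
            PhaseTwo("192.168.1.0/24", "10.0.1.0/24"),
            PhaseTwo("192.168.1.0/24", "10.0.2.0/24"),
            PhaseTwo("192.168.1.0/24", "10.0.3.7/32"),
        ],
    )


if __name__ == "__main__":
    sample = example_site_to_site()
    print("# racoon.conf fragment\n" + racoon_conf(sample))
    print("# setkey SPD fragment\n" + setkey_spd(sample))
```

Running it prints a single `remote` block and three `sainfo` blocks, plus six `spdadd` policies; under the old one-phase2-per-tunnel model the same reachability would have needed three separate phase1 negotiations with the same peer.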
Remaining To Complete
- Improve user management interface for mobile clients
- Introduce RADIUS and LDAP support for extended auth
- Improve IPsec SPD/SAD management to not purge active SAs on reload
- Improve certificate management for IPsec configurations
- Look into support for dyndns -> dyndns IPsec peers
More information
For those not exceptionally familiar with IPsec, the above lists may not tell you much of anything. More information on usage and what all this means will come in the future.
Eye Candy
Screenshots (images not reproduced here):
- New tunnels page
- New mobile clients screen
- New mobile clients phase 1 edit screen
- New mobile clients phase 2 edit screen
Trying it out
This work is currently available in 1.3 snapshots. We encourage you to provide feedback on the mailing list or 1.3 board on the forum if you try it.
Kudos
Many thanks to Matthew for all his work on this! When completed, this will bring the most capable IPsec implementation of any open source firewall distribution to pfSense – by far. It will also provide a standards-compliant IPsec solution better than most commercial firewalls (what exists in 1.2 is already better than a number of them).
Tags: 1.3 new features
July 20th, 2008 at 10:16 am
Hi, it looks great, very beautiful
July 20th, 2008 at 11:46 pm
Excellent! Matthew…
Just curious if any of these recent improvements resolves the issue of allowing multiple IPSec connections to the same external host from within the LAN.
Again thank you all for contributing to this project. Your efforts help so many people.
July 20th, 2008 at 11:51 pm
Kevin: that’s not related to pfSense as an IPsec endpoint, which is what Matthew is working on. pfSense now supports NAT-T, which will allow multiple clients behind NAT to connect to it. Connecting to an outside IPsec device requires NAT-T to be enabled on that device; that isn’t relevant to any IPsec configuration in pfSense.
July 21st, 2008 at 1:53 pm
Kevin, That is a problem with “real” IPSEC/ESP using protocol 50. As far as I know, no firewall supports what you ask without NAT-T or some other such encapsulation.
July 21st, 2008 at 4:42 pm
Will these changes find their way into 1.2.1?
July 21st, 2008 at 4:43 pm
No, 1.2.x is bug fixes only, no new functionality.
July 21st, 2008 at 9:49 pm
If 1.3 gets IPsec compression, too, then it will truly be the best! Any chance of that sneaking in there? FreeBSD should already support the IPcomp flag, I think.
July 21st, 2008 at 10:27 pm
Compression is something Matthew is going to look at before he’s finished. It was discussed earlier today on our dev list. The problem is that it’s not necessarily compliant with other devices, but it will be looked into.
July 23rd, 2008 at 9:06 am
Will it be possible to:
a) Have multiple mobile users connect using standard Windows XP VPN (IPSEC)?
b) Filter these so they can and cannot reach different destination hosts on the LAN?
c) When will all this be available (in beta and GA)?
July 23rd, 2008 at 10:14 am
Kim:
a) There is no standard IPsec client in Windows XP. You can deploy the Shrew Soft client which works great.
b) Yes, no differently than you can already filter IPsec traffic in 1.2.
c) As always – when it’s ready. We’ll have a development road map up in the next couple of months or so.
July 23rd, 2008 at 2:54 pm
Will 1.3 be supporting L2TP with this IPSEC improvement?
July 23rd, 2008 at 3:18 pm
L2TP is not part of this, no; it’s a different beast entirely. It is being considered separately. It can run under mpd; this is strictly IPsec, as it runs under ipsec-tools.
July 25th, 2008 at 4:01 am
It is possible to restrict user access to a specific destination network based on group inclusion when Xauth is used. I am evaluating the possibility of adding support for this to pfSense. This will require a bit of work with respect to the user management system which is my current focus of development. More details regarding this should surface soon.
August 4th, 2008 at 1:08 am
Re. the per-user restriction, that would help make pfsense a viable alternative to the commercial boxes like Cisco ASA/PIX, Checkpoint etc. They all allow quite fine grained per user/group VPN user control, and that is sorely missing in pfsense and the other open source solutions I evaluated.
August 11th, 2008 at 6:59 pm
The L2TP over IPSec feature will be #1 on my wishlist.
As an OS X user it would be really nice to switch to L2TP/IPsec from PPTP.
Best regards.
December 11th, 2008 at 11:20 am
This looks very promising!!! Has there been any progress made on this since this article has been posted?
February 3rd, 2009 at 9:55 am
Cool! Will the new features be documented with example configurations?
Best regards.
February 3rd, 2009 at 10:25 am
FBI01: Yes, eventually.