Significant IPsec Improvements now in 1.3!

July 18th, 2008 by Chris Buechler

We are pleased to welcome Matthew Grooms as our newest pfSense committer. As the developer of the Shrew Soft VPN client and an ipsec-tools developer, he brings a vast knowledge of IPsec to our development team.

Matthew recently committed some great IPsec improvements to 1.3. He provided the following, outlining these changes.

Completed Work

  1. Split IPsec configuration into phase1 and phase2
  2. Allow for multiple phase2 configurations for a single phase1 – this means you no longer have to create parallel tunnels for routing multiple subnets between two sites.
  3. Enable a broader range of ID types to be specified
  4. Improve options for variable length key ciphers (Blowfish & AES)
  5. Proper handling of address vs subnet negotiations in phase2
  6. Introduce Hybrid, Xauth and modecfg support for remote access
  7. Update Mobile access to allow for more secure policy generation
  8. Update Mobile access configuration to define modecfg-attributes
  9. Introduce initial support for user authentication
  10. NAT-Traversal (NAT-T)
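
As an added illustration (not pfSense's generated configuration and not Matthew's code), here is how items 1, 2, 4, 5 and 10 map onto the ipsec-tools racoon.conf syntax that pfSense 1.3 drives: a single remote block (phase 1) serves two sainfo blocks (phase 2), so two subnet pairs share one IKE negotiation instead of two parallel tunnels. The addresses, subnets and PSK path are constructed placeholders.

```conf
# Constructed example: one IKE phase 1 peer serving two phase 2 subnet pairs.
# Addresses and the pre-shared key path are placeholders, not from the page.
path pre_shared_key "/var/etc/psk.txt";

# Phase 1 (IKE SA): negotiated once per peer, regardless of how many subnets follow.
remote 203.0.113.10 {
        exchange_mode main;
        my_identifier address 198.51.100.1;     # item 3: address, fqdn, user_fqdn or keyid IDs
        peers_identifier address 203.0.113.10;
        nat_traversal on;                       # item 10: NAT-T, ESP carried in UDP/4500
        generate_policy off;                    # policy is fixed in the SPD, not proposed by the peer
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm aes 256;   # item 4: explicit key length for AES/Blowfish
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Phase 2 (IPsec SAs): one sainfo per subnet pair, all under the single phase 1 above.
# Item 5: selectors are address/prefix; a single host would be written with /32.
sainfo address 10.0.1.0/24 any address 192.168.10.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;          # IPcomp, see the compression discussion in the comments
}

sainfo address 10.0.2.0/24 any address 192.168.10.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

The matching security policies are loaded separately with setkey(8): one spdadd per direction for each subnet pair, each pointing at the same esp/tunnel endpoint pair, which is why the peer only needs one phase 1.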

Remaining To Complete

  1. Improve user management interface for mobile clients
  2. Introduce RADIUS and LDAP support for extended auth
  3. Improve IPsec SPD/SAD management to not purge active SAs on reload
  4. Improve certificate management for IPsec configurations
  5. Look into support for dyndns -> dyndns IPsec peers

More information
For those not exceptionally familiar with IPsec, the above lists may not tell you much of anything. More information on usage and what all this means will come in the future.

Eye Candy
New tunnels page
New mobile clients screen
New mobile clients phase 1 edit screen
New mobile clients phase 2 edit screen

Trying it out
This work is currently available in 1.3 snapshots. We encourage you to provide feedback on the mailing list or 1.3 board on the forum if you try it.

Kudos
Many thanks to Matthew for all his work on this! When completed, this will bring the most capable IPsec implementation of any open source firewall distribution to pfSense – by far. It will also provide a standards-compliant IPsec solution better than most commercial firewalls (what exists in 1.2 is already better than a number of them).

18 Responses to “Significant IPsec Improvements now in 1.3!”

  1. heiko Says:

    Hi, it looks great, very beautiful

  2. Kevin Says:

    Excellent! Matthew…
    Just curious if any of these recent improvements resolves the issue of allowing multiple IPSec connections to the same external host from within the LAN.
    Again thank you all for contributing to this project. Your efforts help so many people.

  3. Chris Buechler Says:

    Kevin: that’s not related to pfSense as an IPsec endpoint, which is what Matthew is working on. pfSense now supports NAT-T, which will allow multiple clients behind NAT to connect to it. Connecting to an outside IPsec device requires NAT-T to be enabled on that device; that isn’t relevant to any IPsec configuration in pfSense.

  4. Robert Says:

    Kevin, That is a problem with “real” IPSEC/ESP using protocol 50. As far as I know, no firewall supports what you ask without NAT-T or some other such encapsulation.

  5. southman Says:

    Will these changes find their way into 1.2.1?

  6. Chris Buechler Says:

    No, 1.2x is bug fixes only, no new functionality.

  7. Dave Says:

    If 1.3 gets IPsec compression, too, then it will truly be the best! Any chance of that sneaking in there? FreeBSD should already support the IPcomp flag, I think.

  8. Chris Buechler Says:

    Compression is something Matthew is going to look at before he’s finished. It was discussed earlier today on our dev list. Problem is it’s not necessarily compliant with other devices, but it will be looked into.

  9. Kim Says:

    Will it be possible to:
    a) Have multiple mobile users connect using standard Windows XP VPN (IPSEC)?
    b) Filter these so they can and cannot reach different destination hosts on the LAN?
    c) When will all this be available (in beta and GA)?

  10. Chris Buechler Says:

    Kim:
    a) There is no standard IPsec client in Windows XP. You can deploy the Shrew Soft client which works great.
    b) Yes, no differently than you can already filter IPsec traffic in 1.2.
    c) As always, when it’s ready. We’ll have a development road map up in the next couple of months or so.

  11. Ide Says:

    Will 1.3 be supporting L2TP with this IPSEC improvement?

  12. Chris Buechler Says:

    L2TP is not part of this, no, it’s a different beast entirely. It is being considered separately. It can run under mpd, this is strictly IPsec as it runs under ipsec-tools.

  13. Matthew Says:

    It is possible to restrict user access to a specific destination network based on group inclusion when Xauth is used. I am evaluating the possibility of adding support for this to pfSense. This will require a bit of work with respect to the user management system which is my current focus of development. More details regarding this should surface soon.

  14. JF Says:

    Re. the per-user restriction, that would help make pfsense a viable alternative to the commercial boxes like Cisco ASA/PIX, Checkpoint etc. They all allow quite fine grained per user/group VPN user control, and that is sorely missing in pfsense and the other open source solutions I evaluated.

  15. Pixa Says:

    The L2TP over IPSec feature will be #1 on my wishlist ;)
    As an OS X user it would be really nice to switch to l2tp/ipsec from pptp.
    Best regards.

  16. Josh Says:

    This looks very promising!!! Has there been any progress made on this since this article has been posted?

  17. FBI01 Says:

    Cool! Will the new features be documented with example configurations?
    Best regards.

  18. Chris Buechler Says:

    FBI01: Yes, eventually.
