PfSense

Материал из Webko Wiki
Версия от 10:20, 19 января 2021; Sol (обсуждение | вклад) (Новая страница: «Категория:ClusterКатегория:HardwareКатегория:BSD == IPsec duble 2 phase (split connections)== (IKEv2 Only) When an IKEv2…»)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к навигации Перейти к поиску


IPsec duble 2 phase (split connections)

(IKEv2 Only) When an IKEv2 tunnel has multiple Phase 2 definitions, by default the settings are collapsed in the IPsec configuration such that all P2 combinations are held in a single child SA.

Split Connections changes this behavior to be more like IKEv1 where each P2 is its configured by the daemon as own separate child SA.

Certain scenarios require this behavior, such as:

  • The remote peer does not properly handle multiple addresses in single traffic selectors. This is especially common in Cisco equipment.
  • Each child SA must have unique traffic selector or proposal settings. This could be due to the peer only allowing specific combinations of local/remote subnet pairs or different encryption options for each child SA.


split connections


Setting Up OpenVPN on PFSense 2.4.

Creating the Certificate Infrastructure needed for PFSense and OpenVPN

OpenVPN uses certificates to secure the VPN service for authentication and encryption purposes. The first thing we need to do on PFSense is create a Certificate Authority. If you already have one configured you can skip this step.

Creating a Certificate Authority on PFSense

The first step in the process is to navigate to the built-in PFSense Certificate Manager

Certificate Manager

You will then be presented with a dashboard detailing the list of CA’s installed on the server. In the example below there isn’t one so click on +Add to create a new one.

PFSense OpenVPN02.png

Next we need to fill out the form which PFSense will use to create the Certificate Authority. Since we are building an Internal Certificate Authority, select this option from the drop-down list as highlighted in the image below and then fill out the necessary details about your organization in the fields provided. Remember to give you CA a useful common name which you can use to identify it. In my example I used PFSense_RootCA. Once done, click on Save and your Internal Certificate Authority will be created.

routing between IPsec and openVPN tunnels