Slides for the February 2014 pfSense Hangout video

1. VPN Overview and dive
into IPsec
February 2014

2. Project News
● Development
○ 2.1.1
○ 2.2
● At SCALE this weekend
○ https://www.socallinuxexpo.org
● Next session - March 21
● Questions at the end

3. VPN options
● IPsec
● OpenVPN
● PPTP

4. VPN Comparison - PPTP
● Insecure
● Likely to be NAT-broken
● Just don’t use it!

5. VPN Comparison - OpenVPN and
IPsec
IPsec OpenVPN
NAT-friendly with NAT-T, Y Y
Widely interoperable with
other firewalls
Y N
Client for Windows Shrew Soft, others OpenVPN
Client for Android Built into most Android 4.x
versions
Two options available in
Google Play
Client for iOS Built into iOS 3.x and newer Available in App Store
Client for OS X Built-in Tunnelblick (free) and
Viscosity (commercial)
available

6. VPN Selection - Site to Site
● Interoperability with third party devices -
IPsec
● One endpoint behind NAT - OpenVPN
● NAT within VPN, both, but OpenVPN most
flexible

7. VPN Selection - Mobile Users
● OpenVPN usually easier to configure
● Depends on devices supported and personal
preferences

8. IPsec Intro - Modes
● Tunnel
● Transport
http://diecarvi.wordpress.com/2013/07/04/ipsec-tunnel-and-transport-modes-why-doesnt-transport-mode-work-between-routers/

9. IPsec and IPv6
● IPv6 inside IPv6 tunnels
● IPv4 inside IPv4 tunnels
● Mobile clients IPv4-only

10. IPsec Example Site to Site VPN

11. IPsec Troubleshooting
● Check Status>IPsec
● Check firewall states
● Deciphering IPsec logs
● Enabling debug logging
● MSS clamping requirements
○ Hanging TCP connections

12. IPsec Troubleshooting - Packet Capture
Six points for tracing traffic

13. Thanks for attending!
Questions?
Next session - March 21
Comments, suggestions, feedback welcome to
gold@pfsense.org