VPN from Firewalla Gold to an L2TP or IKEv2 Firebox
I need to set up a VPN connection from my Firewalla Gold to a Firebox that has L2TP and IKEv2. Does Firewalla Gold have that ability? I know there are settings for OpenVPN, but that is not supported in the configuration of the Firebox.
-
L2TP is what I am most interested in. I have a Ubuntu Server I installed StrongSwan on for my own personal VPN. It allows iPhones to connect to the VPN without having to install OpenVPN. I know OpenVPN is really easy to configure, but I wanted something that didn't rely on another application.
My company and I split the purchase of the Firewalla Gold so I could test it out. They are interested in purchasing at least 2 more to replace a couple of Fireboxes in two offices, but both have to be able to tunnel into the main Firebox at the main office. They would be creating a site-to-site connection. I looked and it seems that the Gold has about 1/2 the packages StrongSwan needs and the rest are available (according to apt-cache) to install.
Would creating the tunnel via L2TP be doable on the Gold?
-
Ok, made some adjustments. Take a look at https://github.com/jameswillhoite/Firewalla-Scripts/tree/main/StrongSwan. This has instructions on what to do. Just make sure to read through the entire readme file before starting... Let me know if it doesn't make sense or if you have any questions. I wrote this a year ago and haven't touched it since. It just works...
My main reason for this was because my work had a WatchGuard Firewall that uses IKEv2 to create Gateways between branches. I wanted to set up my network with my work because I work remotely and help troubleshoot other computers on the network. The only thing with this setup is that my entire network is connected with work, not just the devices I want to allow to access it (I could add iptables rules but haven't). It is also a split tunnel, so ONLY the traffic destined for my work network goes through the VPN and all other traffic goes through my network.
There are two folders in the config directory to help set up a full tunnel and a split tunnel (the Firewalla hosts). I have some links in the Readme that will help with some setup with the configuration on Windows, Mac, iPhone, Android.
Hope this helps (and maybe Firewalla will incorporate into the UI ;-) )
-
It has not been added... and more than likely will not be included. I did run the IKEv2 for over a year. I just recently set up a VM Computer at work strictly with WireGuard. While the IKEv2 was able to successfully connect for over a year... I had times I had to SSH into my box and restart the connection. IKEv2 needs to re-key from time to time; when this happens my SIP would drop and my phone call would be disconnected. I would also have my RDP drop and reconnect. While it worked, and for those that want to "supervise" their child's iPhone... it will work. But it requires maintenance via ssh to keep it going and set up.
The speed of the WireGuard is also better as there is not as much overhead....
-
In your README.md you say
**FireWalla will always block connections coming in, but there is no FireWalla UI to view with this setup. FireWalla will not show network flows on this VPN connection, in fact, all of FireWalla's UI will not show this network up.**
If the UI doesn't show network flows, how can you tell if the blocking rules are working and what is being blocked? I am proficient in Linux admin using SSH.
-
The connection is all in the background. The UI will not see the flows, as they tag the packets for different views. I did my testing by just trying to access different things. I didn't need anything elaborate, just needed a way to connect site-to-site from my home network to a Watchguard Firebox at work. I extended that on to site-to-site from my home to my parents' house. All "rules" were created by adding entries to the iptables when the script ran to install StrongSwan.
I have since abandoned IKEv2 in favor of a simpler setup with WireGuard. The connection is more stable. My Company uses Zulty's phone system; I have multiple Access Points in my home, and if I moved from one AP to another while on the Phone, it would drop the call. With WireGuard, it does not. IKEv2 has to "rekey" every so often, and when it does that, sometimes you notice a drop.
The script is there for those that want to use it, but it all has to be managed via ssh. Test blocking rules yourself. I did so by pinging from a work computer to my home network and the rules applied (just had to manage outside of the UI).
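Two points in this thread ask for something the Firewalla UI does not give you for a strongSwan tunnel: restricting which LAN hosts may use the site-to-site tunnel ("I could add iptables rules but haven't") and checking, over SSH, whether those rules actually block anything. The script below is an added example and is not part of the thread or of the linked Firewalla-Scripts repository. It assumes a policy-based IPsec tunnel (forwarded LAN traffic passes the FORWARD chain), and every address in it is a constructed placeholder: local LAN 192.168.10.0/24, remote office LAN 10.20.0.0/16, and a single allowed host 192.168.10.50. The chain name VPN_ACL is likewise the example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread or the linked repo).
# Assumption: strongSwan on the Firewalla, policy-based tunnel, LAN traffic
# towards the remote office is forwarded, so the FORWARD chain is the right hook.
LOCAL_LAN="192.168.10.0/24"    # constructed placeholder
REMOTE_LAN="10.20.0.0/16"      # constructed placeholder
ALLOWED_HOST="192.168.10.50"   # constructed placeholder: the only host allowed through

# Emit (do not run) the iptables commands for a dedicated VPN_ACL chain:
# allow the one host, log the rest at a capped rate, then drop it.
# Review the output first; apply with:  ./vpn_acl.sh show | sh
tunnel_acl_rules() {
    cat <<EOF
iptables -N VPN_ACL 2>/dev/null || true
iptables -F VPN_ACL
iptables -A VPN_ACL -s $ALLOWED_HOST -d $REMOTE_LAN -j ACCEPT
iptables -A VPN_ACL -s $LOCAL_LAN -d $REMOTE_LAN -m limit --limit 5/min -j LOG --log-prefix "VPN_ACL_DROP: "
iptables -A VPN_ACL -s $LOCAL_LAN -d $REMOTE_LAN -j DROP
iptables -C FORWARD -j VPN_ACL 2>/dev/null || iptables -I FORWARD 1 -j VPN_ACL
EOF
}

# Summarise `iptables -nvL VPN_ACL -x` output read from stdin.
# Columns: pkts bytes target prot opt in out source destination ...
# Prints: TARGET SOURCE DESTINATION PKTS for each ACCEPT/DROP rule.
acl_hits() {
    awk 'NR > 2 && ($3 == "ACCEPT" || $3 == "DROP") { print $3, $8, $9, $1 }'
}

# Total packets the DROP rules have discarded (the number that answers
# "is anything actually being blocked?").
dropped_from() {
    awk 'NR > 2 && $3 == "DROP" { total += $1 } END { print total + 0 }'
}

# Constructed sample of what `iptables -nvL VPN_ACL -x` prints after some
# traffic: 42 packets from the allowed host, 7 blocked from other LAN hosts.
SAMPLE_ACL_OUTPUT='Chain VPN_ACL (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      42     3360 ACCEPT     all  --  *      *       192.168.10.50        10.20.0.0/16
       0        0 LOG        all  --  *      *       192.168.10.0/24      10.20.0.0/16         limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "VPN_ACL_DROP: "
       7      588 DROP       all  --  *      *       192.168.10.0/24      10.20.0.0/16'

# Convenience wrappers over the constructed sample, so the parsing can be
# exercised on a box without iptables.
sample_hits()    { printf '%s\n' "$SAMPLE_ACL_OUTPUT" | acl_hits; }
sample_dropped() { printf '%s\n' "$SAMPLE_ACL_OUTPUT" | dropped_from; }

case "${1:-demo}" in
    show)  tunnel_acl_rules ;;
    # On the Firewalla itself, after applying the rules:
    hits)  iptables -nvL VPN_ACL -x | acl_hits ;;
    demo)
        echo "# rules that would be applied:"; tunnel_acl_rules
        echo "# per-rule counters from the constructed sample:"; sample_hits
        echo "# dropped packets in sample: $(sample_dropped)"
        ;;
esac
```

Run `./vpn_acl.sh show` to review the rules, pipe that to `sh` as root to apply them, and then `./vpn_acl.sh hits` after pinging the remote office from a non-allowed host: the DROP counter increasing, and `VPN_ACL_DROP:` lines appearing in the kernel log (`dmesg` or `journalctl -k`), is the evidence the UI cannot give you. The LOG rule is rate-limited so a noisy host cannot flood the log.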