Advice with pfSense roadmap (ASA replacement)

Krazypoloc (Gawd, joined Jul 23, 2010, 759 messages)
Hey guys - trying to get my ducks in a row for replacing a Cisco 5510 and a Barracuda Link Balancer with a virtual pfSense appliance. This is partially due to eliminating support contract costs (nearly $3k annually between both appliances) and partially to utilize the redundancy and fault tolerance that our virtual environment can provide. I'm also implementing a colo site for replication/DR this year, so doing a tunnel from site to site would be a lot easier with like-for-like virtual appliance firewalls.

Now... for the point that I need help/suggestions on: the VPN aspect. We are currently doing Cisco VPN with RADIUS auth on the back end. This is seamless to set up from an end user perspective, as they just hit a URL, download/install the AnyConnect client, and log in with their credentials. Is there a comparable alternative in pfSense? I'm leaning toward IPsec, but it still doesn't seem as seamless as what we currently have in the ASA.

Update: I forgot to mention this is about 50-60 Macs and 20-30 PCs.
 
IPsec is included with all versions of Windows since at least XP, so no download is necessary. You may want an illustrated help guide for users setting up the IPsec connection. If computers are domain-connected, you should be able to push out a script creating the interface for them.
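As an added example of the "push out a script" idea above (this is not code from the thread or from pfSense), the following PowerShell creates a built-in Windows L2TP/IPsec VPN connection in the all-users phonebook, which is the shape a GPO startup script for domain-joined PCs would take. It assumes the pfSense side is configured for L2TP/IPsec mobile clients with a pre-shared key and user authentication handed to RADIUS; `vpn.example.com`, the connection name and the PSK value are placeholders, and the `VpnClient` module (`Add-VpnConnection`) requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the thread): deploy a Windows built-in L2TP/IPsec
# VPN connection for all users on a domain-joined machine.
param(
    [string]$Name         = "Office VPN",        # placeholder connection name
    [string]$Server       = "vpn.example.com",   # placeholder: pfSense WAN hostname
    [string]$PreSharedKey = "CHANGE-ME"          # placeholder; inject from a secured source at deploy time
)

Import-Module VpnClient

# Idempotent: a startup script runs on every boot, so skip if the connection
# already exists in the all-users (machine-wide) phonebook.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    Write-Output "VPN connection '$Name' already exists; nothing to do."
    return
}

# L2TP over IPsec with PSK; user credentials are checked by the firewall's
# RADIUS back end via MS-CHAPv2. -EncryptionLevel Required refuses to
# connect if the PPP link cannot be encrypted; -Force suppresses prompts so
# the script can run unattended.
Add-VpnConnection -Name $Name `
    -ServerAddress $Server `
    -TunnelType L2tp `
    -L2tpPsk $PreSharedKey `
    -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required `
    -RememberCredential `
    -AllUserConnection `
    -Force

# Show what was created so the result is visible in the script log.
Get-VpnConnection -Name $Name -AllUserConnection |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

Because the PSK is shared by every client, treat it as a secret in the deployment pipeline rather than a literal in a script stored on a readable share; switching to certificate-based IPsec (`-AuthenticationMethod MachineCertificate`) removes that shared secret entirely but requires a PKI on the pfSense side.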
 
OpenVPN really complements pfSense. If you have AES-NI CPUs in your VM hosts, you're going to see huge performance gains with pfSense 2.1 and OpenVPN.

IPsec is very seamless with Windows, but OpenVPN will work on anything and can be configured to be just as seamless once the install is done.

pfSense even builds installer files right on the unit that are custom built for that user/group to use. Just download, install, and click connect.
 
I avoid IPsec now in favor of OpenVPN if I can (although I use it mainly for site-to-site rather than mobile users). I never have the weird timing/reconnect issues that can come up if an endpoint reboots or the internet drops for a moment at a bad time. But for mobile people, the client is easy to use and just works too.
 
I like IPsec for site-to-site VPN; it's been more reliable in my experience. I would also recommend OpenVPN for OP's scenario. pfSense 2.x can create the client for each user; just e-mail it to the user and ipso facto pterodactyl you're done.
 
Yes, the config export is platform-agnostic. pfSense 2.x CAN supply an executable that installs and configures automatically, but AFAIK that is Windows-only.

Some info here (scroll down) and here, talking about a downloadable configured package for Mac OS.
 
If you use the Viscosity OpenVPN client (IMO the best OpenVPN client for Mac or Windows), then yes, you can export the config file; you simply double-click it on the Mac and Viscosity will import it.
 