I have used pfSense for just over a decade and for that time at different companies I have advocated for the TAC support from Netgate. They didn’t always have the answers right away but they always tried hard. I voiced my appreciation in other posts on Reddit to provide gratitude and to allow other community members to see a positive experience. There were many posts concluding that Netgate was going to leave their open source community in the wind specifically surrounding the 2.7 delay and close sourcing some of the code. I did not agree with those conclusions and thought Netgate had too much Work in Progress and mismanaged the release which is why it took way longer than expected.
Problem:
Yesterday, I ran into a problem I can’t solve. Remote users from my parent company are coming onsite for the first time after the acquisition and they are unable to use their Checkpoint user VPN behind the pfSense firewall in the office. I convinced the president of the company that spending the 799 dollars for enterprise TAC support would be worth it to help solve this issue. After about 3 hours on the phone with Netgate TAC and some email correspondence they are deflecting the problem and saying that upgrading to the Plus edition is the only way forward. Unfortunately, maintenance windows are hard to come by, so upgrading to Plus is not an option at this time. Also, forcing Plus after the lengthy 2.7 release kinda pisses me off. Now I have to tell the president of the company that I was wrong and I wasted 799 dollars of the company’s money. Our budget is very tight and I’m basically screwed.
I hope the community can see my point of view and help me out. Please don’t tell me tough luck, at least you’re not paying Cisco prices, or move to OPNsense. I still like pfSense and honestly just want our parent company’s users to be able to use their VPN while visiting our office.
I have no experience with Checkpoint, but I can tell already that it sucks.
I took a packet capture on the client interface:
The client sends a TCP SYN packet out to 443 but there is never an ACK
169ms later another SYN is sent and there is also never a corresponding ACK
The client sends an ISAKMP packet with a dst port of 4500 and the server replies with `Length: (bogus, length is 2232590509, which is too large)`
After that the client sends 8 retransmits for steps 1 and 2
Then another SYN
Then 4 more ISAKMP packets with the last one stating `Notify Message Type: NO-PROPOSAL-CHOSEN (14)`
Then more SYN retransmits
I verified and the firewall is not blocking the traffic to the remote Checkpoint VPN server. We have tested the Checkpoint VPN while the laptop was tethered to a cell and it worked.
Unfortunately, I have no control over the parent company’s VPN solution. I’ve been on this side of an acquisition multiple times, and generally at this point, we would be removing the pfSense and they’d be putting in their own, and we’d be migrating to their solution. I’m glad that’s not happening (yet), but they might get a poor first impression of our network since their VPN doesn’t work.
I would run a packet capture (Wireshark) on the client while tethered and see if it’s doing something special/specific on the connection. Compare that to a packet capture from pfSense while on the network.
And I would also consider asking HQ to allow a specific IPsec tunnel for these users so they can skip their VPN.
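The side-by-side comparison suggested above (tethered capture versus office capture) can be automated so the difference is obvious before anyone opens a TAC ticket. The script below is an added example and is not from the original thread or from Netgate: it parses a simplified, constructed tshark-style summary (one packet per line, `<seconds> <src>:<sport> -> <dst>:<dport> <proto> <info>`), flags TCP flows whose SYNs never received a SYN/ACK and ISAKMP packets carrying a problem marker (the `bogus` length note and `NO-PROPOSAL-CHOSEN` seen in the thread), and reports what the broken capture shows that the working one does not. All addresses (10.0.0.5, 10.8.0.2, 203.0.113.10) and the line format are assumptions made for the example; adapt `LINE_RE` to whatever your real tshark field output looks like.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample captures modelled on the observations in the thread.
# 203.0.113.10 stands in for the remote Checkpoint gateway (documentation range, not a real host).
OFFICE_CAPTURE = """
0.000 10.0.0.5:51234 -> 203.0.113.10:443 TCP [SYN]
0.169 10.0.0.5:51234 -> 203.0.113.10:443 TCP [SYN]
0.200 10.0.0.5:4500 -> 203.0.113.10:4500 ISAKMP Identity Protection (Main Mode)
0.230 203.0.113.10:4500 -> 10.0.0.5:4500 ISAKMP Length: (bogus, length is 2232590509, which is too large)
0.400 10.0.0.5:51234 -> 203.0.113.10:443 TCP [SYN]
1.500 203.0.113.10:4500 -> 10.0.0.5:4500 ISAKMP Informational Notify Message Type: NO-PROPOSAL-CHOSEN (14)
"""

TETHERED_CAPTURE = """
0.000 10.8.0.2:51234 -> 203.0.113.10:443 TCP [SYN]
0.040 203.0.113.10:443 -> 10.8.0.2:51234 TCP [SYN, ACK]
0.041 10.8.0.2:51234 -> 203.0.113.10:443 TCP [ACK]
0.100 10.8.0.2:4500 -> 203.0.113.10:4500 ISAKMP Identity Protection (Main Mode)
0.140 203.0.113.10:4500 -> 10.8.0.2:4500 ISAKMP Identity Protection (Main Mode)
"""

# Simplified summary line: <seconds> <src>:<sport> -> <dst>:<dport> <proto> <info>   (assumed format)
LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\S+)\s*(?P<info>.*)$"
)

# Substrings in the ISAKMP info column that indicate the exchange is failing.
ISAKMP_PROBLEM_MARKERS = ("bogus", "NO-PROPOSAL-CHOSEN")


@dataclass(frozen=True)
class Packet:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    info: str


def parse_capture(text):
    """Turn the summary text into Packet records, skipping lines that do not match."""
    packets = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(float(m["t"]), m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["proto"], m["info"].strip()))
    return packets


def tcp_flags(info):
    """Extract the flag set from an info column such as '[SYN, ACK]'."""
    m = re.search(r"\[([A-Z, ]+)\]", info)
    return {f.strip() for f in m.group(1).split(",")} if m else set()


def unanswered_syns(packets):
    """Return {(src, sport, dst, dport): syn_count} for flows that never saw a SYN/ACK back."""
    syn_count = Counter()
    answered = set()
    for p in packets:
        if p.proto != "TCP":
            continue
        flags = tcp_flags(p.info)
        if flags == {"SYN"}:
            syn_count[(p.src, p.sport, p.dst, p.dport)] += 1
        elif {"SYN", "ACK"} <= flags:
            # A SYN/ACK travels server -> client; record it under the client's flow key.
            answered.add((p.dst, p.dport, p.src, p.sport))
    return {flow: n for flow, n in syn_count.items() if flow not in answered}


def isakmp_problems(packets):
    """ISAKMP packets whose info column carries one of the problem markers."""
    return [p for p in packets
            if p.proto == "ISAKMP" and any(mk in p.info for mk in ISAKMP_PROBLEM_MARKERS)]


def compare_captures(working, broken):
    """Human-readable findings present in the broken capture but absent from the working one.
    Flows are compared by destination because the client address differs between the two paths."""
    findings = []
    working_bad_dsts = {(f[2], f[3]) for f in unanswered_syns(working)}
    for (src, sport, dst, dport), n in unanswered_syns(broken).items():
        if (dst, dport) not in working_bad_dsts:
            findings.append(f"{n} SYN(s) from {src}:{sport} to {dst}:{dport} never got a SYN/ACK "
                            f"(handshake completes on the working path)")
    working_msgs = {p.info for p in isakmp_problems(working)}
    for p in isakmp_problems(broken):
        if p.info not in working_msgs:
            findings.append(f"ISAKMP from {p.src}:{p.sport} at t={p.t}: {p.info}")
    return findings


if __name__ == "__main__":
    for line in compare_captures(parse_capture(TETHERED_CAPTURE), parse_capture(OFFICE_CAPTURE)):
        print(line)
```

Two things fall out of the report on the constructed data: the TCP 443 handshake never completes from the office side while it does when tethered, and the UDP 4500 exchange only produces problem notifications behind the office firewall. That is exactly the kind of evidence worth attaching to a support case, because it separates "the firewall blocks it" (a SYN/ACK would never appear) from "the VPN negotiation itself is being rejected" (the ISAKMP notify does arrive, so the path is open but the proposal is not accepted).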
I can understand. I like pfSense, so I hope someone can come along shortly and be able to help.
We are on the CE version and I thought about submitting a purchase request for TAC support, if nothing else, but to acknowledge their software. But now not sure…
The requirement for TAC has been to be on Plus since January. You can always get a Lite license today, upgrade, and then upgrade it to Pro or Enterprise later if you want.
They keep saying, though, that the best way to support the project is to buy the hardware.
I’m a little confused by your comment. Are you saying you can put the Plus license on the CE version without rebooting and be in compliance with their new rule?
As for purchasing their hardware, I’ve looked at their offerings, but they don’t meet our requirements. I’ve been purchasing Supermicro SYS-1019D-FRN8TP with 64Gb of mem and either an Intel or Chelsio 10Gb 4 port SFP+ PCIe card.
Nope. I’m saying that u/urbnsr could use a TAC Lite license to get up to Plus and then later add TAC Pro or TAC Enterprise when needed or wanting to give financial support.