VPN site-to-site can only be configured between two pfSense setups?

So, I am searching for ways to connect the headquarters and a branch store. Only headquarters has pfsense.

My question is: in order to use IPsec, is it mandatory that the branch store has pfSense configured as well?

I couldn’t find information elsewhere on whether I can make a site-to-site tunnel with my current situation.

A site-to-site IPsec tunnel is vendor-agnostic.

I have done IPsec S2S between pfSense and Sophos, UniFi, FortiGate, Cisco, etc. firewalls.

Some firewalls require some different settings depending on the software on the firewall.

So to answer your question: no, you don't need pfSense on the other side, just something that supports IPsec.

The big thing is looking at the logs on both sides when it comes to troubleshooting why the IPsec tunnel isn't coming up.

IPsec doesn’t care what the other device is. Just match the encryption, networks, etc. and it’ll work.

Generally speaking, it’s not necessary for both ends to run pfSense. What’s at the other end?

You could theoretically have a layer 3 switch at the other end. You wouldn’t, but you could.

You can raid the old systems pile and grab an old server or a used desktop, install pfSense on it and use that until a better solution is found or management springs for another pfSense box.

Sure. You can do it between any routers that support it; it’s a standard and doesn’t depend on the vendor.

IPsec, WireGuard, and OpenVPN are all open standards, so your only limitation is which vendors choose to support them.

IPsec is generally accepted by everyone everywhere, and WireGuard is gaining popularity in Linux/FreeBSD based firewalls.

I’ve done site-to-site WireGuard between pfSense and MikroTik and it works just the same.

just something that supports ipsec

So on the internet broadband modem for the branch store I have to check if there are IPsec settings there, I see.

So the same config that pfSense has in IPsec for the remote gateway and shared key, I will have to set in the modem in the branch store?

Because all the tutorials I have found show configuring two pfSenses with the two phases equal, just changing the remote gateway IP address in each case.

That’s the origin of my question in the first place.
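To make concrete what "match the encryption, networks, etc." and "the two phases equal, just changing the remote gateway" mean when the far end is not pfSense, here is an added example (not from anyone in this thread) of a strongSwan swanctl.conf for the branch side, mirroring an assumed pfSense Phase 1/Phase 2 configuration at headquarters. All addresses, subnets, algorithm choices and the PSK are constructed placeholders; strongSwan is assumed as the non-pfSense endpoint because most Linux/FreeBSD routers that offer IPsec run it or something like it.

```conf
# Branch-side strongSwan (swanctl.conf). Every value below must equal the
# corresponding field in the pfSense IPsec GUI at HQ, except that local and
# remote are swapped. Constructed sample values, not a real deployment.
connections {
    branch-to-hq {
        version = 2                          # pfSense P1 "Key Exchange version": IKEv2
        local_addrs  = 198.51.100.10         # branch WAN (pfSense P1 "Remote Gateway")
        remote_addrs = 203.0.113.5           # HQ pfSense WAN (pfSense "Interface" address)
        local {
            auth = psk                       # pfSense P1 "Authentication Method": Mutual PSK
            id = 198.51.100.10               # pfSense P1 "Peer identifier"
        }
        remote {
            auth = psk
            id = 203.0.113.5                 # pfSense P1 "My identifier"
        }
        # Phase 1 proposal: pfSense P1 AES 256 / SHA256 / DH group 14
        proposals  = aes256-sha256-modp2048
        rekey_time = 28800s                  # pfSense P1 "Life Time" (28800 is its default)
        dpd_delay  = 10s                     # pfSense P1 "Dead Peer Detection" delay
        children {
            lan-to-lan {
                local_ts  = 192.168.20.0/24  # branch LAN (pfSense P2 "Remote Network")
                remote_ts = 192.168.10.0/24  # HQ LAN (pfSense P2 "Local Network")
                # Phase 2 proposal: pfSense P2 ESP AES256 / SHA256 / PFS group 14.
                # pfSense expresses PFS as a DH group; strongSwan appends it here.
                esp_proposals = aes256-sha256-modp2048
                rekey_time    = 3600s        # pfSense P2 "Life Time" (3600 is its default)
                start_action  = start        # bring the tunnel up at load, like pfSense's
                dpd_action    = restart      # "Start immediately" child SA option
            }
        }
    }
}
secrets {
    ike-hq {
        id = 203.0.113.5                     # must match the peer id above
        secret = "REPLACE_WITH_SAME_PSK_AS_PFSENSE"   # placeholder, same string on both ends
    }
}
```

If the tunnel does not come up, compare the proposal and traffic-selector lines here against the pfSense IPsec log on the other side; a mismatch in any one of them (cipher, DH group, lifetime, or subnet) is the usual cause.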

Not generally speaking—definitively speaking. IPsec is standardized.

Just the internet broadband modem there.

For those downvoting, it’s entirely plausible to run a L3 switch as an IPSEC VPN tunnel endpoint.

Yes, you need to check whether the remote router in question supports IPsec VPN tunnels; if it doesn't, then you need to look at another option.

What is the full model of the branch store router?

Have you never set up an IPsec tunnel between devices before?

not generally speaking—definitively speaking. IPsec is standardized

I agree… BUT if it’s a no-name broken consumer router with half-ass IPsec at the other end, I hedge my reply. And I have run into that in here…

It sounds like you need to make sure that device is capable of IPsec tunnels, and if it’s just a standard ISP-provided device, it’s not likely. Put it into bridge mode, put a proper business firewall/router behind it and get that configured.

Assuming the L3 switch supports it, sure.

No, first time. What I have is a fixed IP we bought from the ISP for both broadband modems; currently one is used at headquarters and the other at the branch store.

Currently there is a VPN between a D-Link (IPsec) here at headquarters and, on the other end, the broadband modem in the branch store.

Since we don’t intend to use the D-Link in the future, that’s why we would like to use pfSense in this case.