I have been getting a little bothered by Cisco lately. For starters we have been having all sorts of issues with hardware failure at one of my clients. And even though we have a HA arrangement with the ASA 5545x firewalls, the connections are dropped and the fail-over is far from seamless. I have also had quite a bit of trouble with my aging PIX 506E that serves as a simple firewall with VPN for remote management. Everything works, but i cannot access certain internal hosts over the VPN, and new NAT rules added do not work.
So This week i replaced the firewall with PFsense on commodity hardware I had decommissioned earlier this year. (http://www.supermicro.com/products/system/1U/5015/SYS-5015M-MF_.cfm)
The goal was to deploy the firewall with two interfaces and add IPSEC vpn for remote management. I had some issues but they were resolved to my satisfaction. I am posting this to help others who decide to move away from Cisco, whatever the reason.
First, download the appropriate ISO to install your firewall software on the computer of your choice.
Next burn the ISO to a dvd (i used IMGBURN: http://www.imgburn.com/)
Find a computer with two network interface cards. (or buy one of the approved devices here: http://store.netgate.com/Netgate-FW-7541-P1846C83.aspx )
boot the computer off the DVD and proceed with the installation. (i used the livecd and chose the install locally option)
During the install, choose which Network interface will be your LAN and which will be your WAN. You can also setup VLANs at this time or do that later.
The install and configuration is similar to many firewalls i have used, I didnt use any guide or walkthrough when installing and if you have installed a sonicwall, netscreen / juniper / ASA firewall you wont need much if any help. really easy and self explanatory.
I used the following post to configure VPN settings on the firewall and client software (shrewsoft: https://www.shrew.net/download/vpn)
In the end it connected right away but i was unable to get to any hosts on the far side. after turning on debugging on the firewall for ipsec and doing the trace tool from shrewsoft i was unable to find any way to get traffic to flow across the VPN. Until I looked at the firewall logs, by default, the firewall does not allow anything over the IPSEC interface. I fixed that by adding a rule to allow all traffic coming from the IPSEC interface to access the LAN subnet on all protocols. This solved the issue, and it is working well. We have tested multiple connections to this vpn and it works well.
Next I will be configuring log aggregation and load balancing. Someday I may even roll this into production environments. I really like the simplicity and the fact that you can have several features combined on one appliance, such as firewall, load balancer, traffic shaper etc.