Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address
-
Hi, this is my first time here, and also relatively new to Netgate products.
[Requirements & Scenario]:
I have deployed a pfSense firewall on AWS VPC with a public and private subnet.
I've assigned an Elastic IP/Static IP to the WAN interface, and the LAN interface is connected to the private subnet, acting as its default GW. I need to set up an IPsec tunnel between a server sitting in the private subnet and our Vendor, but our vendor needs to reach this device via a public IP.
I've tried to add a secondary static IP to the WAN interface and create a virtual IP on pfSense. Now the WAN has two public IPs:
- 13.x.x.175 This is the default GW
- 13.x.x.115 This is the secondary IP / Virtual IP.
[Problem]
Phase 1 of the tunnel is successful.
Phase 2 fails with the following message:
IKE_SA con2[53] established between 10.100.8.35[10.100.8.35]...41.222.182.6[41.222.182.6]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'con2' failed
I would appreciate any ideas on how to set this up / resolve this issue.
-
@Moses_Kabungo said in Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address:
IKE_SA con2[53] established between 10.100.8.35[10.100.8.35]...
So I guess, this is the real interface IP which is sent to the remote site as identifier.
You can state a custom identifier in the phase 1.
-
@viragomann I appreciate your suggestion,
I've tried to set the custom identifier as you said (screenshot below), but the logs still indicate:
IKE_SA con2[89] established between 10.100.8.35[13.X.X.175]...41.Y.Y.6[41.Y.Y.6]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'con2' failed
Here is the screenshot:
-
@Moses_Kabungo said in Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address:
no CHILD_SA built
From this error message, I'd assume that there is something wrong with the phase 2 configuration. But I don't know what you've set there.
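The two replies above point at two separate things to check in the charon output: the identifier in brackets on the "established between" line (viragomann's first reply) and the TS_UNACCEPTABLE notify that follows it, which in IKEv2 means the responder found no proposed Phase 2 traffic selector it could accept (the second reply). The script below is an added example, not code from the thread or from pfSense: it parses the log lines quoted in the original post, flags a local IKE identifier that is an RFC 1918 interface address, and compares a pfSense Phase 2 definition against the vendor's to list the selector pairs the vendor cannot accept. The Phase 2 subnets, the vendor's 192.168.50.0/24, and the documentation addresses 203.0.113.175 / 203.0.113.115 (standing in for the thread's masked 13.X.X.175 and 13.x.x.115) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample charon log lines. Line 1 is the "established" line quoted in the
# original post; line 3 is a constructed variant after a custom Phase 1 identifier has
# been set, with 203.0.113.175 (a documentation address) standing in for 13.X.X.175.
CHARON_LINES = [
    "IKE_SA con2[53] established between 10.100.8.35[10.100.8.35]...41.222.182.6[41.222.182.6]",
    "received TS_UNACCEPTABLE notify, no CHILD_SA built",
    "IKE_SA con2[89] established between 10.100.8.35[203.0.113.175]...41.222.182.6[41.222.182.6]",
    "received TS_UNACCEPTABLE notify, no CHILD_SA built",
]

# RFC 1918 ranges, checked explicitly: ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24 and would misclassify the constructed public address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ESTABLISHED_RE = re.compile(
    r"IKE_SA (?P<conn>\S+?)\[(?P<sa>\d+)\] established between "
    r"(?P<local_addr>\S+?)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote_addr>\S+?)\[(?P<remote_id>[^\]]+)\]"
)


def parse_ike_sa(line):
    """Return endpoints and IKE identifiers from a charon 'established between' line, or None."""
    m = ESTABLISHED_RE.search(line)
    return m.groupdict() if m else None


def is_rfc1918(text):
    """True if the identifier is an address inside an RFC 1918 range (FQDN/key-id IDs -> False)."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def diagnose_log(lines):
    """Attach each TS_UNACCEPTABLE notify to the IKE_SA line before it and report:
    (a) a local identifier that is a private interface address, (b) the selector rejection."""
    findings, current = [], None
    for line in lines:
        sa = parse_ike_sa(line)
        if sa:
            current = sa
            if is_rfc1918(sa["local_id"]):
                findings.append(
                    f"{sa['conn']}[{sa['sa']}]: local IKE identifier {sa['local_id']} is an RFC 1918 "
                    f"interface address; the peer most likely expects the public address as the ID"
                )
        elif "TS_UNACCEPTABLE" in line and current:
            findings.append(
                f"{current['conn']}[{current['sa']}]: Phase 1 is up, but the peer rejected every "
                f"proposed Phase 2 traffic selector (compare local/remote subnets on both ends)"
            )
    return findings


def check_traffic_selectors(ours, theirs):
    """ours/theirs: lists of (local_subnet, remote_subnet) as each side has them in Phase 2.
    A pair of ours is acceptable if some vendor pair overlaps it crosswise (our local vs
    their remote, our remote vs their local); IKEv2 lets the responder narrow to the
    intersection, so overlap rather than strict equality is the test. Returns the pairs
    of ours that no vendor pair can accept, i.e. the ones that yield TS_UNACCEPTABLE."""
    theirs_nets = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in theirs]
    rejected = []
    for l, r in ours:
        our_local, our_remote = ipaddress.ip_network(l), ipaddress.ip_network(r)
        if not any(our_local.overlaps(t_remote) and our_remote.overlaps(t_local)
                   for t_local, t_remote in theirs_nets):
            rejected.append((str(our_local), str(our_remote)))
    return rejected


# Constructed Phase 2 definitions (hypothetical subnets). The vendor expects to reach the
# server at the secondary public IP, while pfSense offers the private subnet as its local side.
PFSENSE_P2_AS_IS = [("10.100.9.0/24", "192.168.50.0/24")]
VENDOR_P2 = [("192.168.50.0/24", "203.0.113.115/32")]
PFSENSE_P2_ALIGNED = [("203.0.113.115/32", "192.168.50.0/24")]

if __name__ == "__main__":
    for f in diagnose_log(CHARON_LINES):
        print(f)
    print("rejected as-is:", check_traffic_selectors(PFSENSE_P2_AS_IS, VENDOR_P2))
    print("rejected aligned:", check_traffic_selectors(PFSENSE_P2_ALIGNED, VENDOR_P2))
```

The selector check is the part worth running against the real configuration: whichever side is the responder rejects a CHILD_SA with TS_UNACCEPTABLE when its own local/remote pairs do not cross-match the proposal at all, and that is independent of the Phase 1 identifier fix that the second post shows did not change the outcome. When the vendor insists on the public address as the remote selector, the local side has to present that address in Phase 2 (pfSense has a NAT/BINAT translation option in the Phase 2 entry for that purpose) rather than the private subnet; the thread itself does not reach that point, so treat it as the next thing to compare with the vendor.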