Netgate Discussion Forum
    Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address

    Moses_Kabungo:

      Hi, this is my first time here, and also relatively new to Netgate products.

      [Requirements & Scenario]:
      I have deployed a pfSense firewall on AWS VPC with a public and private subnet.
      I've assigned an Elastic IP/Static IP on the WAN interface, and the LAN interface is connected to the private subnet, acting as its default GW.

      I need to set up an IPsec tunnel to secure traffic between a server sitting in the private subnet and our Vendor, but our Vendor needs to reach this device via a public IP.
      I've tried to add a secondary static IP to the WAN interface and create a Virtual IP on pfSense.

      Now the WAN has two public IPs:

      • 13.x.x.175 This is the default GW
      • 13.x.x.115 This is the secondary IP/ Virtual IP.

      [Problem]
      Phase 1 of the tunnel is successful,
      Phase 2 fails with the following message:

      IKE_SA con2[53] established between 10.100.8.35[10.100.8.35]...41.222.182.6[41.222.182.6]
      received TS_UNACCEPTABLE notify, no CHILD_SA built
      failed to establish CHILD_SA, keeping IKE_SA
      establishing connection 'con2' failed

      I would appreciate any ideas on how to set up/resolve this issue.

      viragomann @Moses_Kabungo:

        @Moses_Kabungo said in Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address:

        IKE_SA con2[53] established between 10.100.8.35[10.100.8.35]...

        So I guess this is the real interface IP, which is sent to the remote site as the identifier.
        You can state a custom identifier in the phase 1.

        Moses_Kabungo @viragomann:

          @viragomann I appreciate your suggestion.

          I've tried to set the custom identifier as you said (screenshot below), but the logs still indicate

          IKE_SA con2[89] established between 10.100.8.35[13.X.X.175]...41.Y.Y.6[41.Y.Y.6]
          received TS_UNACCEPTABLE notify, no CHILD_SA built
          failed to establish CHILD_SA, keeping IKE_SA
          establishing connection 'con2' failed

          Here is the screenshot:


          viragomann @Moses_Kabungo:

            @Moses_Kabungo said in Setting up a site-to-site IPSec tunnel with a Vendor who needs to reach us via a public IP other than the WAN address:

            no CHILD_SA built

            From this error message, I'd assume that there is something wrong with the phase 2 configuration. But I don't know what you've set there.

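A small triage helper for charon log lines like the ones in this thread, added here as an example (not code posted by either participant). The sample input is the masked log from Moses_Kabungo's second post, and the notify hints are the RFC 7296 meanings of the IKEv2 notify types; the script separates each peer's address from its identifier on the IKE_SA line (the difference between the first and second log excerpt) and maps a TS_UNACCEPTABLE notify to the phase 2 network definitions.

```python
import re

# Sample input: the charon log lines quoted in the thread above, with the
# masked addresses kept exactly as posted (constructed test data).
SAMPLE_LOG = """\
IKE_SA con2[89] established between 10.100.8.35[13.X.X.175]...41.Y.Y.6[41.Y.Y.6]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'con2' failed
"""

# charon prints each peer as <address>[<identity>] on the IKE_SA line.
IKE_SA_RE = re.compile(
    r"IKE_SA (?P<conn>\S+?)\[\d+\] established between "
    r"(?P<laddr>[^\[\s]+)\[(?P<lid>[^\]]+)\]\.\.\."
    r"(?P<raddr>[^\[\s]+)\[(?P<rid>[^\]]+)\]")
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) notify")

# IKEv2 notify types (RFC 7296) and the configuration area each points at.
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "phase 2 traffic selectors: local/remote networks differ from the peer's",
    "NO_PROPOSAL_CHOSEN": "proposal mismatch: encryption, hash or DH group differ from the peer's",
    "AUTHENTICATION_FAILED": "phase 1 authentication: PSK or identifiers do not match",
}

def triage_ipsec_log(text):
    """Summarise phase 1 / phase 2 state per connection from charon log lines."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = IKE_SA_RE.search(line)
        if m:
            cur = conns.setdefault(m["conn"], {"phase2": "unknown", "hints": []})
            cur.update(phase1=True, local_addr=m["laddr"], local_id=m["lid"],
                       remote_addr=m["raddr"], remote_id=m["rid"])
            if m["laddr"] != m["lid"]:  # custom identifier (e.g. the public IP) in use
                cur["hints"].append("local ID %s differs from interface address %s"
                                    % (m["lid"], m["laddr"]))
            continue
        if cur is None:
            continue
        n = NOTIFY_RE.search(line)
        if n:
            cur["hints"].append(NOTIFY_HINTS.get(n["notify"], "unhandled notify " + n["notify"]))
        if "no CHILD_SA built" in line or "failed to establish CHILD_SA" in line:
            cur["phase2"] = "failed"
        elif "CHILD_SA" in line and "established with SPIs" in line:
            cur["phase2"] = "established"
    return conns
```

Run it over a longer IPsec log export and compare the `local_id`/`remote_id` values with what the Vendor expects before touching phase 2 settings.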
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.