IPSEC on OPT1/WAN2?
-
Hello all,
I'm struggling to get IPSEC to work over OPT1/WAN2. I've got all of my subnets configured to use the default GW (*) from the LAN Net and this works when the tunnel interface is set to WAN, but if I change the interface in the IPSEC policy, it won't work. I get the SPD but no SAD associations.
My WAN interfaces are both set to static as I have small routers sitting in front of them. (Handling the PPPoE on WAN and DHCP on OPT1/WAN2 then providing static networks behind and connecting via DMZ to the pfSense 1.2Release)
Assuming my firewall rules are good ( * LAN net * 204.xxx.xxx.xxx/24 * * … etc) should I have to do anything beyond toggle IPSEC off then change the IPSEC associated interface? (under the IPSEC edit tunnel screen)
Mesa confused!
-- Phob
-
http://forum.pfsense.org/index.php?action=search
keywords: "IPSEC" "WAN2"
-
Hello,
I actually did search before asking the question - I didn't really follow the solution as according to my IPSEC log the connection (tunnel) isn't coming up. I didn't really think it was a routing issue for my outbound packets.
Maybe I misunderstood? If so, could you clarify?
Thanks,
– Phob
-
Ahh - I think I found what you were trying to lead me to, though it might have been quicker to just tell me that I need to have a static route to the remote IPSEC gateway using WAN2's gateway…
Anyway, thanks for the carrot - I was only searching within the IPSEC forum, and not the whole site so I missed the post in the other forum with this info.
Again (in case somebody else searches for this (in this forum)) - in order to get IPSEC to work over OPT1 / WAN2 you need to create a new static route to the remote site's gateway address (the remote IPSEC tunnel end-point) using the gateway for your local OPT1 / WAN2.
-- Phob
-
Do you apply the static route to your WAN interface or WAN2 interface?
So it would be like this:
Interface   Network                        Gateway
WAN2        Remote End IPSEC WAN IP/32     WAN2 Gateway IP
or
Interface   Network                        Gateway
WAN         Remote End IPSEC WAN IP/32     WAN2 Gateway IP
-
This was completely wrong… (deleted)
-
Actually, my IpSec tunnels on WAN2 are working with a route like this:
@Wasca:
Interface   Network                        Gateway
WAN2        Remote End IPSEC WAN IP/32     WAN2 Gateway IP
The LAN one doesn't make sense to me, as the problem is the box trying to establish the tunnel from the WAN, not OPT1/WAN2. The remote LAN should not be a factor until after the tunnel is established.
-
Yeah - but that doesn't help you to route packets over your IPSEC tunnel via the WAN2 interface from LAN. That is what this static route is for.
– Phob
-
Don't use gateways for IPSEC-Traffic. This will redirect the traffic directly to the upstream gateway and won't send it into the tunnel. Use gateway default for these rules.
-
This was the only way I could get anything to work over my IPSEC tunnel on WAN2 - is there another way?
-
… or is the route needed for WAN2 and not LAN? I'm not at the location with this setup right now - I will be later tonight and I'll take a look.
-- Phob
-
Sorry, but that doesn't make any sense. That definitely won't work this way. It's simply wrong.
You need the static route at the WAN2 interface for the remote endpoint/32 through the WAN2 gateway. Besides that, all firewall rules have to use the default gateway so traffic can make it into the tunnel.
-
@hoba: Something that always confused me a bit about the static routes:
Is the "Interface" (first thingy in the static route)
the interface on which traffic goes out,
or the interface to which the route applies on incoming traffic?
-
it's the interface that the gateway for the remote subnet is located behind.
-
Right - OK. So the static route is :
WAN2 (Remote IPSEC Gateway/Public IP) WAN2 GW
Correct?
I was just confused as I'm working in a different location without this setup right now and I got turned around in my brain. :)
– Phob
-
Correct, besides that it is: WAN2, <remote ipsec endpoint ip>/32, <wan2-gateway-ip>
-
LOL - OK, total brainfart as that is how it is set up at my other location. Oops … like I said at the beginning, mesa confused! :)
Thanks as usual guys.
-- Phob
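As an added example (not from this thread or from pfSense), a POSIX shell check for the end state the thread arrives at: the remote IPsec endpoint must resolve to the OPT1/WAN2 gateway in the routing table, and setkey must show SAs, not just the SPD. All addresses and the netstat/setkey output below are constructed placeholders.

```shell
# Added example, not from the thread: checks the two facts the thread settles on,
# (1) the remote IPsec endpoint must leave via the OPT1/WAN2 gateway (host route),
# (2) the tunnel is only "up" once setkey shows SAs, not just SPD entries.
# All addresses and command output below are constructed placeholders.
REMOTE_EP="203.0.113.10"   # remote IPsec endpoint (constructed)
WAN2_GW="198.51.100.1"     # OPT1/WAN2 gateway (constructed)

# Constructed "netstat -rn" excerpt after the WAN2 static route was added.
ROUTES_OK='Destination        Gateway            Flags    Refs  Use  Netif
default            192.0.2.1          UGS         0  1234    vr0
203.0.113.10       198.51.100.1       UGHS        0    56    vr2
192.168.1.0/24     link#1             UC          0     0    vr1'

# Same table without the route: the endpoint falls back to default via WAN.
ROUTES_MISSING='Destination        Gateway            Flags    Refs  Use  Netif
default            192.0.2.1          UGS         0  1234    vr0
192.168.1.0/24     link#1             UC          0     0    vr1'

# route_gateway TABLE HOST: next hop the kernel would pick for HOST
route_gateway() {
    printf '%s\n' "$1" | awk -v host="$2" '
        $1 == host || $1 == (host "/32") { hit = $2 }
        $1 == "default"                  { def = $2 }
        END { print (hit != "" ? hit : def) }'
}

# Constructed "setkey -D" excerpt with one ESP SA per direction (tunnel up).
SAD_UP='198.51.100.5 203.0.113.10
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=16385(0x00004001)
203.0.113.10 198.51.100.5
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=16385(0x00004001)'
SAD_EMPTY='No SAD entries.'   # what setkey -D prints in the "SPD but no SAD" state

# sad_count DUMP HOST: number of SAs whose src or dst is HOST
sad_count() {
    printf '%s\n' "$1" | awk -v host="$2" '$1 == host || $2 == host { n++ } END { print n + 0 }'
}

# check_tunnel_path TABLE DUMP: prints OK / NO_WAN2_ROUTE / NO_SA, exit code to match
check_tunnel_path() {
    gw=$(route_gateway "$1" "$REMOTE_EP")
    if [ "$gw" != "$WAN2_GW" ]; then echo "NO_WAN2_ROUTE (via $gw)"; return 1; fi
    n=$(sad_count "$2" "$REMOTE_EP")
    if [ "$n" -lt 2 ]; then echo "NO_SA ($n found)"; return 2; fi
    echo "OK ($n SAs, next hop $gw)"
}
check_tunnel_path "$ROUTES_MISSING" "$SAD_EMPTY" || :   # the first post's situation
check_tunnel_path "$ROUTES_OK" "$SAD_UP"                # after adding the /32 route via WAN2
```

On a live pfSense 1.2 box the two inputs would come from `netstat -rn` and `setkey -D`; the awk parsing above only relies on the first two columns of each.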