Pfsense multiwan and ipsec tunnels
-
Hi forum
I have a problem with pfsense version 1.2 on a PCengines ALIX-Board.
I d'like to replace a m0n0wall based firewall with a pfsense powered one because of the multiwan support.Now I've set up 3 IPSec-Tunnels over the WAN interface and another 3 over the second WAN interface (opt1).
WAN: PPPoE, xDSL, public fix IP, 3 IPSec Tunnels
WAN2: Cable DSL, public fix IP, 3 IPSec Tunnels
LAN: 172.16.0.1/24The problem is, that the 3 tunnels over the wan port work perfectly and the other 3 on the wan2 port don't.
At all other tunnels end are m0n0wall based firewalls.
It seems that the first phase (SAD) is coming up, but I can't access the other side of the tunnel.
The tunnels seted up on the first wan interface work without any problems.Isn't it possible to run IPSec-Tunnels on a second WAN port?
Thanks for any help
Psunix
-
Did you create a static route for your IPSEC tunnel?
@http://forum.pfsense.org/index.php/topic:General Stuff:
If you want to make use of WANx for a service on pfSense:
@Hoba:You need a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>. All services running at the pfSense directly (like ipsec, a proxy, dnsforwarder,…) only follow the routingtable definitions.</gateway-of-wan2></remote-tunnel-endpoint-ip>
-
Wow, thanks for your fast answer.
No, I didn't setup a static route.
I test this an I will report back here. -
Hi
It worked.
Thank you very much for your help.
psunix
-
Hi,
I've got the same problem with 1 IPSec on WAN and 1 IPSec on WAN2. The first work perfectly but the second don't. I use PfSense 1.2-release.
Did you put any specific firewall rules (on LAN or WAN2) for do this ?
I put a static route : <wan2>- <remote 32="" gateway="">via <the gateway="" of="" my="" wan2="">but it doesn't work… :-[
I can't see anything in the IPSec log for the second tunnel on WAN2...Thanks
Simon</the></remote></wan2> -
I set the route up like this:
IF=LAN, Network=remoteIPsecEndpoint/32, gateway=GatewayofWAN2 -
Yes i did that, but it's still doesn't work…
I can't see anything of my IPSecOnWan2 on the IPSec logs...
Do you think the problem is in the firewall rules ?Thank you for your response. :)
Simon
There is my conf :
IPSec Tunnel
Interface : OPT1
Remote GW : 80.x.x.xFirewall rules on LAN
Lan net -> default GWStatic routes
OPT1 - 80.x.x.x/32 - OPT1 GW -
Try using LAN as the interface for the static route.
-
Try using LAN as the interface for the static route.
i did. still doesn't work… :(
There is my racoon.conf file :
$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";path certificate "/var/etc";
There shouldn't have something here?
-
That's the entire file??
The lines themselves look fine, but you should have the tunnel config following that.
Something like:
remote 1.2.3.4 {
exchange_mode aggressive;
my_identifier address "5.6.7.8";peers_identifier address 1.2.3.4;
etc, etc…. -
That's the entire file??
The lines themselves look fine, but you should have the tunnel config following that.
Something like:
remote 1.2.3.4 {
exchange_mode aggressive;
my_identifier address "5.6.7.8";peers_identifier address 1.2.3.4;
etc, etc….Yes that's the entire file…
i don't know why but if i choose the WAN interface for a tunnel, then i've got a correct racoon.conf file (with "remote 1.2.3.4 {" things) and my tunnels work fine.
If i choose the OPT interface for my tunnel, nothing change in the racoon.conf file... i just can see the remote address ("1.2.3.4") in the psk.txt file...Is there a log file that i could check ?
Thanks for help :)
-
I'm out of ideas at this point. Why don't you post the <ipsec>section of your config?</ipsec>
-
I'm out of ideas at this point. Why don't you post the <ipsec>section of your config?</ipsec>
Because i have lot of IPSec config, i'm sure about this part and i checked it 100 times…
I'm trying to know why the conf file doesn't update.