Netgate Discussion Forum

IPSec Road Warrior with NAT-T Question

FooFighter:

Thank you for the info.

I'm thinking of setting up a virtual network with two subnets via VMware to have easier access to both ends of the VPN so I can hopefully better debug my problems :)

Regards,

Foo

FooFighter:

Update:

Got this up and running with pfSense 1.2.3 RC2 - family/friends fully connected ;D
Main problem was my misunderstanding of the setting "Server Identifier: IP Address".
I had set my DynDNS domain name in pfSense, but the client settings were set to expect an IP address.

Finally the Shrew Soft trace utility (debug) pointed me in the right direction.

PFUser:

I am sorry for this question, but: ???
What data did you enter in the "Server Identifier: IP Address" field?
I have tried:

1. I have used the data under “Client Configuration” > “General Tab:” > “Host: <pfSense box WAN IP>”
   In my case it was 24.X.X.X

2. I have used the data under “Client Configuration” > “General Tab:” > “Address: (pick some other random range you are not using, like 192.168.111.xx)”
   In my case it was 172.21.30.253

3. I have used the data under “Client Configuration” > “Policy:” > “Address: (Network behind pfSense you want to access, e.g. 192.168.1.0)”
   In my case it was 172.21.30.0

4. The IP on the computer that I have the IPsec client software on.
   In my case it was 192.168.168.103

5. The public IP of the Linksys WRT54G that my computer with the IPsec client sits behind.
   In my case it was 68.X.X.X

But none of these seem to work.

jimp (Rebel Alliance Developer, Netgate):

@PFUser:

    I am sorry for this question, but: ???
    What data did you enter in the "Server Identifier: IP Address" field?

On the Shrew Soft client?

Remote Identity:
  Type: IP Address

Use Discovered remote host address

Or which setting on what software are you referring to, exactly?

Usually the server identifier is left blank on pfSense unless you know better.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

PFUser:

I am following this:
http://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

On the pfSense config side:

[snip]
Fill in the settings as follows:

Phase 1 Proposal (authentication):
Negotiation Mode      : Aggressive
Server Identifier     : IP Address
Encryption Algorithm  : 3DES
Hash Algorithm        : SHA1
DH Key Group          : 2
Lifetime              : 86400
Authentication Method : Pre-Shared Key
[snip]

jimp:

I believe that should really be set to "My IP Address" in the drop-down box.

I updated the howto.

PFUser:

Thank you for your response.

I have two other questions, but they depend on the answer to this one.
In this part of the tutorial,

Under “Client Configuration” > “General Tab:” > “Address: (pick some other random range you are not using, like 192.168.111.xx)”

1. Is the “range” that you are referring to an unused IP that is not being used on the LAN side of your pfSense firewall?
2. Or is it a new subnet that is not in the LAN subnet, like 10.10.10.2, if you have a setup like below?

Example:

192.168.1.1 LAN < pfSense > WAN 69.59.43.3

jimp:

It is a new subnet that does not exist on any other interface to which pfSense can directly connect.

PFUser:

Thank you once again.
And after rebooting my client PC, everything started to work.
The following is just for informational use only:

I made up a new IPsec VPN pool, IP subnet 10.10.10.0/24, that was not on any interface on my pfSense firewall.

In the tutorial under “Client Configuration” > “General Tab:” > “Address:” and “Netmask:”
I added this on my Shrew Soft client:
Address: 10.10.10.2
Netmask: 255.255.255.0

On the pfSense firewall I added a new rule:
Action: Pass
Interface: IPSEC
Protocol: Any
Source:
        Type: Network
        Address: 10.10.10.0/24
Destination: LAN subnet

Now I am able to see the whole network.
This is my first IPsec VPN. That is why I am being so detailed about everything.
Thanks for all your help.

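Two of the pitfalls in this thread (a mobile client pool that overlaps a subnet pfSense already has on an interface, and a Phase 1 identifier whose type does not match what the client expects, as with the DynDNS hostname versus "IP Address" mix-up above) can be caught before testing the tunnel. This is an added example, not code from the thread or from pfSense; the interface subnets, pool and hostname in it are constructed values.

```python
"""Sanity checks for a pfSense IPsec road-warrior (mobile client) setup.

Added example, not pfSense code.  It checks the two things this thread stumbled on:
  1. the client pool must not overlap any subnet on a directly connected interface;
  2. the Phase 1 identifier type (address vs. hostname) must match what the client
     is configured to expect, otherwise Phase 1 never completes.
All subnet and hostname values used below are constructed for illustration.
"""
import ipaddress


def pool_conflicts(pool: str, interface_subnets: dict) -> list:
    """Return the names of interfaces whose subnet overlaps the proposed client pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return sorted(
        name for name, subnet in interface_subnets.items()
        if pool_net.overlaps(ipaddress.ip_network(subnet, strict=False))
    )


def identifier_type(value: str) -> str:
    """Classify a Phase 1 identifier as 'address' (IPv4/IPv6 literal) or 'fqdn'."""
    try:
        ipaddress.ip_address(value)
        return "address"
    except ValueError:
        return "fqdn"


def check_mobile_setup(pool: str, interface_subnets: dict,
                       server_identifier: str, client_expects: str) -> list:
    """Collect human-readable findings; an empty list means both checks passed."""
    findings = []
    for name in pool_conflicts(pool, interface_subnets):
        findings.append(f"client pool {pool} overlaps {name} ({interface_subnets[name]})")
    actual = identifier_type(server_identifier)
    if actual != client_expects:
        findings.append(f"server identifier {server_identifier!r} has type {actual}, "
                        f"but the client is configured to expect type {client_expects}")
    return findings


if __name__ == "__main__":
    # Constructed LAN/WAN subnets and a DynDNS-style hostname, reproducing the
    # identifier mismatch from the thread with a pool that is otherwise fine.
    interfaces = {"LAN": "192.168.1.1/24", "WAN": "203.0.113.5/29"}
    for finding in check_mobile_setup("10.10.10.0/24", interfaces,
                                      "example.dyndns.org", "address"):
        print("WARNING:", finding)
```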
XZed:

Well, I arrived at this post after so much discussion, but if I understood correctly:

Since pfSense 1.2.3, it's (finally) possible to use IPsec VPN clients (Shrew-like) to connect to pfSense from anywhere (anywhere = any network with NAT... does it mean all ;D)?

A little feedback from experienced users:

Why do you prefer IPsec to OpenVPN for mobile clients? (Well, I don't want to open a debate ;D)

Sincerely,

jimp:

@XZed:

    Why do you prefer IPsec to OpenVPN for mobile clients? (Well, I don't want to open a debate ;D)

You may want to start a new thread for that question; it won't be seen by as many people when it is buried deep in a thread like this.

XZed:

@jimp:

    You may want to start a new thread for that question; it won't be seen by as many people when it is buried deep in a thread like this.

You're right ;D

Thanks for the advice ;)
