NAT at both ends?
-
The online wiki tutorial example shows dynamic IP for one side, using Mobile Client to fix the dynamic side.
Does that apply to both sides of an IPSec link?

Network 1 (at work)
Cable Modem with a few provider static IPs
Cable modem Physical IP 24.1.1.1
Static IPs - 24.1.1.2
- 24.1.1.3
- 24.1.1.4
These static IPs NAT to 1:1 internal IPs at my FW/Router
FW Router internal address is my GW, 10.1.1.1 / 24
24.1.1.2 <---> 10.1.1.2 GW 10.1.1.1
24.1.1.3 <---> 10.1.1.3 GW 10.1.1.1
24.1.1.4 <---> 10.1.1.4 GW 10.1.1.1
I have a PFSense system with WAN IP address of 10.1.1.4 and
LAN IP address of 192.168.0.1/24

Network 2 (at my home)
I have Cable Modem with cable Company DHCP (24.6.6.1)
LAN is defined as 192.168.1.x / 24
Using DYNDNS, I have DNS name MYHOME.ATHOME.ORG
Which resolves to my PFSense WAN IP of 24.6.6.1

What I'd like to do is create an IPSec tunnel between my 192.168.0.x network and the 192.168.1.x network.
My confusion is what addresses to place in the PF Sense IPSec configuration to establish the tunnel. I have NAT at both ends.
Is this even possible?
-
I believe this is exactly the situation this tutorial was made for. (Assuming I understood correctly)
http://www.pfsense.org/mirror.php?section=tutorials/mobile_ipsec/
Assuming 'at work' the ISP is forwarding ALL traffic, you should be fine.
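The topology in the question, worked through as an added example (not from the thread, not pfSense code): a small Python model that derives what each side would enter for its IPsec tunnel, applying the rule that IKE identifiers and the remote gateway must be what the peer actually sees (the 1:1 NAT public IP or the DynDNS name), never the NATed WAN address, and that flags the mistake of entering a private address as the peer gateway. The Site class, its field names and the problem messages are my own assumptions, not pfSense settings.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Site:
    name: str
    wan_addr: str                  # address set on the pfSense WAN interface
    public_addr: str               # address the Internet sees (1:1 NAT public IP or the cable modem's DHCP IP)
    lan_net: str                   # network behind this site's LAN
    dyn_dns: Optional[str] = None  # DynDNS name when public_addr changes (hypothetical field)


def behind_nat(site: Site) -> bool:
    """True when the WAN interface carries a different address than the Internet sees."""
    return site.wan_addr != site.public_addr


def ipsec_endpoint(local: Site, remote: Site) -> dict:
    """Derive the values one side should enter for its IPsec tunnel to the other.

    Identifiers must match what the *peer* sees (public address or DynDNS name),
    not the NATed WAN address; NAT traversal is needed if either end is behind NAT.
    """
    return {
        "remote_gateway": remote.dyn_dns or remote.public_addr,
        "my_identifier": local.dyn_dns or local.public_addr,
        "peer_identifier": remote.dyn_dns or remote.public_addr,
        "local_network": str(ipaddress.ip_network(local.lan_net)),
        "remote_network": str(ipaddress.ip_network(remote.lan_net)),
        "nat_traversal": behind_nat(local) or behind_nat(remote),
    }


def config_problems(local: Site, remote: Site) -> List[str]:
    """Checks for the mistakes that leave a tunnel looking 'up' but carrying no traffic."""
    problems = []
    gw = remote.dyn_dns or remote.public_addr
    if remote.dyn_dns is None and ipaddress.ip_address(gw).is_private:
        problems.append(f"{local.name}: remote gateway {gw} is a private (NATed) address, not the peer's public IP")
    a, b = ipaddress.ip_network(local.lan_net), ipaddress.ip_network(remote.lan_net)
    if a.overlaps(b):
        problems.append(f"phase 2 networks {a} and {b} overlap; traffic would never be routed into the tunnel")
    return problems


# Constructed from the topology in the question (sample values, not a real deployment).
WORK = Site("work", wan_addr="10.1.1.4", public_addr="24.1.1.4", lan_net="192.168.0.0/24")
HOME = Site("home", wan_addr="24.6.6.1", public_addr="24.6.6.1", lan_net="192.168.1.0/24", dyn_dns="MYHOME.ATHOME.ORG")

if __name__ == "__main__":
    for local, remote in ((WORK, HOME), (HOME, WORK)):
        print(local.name, ipsec_endpoint(local, remote), config_problems(local, remote))
```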
-
I followed the tutorial to a T - and could not get it to work.
Gave up on that one.

So I switched PFSense to my other ISP (non-NAT address) and tried to use mobile config at the "work" end.
Configured the tunnel end at my "home", and even though the tunnel would set up (at the home end), green icon and all,
I could not ping a known host at the work end. The work PFsense knew nothing about a tunnel in its IPSec monitor pages (SPD, etc.) when I came into work and looked at the status and logs.
Only when I reconfigured the "work end" to not use mobile, and entered in the IPSec parameters for the "home" end, did it begin to flow traffic.
(I'm using DynDNS)
EDIT - traffic only flows from work to home.
When I came home, even though the tunnel is still "up" I can't ping into work.
Very strange. There are posts about only 1-way ping here, I'll read those and look for a solution.
Also, OpenVPN won't ping either. It establishes the connection, I get pushed the IP from the pool, but I can't ping from home. It's like the other end doesn't exist.

My goal is to use PFsense as the IPSec gateway for remote users. This isn't a solution, but it's something.
I've created an OpenVPN client certificate etc. pasted in the work end, copied the files to a USB stick and will try that later from home.

EDIT2 - I did finally get OpenVPN client to work. Not sure exactly what I did but it's working now.
And - I did get a full tunnel between my home PFsense and work's PFsense.
Upgrading to the latest build (work had early October build, home is Alix Flash about mid Nov)
and deleting & recreating both ends helped.

My next question - is there a way to have OpenVPN configured as Name & Password (I see that Radius can be made to work in other posts here… ) that's OK, but creating and distributing the certificates is a PITA.
I'm trying to emulate Checkpoint's SecureRemote... I give the users software, a name & PW and it connects. Can OpenVPN be made to be "no certificates"? (Shrewsoft maybe?)