Looking for help on installation. Will make a guide afterwards.
-
I am looking for directions on the setup of this scenario. Once I get it all down I want to put together a guide to help everyone out. There are a lot of pieces out there for instructions but not one that covers a scenario in my opinion.
All network information represents examples and is not real. However, the network settings are intentionally this way so the installation is not as vanilla. Neither PFsense device is the gateway for the WAN network.
If you can let me know what I missed or did wrong then thank you in advance.
Here we go:
Main Site:
WAN Network: 172.32.128.232/29
WAN Gateway: 172.32.128.238
LAN Network: 192.168.1.0/24
LAN Gateway: 192.168.1.1
PFsense WAN address: 172.32.128.236
PFsense LAN address: 192.168.1.1
MainDC1 (AD/DNS) address: 192.168.1.11
Colo:
WAN Network: 100.192.224.240/28
WAN Gateway: 100.192.224.241
LAN Network: 192.168.2.0/24
LAN Gateway: 192.168.2.1
PFsense WAN address: 100.192.224.248
PFsense LAN address: 192.168.2.1
ColoDC1 (AD/DNS) address: 192.168.2.11
ColoDC2 (AD/DNS) address: 192.168.2.12
ColoSrv1 (IIS/File services) address: 192.168.2.21 Note: IIS is only for internal access
Requirement 1 - Need to establish an IPSEC tunnel from the remote site to the colo site
Requirement 2 - Need to make sure that resources (AD/File Server/IIS) in the colo are accessible from the main site and vice versa
Firewall rules - [need additional help here]
Main Site
IPSEC all open
WAN UDP 500 all open
WAN ESP all open
LAN (Lan Subnet > *) Open
Colo Site
IPSEC all open
WAN UDP 500 all open
WAN ESP all open
LAN (Lan Subnet > *) Open
Static Routes - [need help here]
Main Site Device
Colo Site Device
IPSEC Info
Main Site
Mode: Tunnel
Interface: WAN
Local subnet Type: LAN subnet
Remote subnet: 192.168.2.0/24
Remote gateway: 100.192.224.248
Description: To Colo
Phase 1 proposal (Authentication)
Negotiation mode: aggressive
My identifier: My IP address
Encryption algorithm: Blowfish
Hash algorithm:SHA1
DH key group: 2
Lifetime: 28800 seconds
Authentication method: Pre-shared key
Pre-Shared Key: examplekey
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: Blowfish, Rijndael (AES)
Hash algorithms: SHA1,MD5
PFS key group: 2
Lifetime seconds: 86400 seconds
Colo Site
Mode: Tunnel
Interface: WAN
Local subnet Type: LAN subnet
Remote subnet: 192.168.1.0/24
Remote gateway: 172.32.128.236
Description: To Main Site
Phase 1 proposal (Authentication)
Negotiation mode: aggressive
My identifier: My IP address
Encryption algorithm: Blowfish
Hash algorithm:SHA1
DH key group: 2
Lifetime: 28800 seconds
Authentication method: Pre-shared key
Pre-Shared Key: examplekey
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: Blowfish, Rijndael (AES)
Hash algorithms: SHA1,MD5
PFS key group: 2
Lifetime seconds: 86400 seconds
-
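As an added example that is not part of the thread or of pfSense, the script below encodes both endpoints exactly as posted and runs two checks a practitioner would want before touching the firewall: that the two sides actually pair up (each remote gateway is the other side's WAN address, each remote subnet is the other side's LAN, the LANs do not overlap, and the Phase 1/Phase 2 proposals share at least one algorithm and the same DH group), and that the proposals meet a policy this example assumes for a current deployment (main mode rather than aggressive mode with a pre-shared key, no Blowfish, no MD5 or SHA1, DH group 14 or higher). The WEAK_* sets and the HARDENED endpoint are this example's own assumptions, not settings from the post.

```python
"""Added example, not from the thread or from pfSense: consistency and policy
checks for the two site-to-site IPsec endpoints posted above. Endpoint values
are copied from the post; the weak-algorithm sets are this example's policy."""
import ipaddress

# Both endpoints as posted ("Rijndael (AES)" written as "AES").
MAIN = {
    "name": "Main Site", "wan_ip": "172.32.128.236", "lan": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24", "remote_gateway": "100.192.224.248",
    "p1": {"mode": "aggressive", "auth": "psk", "enc": ["Blowfish"],
           "hash": ["SHA1"], "dh": 2, "lifetime": 28800},
    "p2": {"proto": "ESP", "enc": ["Blowfish", "AES"], "hash": ["SHA1", "MD5"],
           "pfs": 2, "lifetime": 86400},
}
COLO = {
    "name": "Colo", "wan_ip": "100.192.224.248", "lan": "192.168.2.0/24",
    "remote_subnet": "192.168.1.0/24", "remote_gateway": "172.32.128.236",
    "p1": dict(MAIN["p1"]), "p2": dict(MAIN["p2"]),   # identical proposals, as posted
}

# Assumed policy (this example's own): not to be deployed on a new tunnel.
WEAK_ENC = {"Blowfish", "DES", "3DES", "CAST128"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH = {1, 2, 5}          # 768/1024/1536-bit MODP groups


def check_pairing(a, b):
    """Mismatches that would stop endpoint a from negotiating with endpoint b."""
    problems = []
    if a["remote_gateway"] != b["wan_ip"]:
        problems.append(f"{a['name']}: remote gateway {a['remote_gateway']} is not "
                        f"{b['name']}'s WAN address {b['wan_ip']}")
    remote = ipaddress.ip_network(a["remote_subnet"])
    lan = ipaddress.ip_network(b["lan"])
    if remote != lan:
        problems.append(f"{a['name']}: remote subnet {remote} is not {b['name']}'s LAN {lan}")
    if ipaddress.ip_network(a["lan"]).overlaps(remote):
        problems.append(f"{a['name']}: local LAN overlaps remote subnet {remote}")
    if a["p1"]["mode"] != b["p1"]["mode"]:
        problems.append("Phase 1 negotiation modes differ")
    # IKEv1 uses the first proposal both peers share; no overlap means no SA.
    for phase, group in (("p1", "dh"), ("p2", "pfs")):
        for alg in ("enc", "hash"):
            if not set(a[phase][alg]) & set(b[phase][alg]):
                problems.append(f"{phase}: no common {alg} algorithm")
        if a[phase][group] != b[phase][group]:
            problems.append(f"{phase}: {group} group differs")
    return problems


def check_policy(site):
    """Findings against the assumed policy for one endpoint's proposals."""
    findings = []
    p1, p2 = site["p1"], site["p2"]
    if p1["mode"] == "aggressive" and p1["auth"] == "psk":
        findings.append("aggressive mode with a PSK sends the identity unencrypted and "
                        "lets a passive observer guess the PSK offline; use main mode")
    for label, prop in (("Phase 1", p1), ("Phase 2", p2)):
        findings += [f"{label}: weak cipher {c}" for c in prop["enc"] if c in WEAK_ENC]
        findings += [f"{label}: weak hash {h}" for h in prop["hash"] if h in WEAK_HASH]
    if p1["dh"] in WEAK_DH:
        findings.append(f"Phase 1: DH group {p1['dh']} is too small; use 14 or higher")
    if p2["pfs"] in WEAK_DH:
        findings.append(f"Phase 2: PFS group {p2['pfs']} is too small; use 14 or higher")
    return findings


# The same Main Site endpoint with proposals that pass the assumed policy.
HARDENED = dict(MAIN,
    p1={"mode": "main", "auth": "psk", "enc": ["AES"], "hash": ["SHA256"],
        "dh": 14, "lifetime": 28800},
    p2={"proto": "ESP", "enc": ["AES"], "hash": ["SHA256"], "pfs": 14, "lifetime": 3600})

if __name__ == "__main__":
    for site in (MAIN, COLO):
        for f in check_policy(site):
            print(f"{site['name']}: {f}")
    print("pairing:", check_pairing(MAIN, COLO) + check_pairing(COLO, MAIN) or "ok")
```

The checks return lists, so an empty list is a pass. Note that hardening only one endpoint makes the pairing check fail, which is the point: both pfSense boxes must be changed together or Phase 1 will never complete.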
So did this guide here not help?
http://doc.pfsense.org/index.php/VPN_Capability_IPsec -
Not really. It only helps to a point. It is generalized.
This is a scenario here which is much more useful.
-
Well all of the IPSec setups I have done, Req. 2 worked by default, though I had the auto config of VPN rules option enabled.
What do the logs say? Under Status>System Logs>IPSec VPN
-
I am not there yet. I need help on the static routes for this scenario first.
But so far the Colo device says:
Nov 21 03:56:22 racoon: [Self]: INFO: [device WAN address][500] used as isakmp port (fd=15)
Nov 21 03:56:22 racoon: [Self]: INFO: [device LAN address][500] used as isakmp port (fd=14)
Nov 21 03:56:22 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.5.1 (not sure where this is coming from)[500] used as isakmp port (fd=12)
Nov 21 03:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
And here are the Main Site logs:
Nov 20 08:49:14 racoon: [Self]: INFO: [device WAN address][500] used as isakmp port (fd=15)
Nov 20 08:49:14 racoon: [Self]: INFO: [device LAN address][500] used as isakmp port (fd=14)
Nov 20 08:49:14 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Nov 20 08:49:14 racoon: INFO: unsupported PF_KEY message REGISTER
-
Why do you want static routes? Just cause? It should route automatically via IP address (unless you access them via DNS), otherwise you go to System>Static Routes.
For the entry it would be the device's DNS name and the IP of the device.
-
Even when the PFsense devices are not the default gateway? It was my understanding that there had to be static routes in place when they are not.
-
Yes that is true.
You add it under System>Static Routes
-
What would those entries be in this scenario?
-
So at each location its:
1: WAN->Router(this is the WAN Network)->pfSenseWAN->pfSenseLAN
You need to add a static route at the main router that points the network at the main site for the colo to the pfSense box.
COLO
Destination Network:192.168.1.0 /24
Gateway: 172.32.128.236
Main Site
Destination Network: 192.168.2.0 /24
Gateway: 100.192.224.248
-
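As an added example that is not part of the thread, the script below takes the scenario's addresses and derives the static routes each site's WAN gateway router needs when pfSense is not that router: the remote LAN is pointed at the local pfSense WAN address, which then matches the packet to the IPsec policy. It also checks the one thing that silently breaks such a route, a next hop that is not on a subnet the router is directly attached to (a next hop on the other site's WAN subnet is rejected). These routes matter for anything that reaches the remote LAN through the WAN router; hosts whose default gateway is the pfSense LAN address, as in the scenario, already send remote-LAN traffic to pfSense. The Route class and the site dictionary are this example's own.

```python
"""Added example, not from the thread: derive the static routes each site's WAN
gateway router needs when pfSense is not the default gateway, and check that
every route's next hop is on that router's directly connected subnet.
Addresses are the scenario's; the data layout is this example's own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str   # destination network, e.g. "192.168.2.0/24"
    via: str    # next-hop address the router must be able to reach directly


# The two sites: each WAN gateway router's own interface address (in CIDR so
# the connected subnet is known), the pfSense WAN address on that subnet, and
# the LAN that pfSense fronts.
SITES = {
    "Main": {"router_if": "172.32.128.238/29", "pfsense_wan": "172.32.128.236",
             "lan": "192.168.1.0/24"},
    "Colo": {"router_if": "100.192.224.241/28", "pfsense_wan": "100.192.224.248",
             "lan": "192.168.2.0/24"},
}


def routes_for_gateway_router(site, remote_sites):
    """A site's WAN router forwards every remote LAN to its own local pfSense
    WAN address; pfSense then matches the packet to the IPsec policy."""
    return [Route(r["lan"], site["pfsense_wan"]) for r in remote_sites]


def next_hop_on_link(router_if, route):
    """True if the route's next hop sits on the router's connected subnet."""
    connected = ipaddress.ip_interface(router_if).network
    return ipaddress.ip_address(route.via) in connected


def unreachable_routes(router_if, routes):
    """Routes the router would accept but could never forward to."""
    return [r for r in routes if not next_hop_on_link(router_if, r)]


def scenario_routes():
    """Static routes for each site's WAN gateway router in the posted scenario."""
    out = {}
    for name, site in SITES.items():
        remote = [s for n, s in SITES.items() if n != name]
        out[name] = routes_for_gateway_router(site, remote)
    return out


if __name__ == "__main__":
    for name, routes in scenario_routes().items():
        bad = unreachable_routes(SITES[name]["router_if"], routes)
        for r in routes:
            status = "next hop not on link" if r in bad else "ok"
            print(f"{name} WAN gateway router: {r.dest} via {r.via} ({status})")
```

With more than two sites the same function gives each WAN router one route per remote LAN, all via its own local pfSense WAN address; the pfSense boxes themselves need no static route for the remote LANs because the IPsec policy handles that traffic.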
This is covered in more depth in the book
-
Still nothing.
I added the rules on the WAN interface and I still see no activity.
-
This is done on the device that is the default gateway, not pfSense.
If you made the change at this device then see what the IPSec logs say
-
Still no dice. Are these devices flaky when they are running virtually?
-
There are quite a few people running pfSense in a VM (I don't).
I would suggest doing a traceroute and looking at the logs on all systems (default gateway, pfSense), as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.