Netgate Discussion Forum
    IPSEC VPN between Juniper and PFsense

    5 Posts 2 Posters 10.6k Views
alam3:

      Hello:
I have established an IPsec VPN tunnel between my pfSense and a third party's Juniper device. I have followed the steps outlined in the pfSense book and reviewed the steps outlined in the http://doc.pfsense.org/index.php/VPN_Capability_IPsec walkthrough.
The tunnel is up; however, no traffic can pass. I have set up an IPsec firewall rule which allows all traffic from the third party's site.
The one deviation from the book/walkthrough is that the third party requires the Local Host on my side be set to my WAN public IP address, and they do not support the use of internal IP addresses for remote subnets on their side.

      I was hoping someone could shed some insight into what the problem might be.

      Thank you.

cmb:

You can't use the public IPs on your side because IPsec applies before NAT; in that case it'll only match the policy for traffic initiated by the firewall itself. The usual workaround there, though not ideal, is to do NAT on one system and do the IPsec on another.

alam3:

@CMB Thank you for replying. When you say do IPsec on one system and NAT on another, do you mean a pfSense system?

cmb:

Yes.

alam3:

@CMB OK. I have created a new pfSense device strictly for VPN. I recreated the IPsec config and pointed the local subnet to my external IP address. I have created only one rule in Rules > IPsec (see below). Is this what you were thinking?

Proto   Source   Port   Destination    Port   Gateway
TCP     *        *      192.168.1.11   *      *

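The packet path cmb describes, and the two-box layout alam3 set up in response, as an added Python model (example code written for this page, not from the original thread or from pfSense): the phase 2 policy lookup runs before outbound NAT, so a LAN-sourced packet never matches a policy whose local selector is the WAN address, while a packet the firewall itself originates does; putting NAT on a separate box in front of a dedicated IPsec box presents the already-translated source to the policy. The addresses are constructed from the RFC 5737 documentation ranges (203.0.113.10 as the WAN IP, 198.51.100.0/24 as the far side's subnet, 192.168.1.0/24 as the LAN); the thread gives none except the LAN host 192.168.1.11.

```python
"""Model of the outbound packet path on pfSense as described in the thread:
the IPsec policy (SPD) lookup happens before outbound NAT, so a LAN host's
private source address never matches a phase 2 whose local side is the
WAN public IP. All addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Phase2Policy:
    """Traffic selectors of one IPsec phase 2 (SPD) entry."""
    local: IPNet
    remote: IPNet


@dataclass(frozen=True)
class OutboundNat:
    """Source NAT: sources inside `inside` are rewritten to `translate_to`."""
    inside: IPNet
    translate_to: str


def spd_lookup(policy: Phase2Policy, pkt: Packet) -> bool:
    """True if the packet's (src, dst) pair falls inside the policy selectors."""
    return (ipaddress.ip_address(pkt.src) in policy.local
            and ipaddress.ip_address(pkt.dst) in policy.remote)


def apply_nat(nat: OutboundNat, pkt: Packet) -> Packet:
    """Rewrite the source address if the NAT rule covers it."""
    if ipaddress.ip_address(pkt.src) in nat.inside:
        return replace(pkt, src=nat.translate_to)
    return pkt


def single_box(pkt: Packet, policy: Phase2Policy, nat: OutboundNat) -> str:
    """One pfSense doing both roles: the SPD is consulted first, NAT second."""
    if spd_lookup(policy, pkt):
        return "ipsec"
    # Not selected for the tunnel. Outbound NAT then applies on the way out
    # via the normal routing table, so the packet leaves in the clear.
    apply_nat(nat, pkt)
    return "clear"


def two_box(pkt: Packet, policy: Phase2Policy, nat: OutboundNat) -> str:
    """cmb's workaround: a NAT box in front of a dedicated IPsec box.
    The IPsec box only ever sees the translated source address."""
    translated = apply_nat(nat, pkt)
    return "ipsec" if spd_lookup(policy, translated) else "clear"


# Constructed values (RFC 5737 ranges); the thread gives no real ones.
WAN_IP = "203.0.113.10"
LAN = IPNet("192.168.1.0/24")
REMOTE = IPNet("198.51.100.0/24")

# The third party insists the local side of the phase 2 is the WAN /32.
POLICY = Phase2Policy(local=IPNet(f"{WAN_IP}/32"), remote=REMOTE)
NAT = OutboundNat(inside=LAN, translate_to=WAN_IP)

LAN_HOST_PKT = Packet(src="192.168.1.11", dst="198.51.100.5")   # LAN host
FIREWALL_PKT = Packet(src=WAN_IP, dst="198.51.100.5")          # firewall itself
OFF_POLICY_PKT = Packet(src="192.168.1.11", dst="192.0.2.7")    # not the remote net


def demo() -> dict:
    """Outcomes for the cases the thread discusses."""
    return {
        "single_box_lan_host": single_box(LAN_HOST_PKT, POLICY, NAT),
        "single_box_firewall": single_box(FIREWALL_PKT, POLICY, NAT),
        "two_box_lan_host": two_box(LAN_HOST_PKT, POLICY, NAT),
        "two_box_off_policy": two_box(OFF_POLICY_PKT, POLICY, NAT),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} -> {outcome}")
```

Two practical notes on the design alam3 posted. The rule in the table above permits only TCP to 192.168.1.11, so a ping from the far side would be blocked by that rule on its own, independent of the policy problem; test with TCP or add an ICMP rule first. And the thread predates a later pfSense feature: releases from 2.1 onward have a NAT/BINAT translation setting on the phase 2 entry that performs this kind of translation before the policy lookup on a single box, which removes the need for the second system in that version.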
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.