Netgate Discussion Forum

    IPSec VPN to CISCO

    11 Posts 6 Posters 6.4k Views
Genmaken

      Hi,

I'm having trouble establishing a VPN connection to a customer. My network layout is as follows:

      CAT5e Cable from ISP router -> HP Switch

      On this switch we have the proxy (smoothwall, soon to be pfsense) + draytek (customer vpn) + DMZ machine + pfsense.
      Each of these uses a public address from our pool.

      The pfsense machine's only purpose is for VPN, and it already has an IPSec VPN to our remote office (192.168.10.0/24). The reason I'm not using the Draytek for this is that we already have a VPN there that connects to the 10.0.0.0/8 network.

      Anyway, the customer is using Cisco and I'm using pfSense 2.0.1.

      The customer requires that all traffic from our network originates from the IP address 172.18.0.85.
      Traffic from their network will use 10.128.1.86.

      IPSec Settings:

      My network: 192.168.0.0/23
      Destination: 10.0.0.0/8

      Phase 1: IKE + AES-256 + SHA1 + DH group 2
      Phase 2: ESP + AES-256 + DH group 2

      Then I've configured manual outbound NAT rules so that traffic in the IPSec interface that has 10.0.0.0/8 as destination gets a NAT address of 172.18.0.85.

      After saving the settings nothing happened and there was nothing in the logs. If I try to ping an address in the destination network (10.0.0.0/8) then there's activity in the logs:

      
      racoon: [VPN NAME]: INFO: initiate new phase 1 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
      racoon: [VPN NAME]: INFO: IPsec-SA request for DEST_PUBLIC_IP queued due to no phase1 found.
      racoon: INFO: begin Identity Protection mode.
      INFO: received broken Microsoft ID: FRAGMENTATION
      racoon: INFO: received Vendor ID: CISCO-UNITY
      (...)
      racoon: [VPN NAME]: INFO: ISAKMP-SA established MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500] spi:55560e165ede1ebc:6bffad1deb758561
      racoon: [VPN NAME]: INFO: initiate new phase 2 negotiation: MY_PUBLIC_IP[500]<=>DEST_PUBLIC_IP[500]
      racoon: INFO: purging ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
      racoon: INFO: purged IPsec-SA spi=120539367.
      racoon: INFO: purged ISAKMP-SA spi=55560e165ede1ebc:6bffad1deb758561.
      racoon: [VPN MCH Sonae]: INFO: ISAKMP-SA deleted MY_PUBLIC_IP[500]-DEST_PUBLIC_IP[500]  spi:55560e165ede1ebc:6bffad1deb758561
      
      

I'm not familiar with outbound NAT rules, and the VPNs I've worked with are simple LAN-to-LAN affairs.
      Can anyone help? Can I even do this in the same machine, or do I need another pfsense just for the outbound NAT?

      Thanks!

dotdash

Sounds like you are trying to do what Cisco would call IPsec with policy NAT. AFAIK, you still cannot do this on pfSense. One question: why are you using 10.0.0.0/8? If the subnets are not the same (10.128.1.x and 10.x.y.z), then why not use a /24+ subnet mask on the tunnels? Then you could terminate them both on the Draytek (don't know if that can NAT IPsec).

Genmaken

          Hi,

          The draytek is old and won't do that. Also, the customer on the draytek is using the whole class 8 10.0.0.0/8.

          If pfsense doesn't support this configuration then I'm in trouble…

          What if I create a subnet 172.18.0.x and install a 2nd NIC on pfsense with the 172.18.0.85 IP and then make a regular IPsec tunnel?
          I could then just route traffic from my network (192.168.0.0/23) to this new subnet.

          Would this work? Am I making any sense?

cmb

You have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.

Genmaken

              @cmb:

You have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.

              Hi,

              Could you give me more detail on how to do this? Do I need two pfSense boxes for this?
              Could this configuration coexist with the VPN I have for our remote office?

              Could I use a Windows Server 2003 to do the NAT?

              Thanks

Genmaken

Can anyone provide a quick description? Can I add an OPT interface to pfSense, or do I need two machines?
In a two-machine scenario, is this the right configuration?

                Pfsense I
                WAN interface with public IP
                LAN interface with 172.18.0.85

                IPsec tunnel to the customer network (10.0.0.0/8).

                Pfsense II
                WAN interface 172.18.0.x
                LAN interface 192.168.0.x (my local network)

                Clients in my network will have a route that states that for destination 10.0.0.0/8 the gateway is 192.168.0.x.

                How do I configure NAT on Pfsense II?

                Thanks

Genmaken
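As an added illustration (not pfSense or racoon code, and not written by anyone in this thread) of why phase 2 collapses in the single-box setup and how the two-box layout above fixes it, here is a small Python model of IKEv1 quick-mode selector matching with a NAT hop in front of the IPsec endpoint. The customer's own phase 2 policy (their 10.0.0.0/8 talking only to 172.18.0.85/32) is an assumption; the other addresses are the ones quoted in the thread.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Selector = Tuple[IPv4Network, IPv4Network]   # (local, remote) from that peer's view

# Addresses quoted in the thread.
OUR_LAN = ip_network("192.168.0.0/23")
CUSTOMER_NET = ip_network("10.0.0.0/8")
NAT_IP = ip_address("172.18.0.85")
# Assumed customer-side (Cisco) phase 2 policy: their 10/8 talks only to 172.18.0.85.
CUSTOMER_POLICY: Selector = (CUSTOMER_NET, ip_network("172.18.0.85/32"))

def responder_accepts(proposal: Selector, policy: Selector) -> bool:
    """IKEv1 quick mode: the responder accepts only if the initiator's
    (local, remote) mirrors its own (remote, local); there is no narrowing."""
    return proposal[0] == policy[1] and proposal[1] == policy[0]

def outbound_nat(src: IPv4Address, dst: IPv4Address) -> IPv4Address:
    """Manual outbound NAT on the box in front of the IPsec endpoint
    (Pfsense II): LAN -> customer traffic leaves with source NAT_IP."""
    return NAT_IP if src in OUR_LAN and dst in CUSTOMER_NET else src

def match_spd(src: IPv4Address, dst: IPv4Address,
              spd: List[Selector]) -> Optional[Selector]:
    """Phase 2 selector the packet falls into on the IPsec box, if any."""
    return next(((loc, rem) for loc, rem in spd if src in loc and dst in rem), None)

def single_box_attempt(src: str, dst: str) -> bool:
    """Original setup, IPsec and NAT on one box: the SPD is keyed on the real
    LAN, so the proposal carries 192.168.0.0/23 and the customer rejects it."""
    spd = [(OUR_LAN, CUSTOMER_NET)]
    sel = match_spd(ip_address(src), ip_address(dst), spd)
    return sel is not None and responder_accepts(sel, CUSTOMER_POLICY)

def two_box_design(src: str, dst: str) -> bool:
    """cmb's advice: NAT on a separate box first, so the IPsec box (Pfsense I)
    only sees 172.18.0.85 and proposes exactly what the customer configured."""
    natted_src = outbound_nat(ip_address(src), ip_address(dst))
    spd = [(ip_network("172.18.0.85/32"), CUSTOMER_NET)]
    sel = match_spd(natted_src, ip_address(dst), spd)
    return sel is not None and responder_accepts(sel, CUSTOMER_POLICY)

if __name__ == "__main__":
    print("single box:", single_box_attempt("192.168.0.10", "10.128.1.86"))  # False
    print("two boxes :", two_box_design("192.168.0.10", "10.128.1.86"))     # True
```

The model also shows why a second tunnel to the same 10.0.0.0/8 on the same box would be ambiguous: two SPD entries with identical remote selectors cannot be told apart by destination alone, which is the point dotdash raises about narrower masks.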

                  @cmb:

You have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.

                  I have setup 2 pfsense boxes with the interfaces configured like in my previous post. Can you give me some guidance on how to set this up?

                  Thanks

Genmaken

                    Help? :(

azcire

                      I need help on this exact issue too. It seems like there are a ton of orphaned threads with similar questions. I'd even be willing to pay someone for help on this…

cburns

I'm very interested in this too.

kapara

This is the setup I have with a Cisco ASA:

Phase 1

PSK
Neg Mode: Main
My ID: My IP
Peer ID: Peer IP
Key: … etc.
Policy Gen: Default
Proposal: Obey
Enc: AES 128
Hash: SHA1
DH: 2
Lifetime: 28800
NAT-T: Disabled
DPD: Disabled

Phase 2:

ESP
Enc: AES 128
Hash: SHA1
PFS: 2
Lifetime: 3600

                          Tunnel has been up and solid!

Skype ID: Marinhd

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.