Forward IPSec to another firewall
-
Hi,
I try to forward IPsec traffic over my pfSense, which is connected to WAN, to a WatchGuard firewall. I want to connect from outside with IPsec clients to the WatchGuard device over the pfSense. I use the latest build of v2.
When using the WatchGuard device directly on WAN (PPPoE) everything works fine.
I made forwards for TCP 4500, UDP 500 and ESP to the VPN firewall, but it doesn't connect.
Does anyone have an idea?
Regards, Mario
-
Hello again,
I also asked WatchGuard and they told me:
"You will need to allow udp 4500, udp 500, ah, and esp. If things are not being forwarded properly, then you might want to look at the upstream firewall to verify that things are being forwarded properly."
But how do I forward AH (authentication header)? Is it necessary, or does it happen automatically?
Mario
-
Hi,
Is your WatchGuard part of the LAN or separated in a DMZ? How many interfaces are used on the WatchGuard? Is something behind the WatchGuard firewall?
Does your setup look like this?

    Internet ---- (WAN) pfSense (LAN) ------- WatchGuard
                                        |
                                        --- Clients

The normal way is to use a second public IP on the pfSense WAN side (Virtual IP) to forward traffic to the WatchGuard firewall; I use it that way.
Because of PPPoE you are limited... and you can't use IPsec on pfSense itself!
Try this:
1. You need to disable all IPsec services on pfSense.
2. Go to Firewall -> NAT -> Port Forward -> Create Rules

First:
Protocol: UDP
Interface: WAN
Destination: WAN_Address
Destination Port Range: 500 (isakmp)
Redirect Target IP: <watchguard>

Second:
Protocol: UDP
Interface: WAN
Destination: WAN_Address
Destination Port Range: 4500 (NAT-T)
Redirect Target IP: <watchguard>

3. Make sure the WatchGuard default route is set to pfSense.
4. Make sure the WatchGuard IPsec service listens on the interface which is connected to the pfSense network (LAN).
5. Check the pfSense firewall log for blocking events on the LAN side.
cya
-
Hi spiritbreaker,
thanks for your answer. Yes the WG is behind the pfsense on LAN-Side.
I used the following rules and it worked:
WAN UDP * * WAN address 4500 (IPsec NAT-T) 192.168.200.10 *
WAN UDP * * WAN address 500 (ISAKMP) 192.168.200.10 *
WAN ESP * * WAN address * 192.168.200.10 *
-
Hi,
ESP traffic is encapsulated in UDP port 4500 (NAT-T), so your third rule should be unnecessary.
You can check it by activating logging on the third rule. Then you can check the firewall log to determine if it's really used.
cya
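Added example, not from the thread or from pfSense itself: a small Python script that does the check spiritbreaker describes (turn on logging for a rule, then see which IPsec protocols actually reach the internal gateway). It assumes the pfSense filterlog CSV layout of pfSense 2.2 and later, that pf applies the port forward before filtering (so the logged destination is the redirect target), and uses constructed log lines with the gateway address 192.168.200.10 from Mario's rules.

```python
"""Tally IPsec-related entries from pfSense filterlog lines (constructed sample)."""
from collections import Counter

# Assumed pfSense 2.2+ filterlog CSV columns (IPv4):
# rulenr,subrulenr,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,protoid,proto,len,src,dst[,srcport,dstport,datalen,...]
ACTION, IPVER, PROTOID, DST, DSTPORT = 6, 8, 15, 19, 21


def classify(fields):
    """Map one split filterlog line to an IPsec flow class, or None if unrelated."""
    if len(fields) < 20 or fields[IPVER] != "4":
        return None
    proto = int(fields[PROTOID])
    if proto == 17 and len(fields) > DSTPORT:  # UDP: look at the destination port
        return {"500": "isakmp", "4500": "nat-t"}.get(fields[DSTPORT])
    if proto == 50:  # native ESP, only seen when the client is not behind NAT
        return "esp"
    if proto == 51:  # AH, which the port forwards in the thread never cover
        return "ah"
    return None


def tally(lines, gateway, action="pass"):
    """Count IPsec flows with the given action whose (translated) destination is the gateway."""
    counts = Counter()
    for line in lines:
        fields = line.strip().split(",")
        if len(fields) < 20 or fields[ACTION] != action or fields[DST] != gateway:
            continue
        cls = classify(fields)
        if cls:
            counts[cls] += 1
    return dict(counts)


# Constructed sample log: one ISAKMP, two NAT-T, one native ESP pass; one AH block.
SAMPLE_LOG = """\
5,,,1000000101,em0,match,pass,in,4,0x0,,55,0,0,DF,17,udp,1408,198.51.100.7,192.168.200.10,500,500,1388
5,,,1000000102,em0,match,pass,in,4,0x0,,55,0,0,DF,17,udp,148,198.51.100.7,192.168.200.10,4500,4500,128
5,,,1000000102,em0,match,pass,in,4,0x0,,55,0,0,DF,17,udp,148,198.51.100.7,192.168.200.10,4500,4500,128
5,,,1000000103,em0,match,pass,in,4,0x0,,55,0,0,DF,50,esp,152,198.51.100.9,192.168.200.10
7,,,1000000104,em0,match,block,in,4,0x0,,55,0,0,DF,51,ah,120,198.51.100.9,192.168.200.10
""".splitlines()

if __name__ == "__main__":
    print("passed:", tally(SAMPLE_LOG, "192.168.200.10"))
    print("blocked:", tally(SAMPLE_LOG, "192.168.200.10", action="block"))
```

A non-zero "esp" count means the third rule is in use by clients that are not behind NAT; a blocked "ah" count shows the AH traffic WatchGuard mentioned is not being forwarded.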