IPSEC routing issue and "connect vpn" button missing
-
Hello!
I'm trying to set up ipsec between two pfsense boxes.
Software is 2.0.1-RELEASE (i386) from Mon Dec 12 17:53:52 EST 2011. I've set up a testing environment on ESXi.
LAN1 192.168.7.x --- 192.168.7.254 pfs box 1 192.168.251.20 --- 192.168.251.21 pfs box 2 10.0.0.1 --- 10.x.x.x LAN2
Basically it's working, but I have two issues.
- The tunnel only comes up if I don't set a default gateway on the WAN interfaces.
In the "Definitive Guide to the pfSense Open-Source Firewall"
chapter 13.4.4 pfSense-initiated Traffic and IPsec
it is described that you need to set a static routing entry for
the remote network to automatically get the tunnel up.
The static routes: Edit route webinterface does not allow me to
enter a route as described. The gateway field is not editable. I can only
select a gateway I've created on the Gateways tab. But on the gateway
tab I cannot create a gateway that is on the LAN and has a remote IP address.
How do I create a routing entry for the remote LAN?
Do I need this on pfSense 2.0.1?
- I have found a video on YouTube showing the setup of IPsec
with version 2.0-RELEASE (i386) built on Tue Sep 13 17:00:00 EDT 2011
http://www.youtube.com/watch?v=aSXBOA7X1fY
at the time 10:42 the "Status: IPsec" page is visible.
You can see the "Overview" tab and on the far right side there is
a "connect vpn" button.
On my 2.0.1 version I don't have this button. Is this a bug, or did I
make a wrong setting, so this button is not shown?
Please help!!!
Chris
-
An addition to my question concerning the routing. It seems I've misunderstood the
instruction in the guide. I don't need to point to the remote LAN.
I have now created a new gateway using the IP address of the local pfSense box (192.168.7.254).
Then I have created a LAN routing entry for 10.0.0.0 pointing to 192.168.7.254. But this did not change anything. The tunnel is not activated. :(
-
nobody out there that can help me?
not even an answer where the "connect button" has gone?
:'( -
The connect button only appears if pfsense has an actual interface IP (not a VIP) inside of the local Phase 2 network.
It can only send a ping over the tunnel if it has a usable local address from which it can source traffic into the tunnel.
Only a packet matching the Phase 2 settings will be sent on the tunnel, so with very strict P2 networks the firewall can't initiate the tunnel for you.
-
I've read your reply but I don't understand it.
What does "inside of the local phase 2 network" mean?
What is a "very strict P2 network"?
Do I need a routing entry for the remote network?
If yes, how do I create it on 2.0.1?
Chris
-
If you have a phase 2 like:
x.x.x.5/32 -> y.y.y.0/24
And pfSense only has x.x.x.1 on it, it can't initiate a packet on that phase 2 since it does not have an IP that would go inside.
As I said though, there are some bugs in the detection process for that button, it doesn't take IP aliases or subnets other than lan into account. So unless the local Phase 2 includes the LAN subnet, there is no connect button.
You don't need any routing entries.
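As an added illustration of the rule in the reply above (example code written for this page, not pfSense's own code and not the poster's): a Phase 2 entry is a pair of selectors, a packet is only sent into the tunnel when its source falls in the local selector and its destination in the remote selector, and the firewall can only originate such a packet itself if one of its real interface addresses lies inside the local selector. The sample addresses follow the lab in the first post; the OPT1 address 192.168.10.1 and the interface names are assumptions, and `connect_button_shown` is a model of the 2.0.1 behaviour as described here (LAN address only), not a reading of the pfSense source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry: local selector -> remote selector."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_p2(local: str, remote: str) -> Phase2:
    """Build a Phase 2 from CIDR strings such as '192.168.7.0/24' and '10.0.0.0/8'."""
    return Phase2(
        ipaddress.ip_network(local, strict=False),
        ipaddress.ip_network(remote, strict=False),
    )


def packet_matches_p2(p2: Phase2, src: str, dst: str) -> bool:
    """Only a packet whose src is inside the local selector and whose dst is inside
    the remote selector is sent into the tunnel; anything else follows normal routing."""
    return (ipaddress.ip_address(src) in p2.local
            and ipaddress.ip_address(dst) in p2.remote)


def source_address_for(p2: Phase2, interfaces: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Find an interface whose real IP (VIPs are deliberately not in this map) lies
    inside the local selector. That is the address a firewall-originated ping would
    be sourced from; with none, the firewall cannot initiate traffic on this Phase 2."""
    for name, addr in interfaces.items():
        if ipaddress.ip_address(addr) in p2.local:
            return name, addr
    return None


def can_initiate(p2: Phase2, interfaces: Dict[str, str]) -> bool:
    """True when the firewall itself has an address it could source tunnel traffic from."""
    return source_address_for(p2, interfaces) is not None


def connect_button_shown(p2: Phase2, interfaces: Dict[str, str]) -> bool:
    """Model of the 2.0.1 behaviour described in the reply above (assumption: the
    check looks at the LAN interface address only, ignoring OPT interfaces and aliases)."""
    lan = interfaces.get("lan")
    return lan is not None and ipaddress.ip_address(lan) in p2.local


# Constructed sample resembling the poster's lab: box 1 with LAN 192.168.7.0/24,
# an assumed OPT1 subnet, and the remote 10.0.0.0/8 behind box 2.
BOX1_INTERFACES = {
    "wan": "192.168.251.20",
    "lan": "192.168.7.254",
    "opt1": "192.168.10.1",   # assumed address for the OPT1 case discussed later
}

P2_LAN = parse_p2("192.168.7.0/24", "10.0.0.0/8")
P2_OPT1 = parse_p2("192.168.10.0/24", "10.0.0.0/8")
P2_STRICT = parse_p2("192.168.7.5/32", "10.0.0.0/8")   # a single LAN host, not the firewall


def report(p2: Phase2, interfaces: Dict[str, str]) -> Dict[str, object]:
    """Summarise one Phase 2: can the firewall initiate, and would 2.0.1 show the button."""
    return {
        "phase2": f"{p2.local} -> {p2.remote}",
        "source": source_address_for(p2, interfaces),
        "can_initiate": can_initiate(p2, interfaces),
        "button_2_0_1": connect_button_shown(p2, interfaces),
    }


if __name__ == "__main__":
    for p2 in (P2_LAN, P2_OPT1, P2_STRICT):
        print(report(p2, BOX1_INTERFACES))
    # A LAN host talking to the remote LAN matches the tunnel; the same host
    # talking to box 2's WAN address does not and leaves via the default gateway.
    print(packet_matches_p2(P2_LAN, "192.168.7.10", "10.0.0.5"))
    print(packet_matches_p2(P2_LAN, "192.168.7.10", "192.168.251.21"))
```

Running it shows the three cases from the thread: the LAN Phase 2 can be initiated and gets the button; the OPT1 Phase 2 can be initiated (traffic from OPT1 will bring it up) but the modelled 2.0.1 check hides the button; the /32 host Phase 2 can never be initiated by the firewall because it owns no address inside it, so only traffic from that host brings the tunnel up.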
-
As I said though, there are some bugs in the detection process for that button, it doesn't take IP aliases or subnets other than lan into account. So unless the local Phase 2 includes the LAN subnet, there is no connect button.
Does this mean I can not use IPSec for my OPT network?
That would be disastrous!
-
No, it just means that the connect button doesn't show up. When real traffic tries to use the tunnel, it will come up on its own.
-
As I said though, there are some bugs in the detection process for that button, it doesn't take IP aliases or subnets other than lan into account. So unless the local Phase 2 includes the LAN subnet, there is no connect button.
Does this mean I can not use IPSec for my OPT network?
That would be disastrous!
In fact I am not able to make OPT1 work with IPsec. Have you made it work?