IPSec VPN to CISCO
-
Sounds like you are trying to do what Cisco would call IPsec with policy NAT. AFAIK, you still cannot do this on pfSense. One question: why are you using 10.0.0.0/8? If the subnets are not the same (10.128.1.x and 10.x.y.z), then why not use a /24+ subnet mask on the tunnels? Then you could terminate them both on the Draytek (don't know if that can NAT IPsec).
-
Hi,
The Draytek is old and won't do that. Also, the customer on the Draytek is using the whole class 8 10.0.0.0/8.
If pfSense doesn't support this configuration then I'm in trouble…
What if I create a subnet 172.18.0.x and install a 2nd NIC on pfSense with the 172.18.0.85 IP and then make a regular IPsec tunnel?
I could then just route traffic from my network (192.168.0.0/23) to this new subnet. Would this work? Am I making any sense?
-
You have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.
-
@cmb:
you have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.
Hi,
Could you give me more detail on how to do this? Do I need two pfSense boxes for this?
Could this configuration coexist with the VPN I have for our remote office? Could I use a Windows Server 2003 to do the NAT?
Thanks
-
Can anyone provide a quick description? Can I add an OPT interface to pfSense, or do I need two machines?
In a two machine scenario, is this the right configuration?
pfSense I
WAN interface with public IP
LAN interface with 172.18.0.85
IPsec tunnel to the customer network (10.0.0.0/8).
pfSense II
WAN interface 172.18.0.x
LAN interface 192.168.0.x (my local network)
Clients in my network will have a route that states that for destination 10.0.0.0/8 the gateway is 192.168.0.x.
How do I configure NAT on pfSense II?
Thanks
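The two-box layout described in the post above, traced packet by packet, as an added example (not from the thread or from pfSense). The 192.168.0.0/23, 172.18.0.85 and 10.0.0.0/8 addresses are the ones posted; the pfSense II WAN address 172.18.0.2 and the Phase 2 selector 172.18.0.0/24 are assumptions filled in for the model. The point it makes is that pfSense I compares the post-NAT source against its Phase 2 selector, so the outbound NAT on pfSense II has to happen first and the selector has to cover the NAT address, not the original LAN range.

```python
"""Model of the two-pfSense design: box II does outbound NAT, box I terminates IPsec.

Added example, not code from the thread or from pfSense.  Addresses marked
'assumed' are not in the original post.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

LOCAL_LAN = ip_network("192.168.0.0/23")       # thread author's LAN (from the post)
TRANSFER_NET = ip_network("172.18.0.0/24")     # between pfSense II WAN and pfSense I LAN
PFSENSE_I_LAN = IPv4Address("172.18.0.85")     # pfSense I LAN address (from the post)
PFSENSE_II_WAN = IPv4Address("172.18.0.2")     # pfSense II WAN address (assumed, post says 172.18.0.x)
CUSTOMER_NET = ip_network("10.0.0.0/8")        # remote side of the tunnel (from the post)

# Phase 2 selector on pfSense I (assumed): local = transfer net, remote = customer net.
PHASE2_LOCAL = TRANSFER_NET
PHASE2_REMOTE = CUSTOMER_NET


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address


def client_next_hop(dst: IPv4Address) -> str:
    """Client static route from the post: 10.0.0.0/8 via pfSense II, the rest via the default gateway."""
    return "pfsense-II" if dst in CUSTOMER_NET else "default-gw"


def outbound_nat(flow: Flow) -> Flow:
    """pfSense II outbound NAT: LAN -> customer traffic leaves with the WAN address as source.

    pf keeps a state entry for this translation, so replies from 10.x.y.z to
    172.18.0.2 are mapped back to the original 192.168.x.y host.
    """
    if flow.src in LOCAL_LAN and flow.dst in CUSTOMER_NET:
        return Flow(PFSENSE_II_WAN, flow.dst)
    return flow


def phase2_match(flow: Flow) -> bool:
    """pfSense I: only flows inside the Phase 2 selector are encrypted into the tunnel."""
    return flow.src in PHASE2_LOCAL and flow.dst in PHASE2_REMOTE


def trace(src: str, dst: str, nat_enabled: bool = True) -> str:
    """Follow one client packet through routing, NAT and the IPsec policy check."""
    flow = Flow(ip_address(src), ip_address(dst))
    if client_next_hop(flow.dst) != "pfsense-II":
        return "not routed to pfSense II"
    if nat_enabled:
        flow = outbound_nat(flow)
    # pfSense II forwards to pfSense I over the transfer net; pfSense I applies the selector.
    if phase2_match(flow):
        return f"tunnelled as {flow.src}->{flow.dst}"
    return f"dropped by pfSense I: {flow.src}->{flow.dst} is outside the Phase 2 selector"


if __name__ == "__main__":
    print(trace("192.168.1.20", "10.5.6.7"))                    # goes through the tunnel
    print(trace("192.168.1.20", "10.5.6.7", nat_enabled=False))  # original source fails the selector
    print(trace("192.168.1.20", "198.51.100.9"))                 # never reaches pfSense II
```

Running `trace` with NAT disabled shows the failure mode the thread is circling around: the packet arrives at pfSense I with a 192.168.0.0/23 source, which no Phase 2 selector for 172.18.0.0/24 will accept, so it is dropped before it ever reaches the customer. On the real pfSense II this is a plain outbound NAT rule on the WAN interface for source 192.168.0.0/23 and destination 10.0.0.0/8; the IPsec box needs no NAT at all.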
-
@cmb:
you have to NAT on something other than what's doing the IPsec, no way around it. Generally people put up a VM as a second install to handle the NAT.
I have set up 2 pfSense boxes with the interfaces configured like in my previous post. Can you give me some guidance on how to set this up?
Thanks
-
Help? :(
-
I need help on this exact issue too. It seems like there are a ton of orphaned threads with similar questions. I'd even be willing to pay someone for help on this…
-
I'm very interested in this too
-
This is the setup I have with a Cisco ASA:
Phase 1
PSK
Neg Mode: Main
My ID My IP
Peer ID: Peer IP
Key: … etc.
Policy Gen: Default
Proposal: Obey
Enc: AES 128
Hash: SHA1
DH: 2
Lifetime: 28800
NAT-T disable
DPD Disabled
Phase 2:
ESP
Enc: AES 128
Hash: SHA1
PFS: 2
Lifetime: 3600
Tunnel has been up and solid!