Need help with IPsec VPN Phase 2 not coming up
-
I have a site-to-site VPN I'm trying to connect.
2.0.1-RELEASE (amd64)
built on Mon Dec 12 18:16:13 EST 2011
FreeBSD 8.1-RELEASE-p6

All settings have been confirmed on the other side.
Phase 1 ----------------------------------------
If: WAN CARP IP (10.0.0.1) (pfSense is clustered with 2 nodes VRRP)
RemGW: 12.0.0.1
AHMethod: PSK
Negotiation: main
MyID: My IP
PeerID: Peer IP
PolicyGen: Default
PropCheck: Default
EncAlg: AES128
HashAlg: SHA1
DH: 2
Lifetime: 86400
NAT-T: Enabled
DPD: yes
Ack: 10s
Disc: 5x

Phase 2 ----------------------------------------
Mode: Tunnel
LocalNetwork: Address: 10.0.0.5 (VIP type IP Alias)
RemoteNetwork: Address: 1.1.1.1
Proto: ESP
EncAlg: AES128
HashAlg: SHA1
PFSkey: off
Life: 28800
ping: 1.1.1.1

I have 1:1 NAT from 10.0.0.5 (WAN network) <-> 192.168.0.10 (LAN network).
Firewall rules have been set up to pass all traffic properly.
I cannot ping 1.1.1.1 from 192.168.0.10 (I was able to ping at one point, but cannot any more).
No SADs get created.

What type of VIP should I use? Currently using IP Alias.
-
The Problem:
The IPsec tunnel is already configured, and works great except that it (naturally) requires that ALL of our vendors (present and future) NOT be using the 10.0.0.8 address, neither the 10./8 subnet nor the 10.0/16 subnet. We don't want to require future vendors to renumber their networks!

The Question:
Is there a way that we can do site-to-site tunneling BUT make OUR end of the IPsec tunnel (the remote end to our vendors) be a public IP address on a /32 subnet rather than an address or subnet within our private network? Naturally our public IP addresses are already globally unique, and routing to one of our public addresses would eliminate present and future numbering conflicts.

The problem I'm struggling with is routing traffic from the virtual IPsec interface to the internal database host on a 10.0/16 network. Naturally the normal NAT port forwarding rules do not apply to the virtual IPsec interface, so it occurred to me to use 1:1 NAT to create the route using a dedicated Virtual IP (a public IP address), but it appears that the configurator does not offer the IPsec interface when configuring 1:1 NAT.

It also occurred to me that I might need to FIRST bridge the IPsec interface to the WAN interface (thereby enabling 1:1 NAT on the WAN interface), but that also appears to be impossible, or perhaps just a really bad idea for some reason that I'm not thinking of :-)

Is it even possible to do what I'm trying to do? Any help would be much appreciated!
-
On pfSense 2.1 the IPsec phase 2 config has a place to define a NAT network.
That won't help you if someone else directly overlaps because while they could contact you (since they only see your public IP) you couldn't contact them because your own PCs would believe them to be in your LAN.
To avoid the overlap you'd both have to be doing NAT so that a public IP or some other unused subnet(s) are being presented on the tunnel.
-
I have a server residing on the LAN subnet 192.168.0.0/24. I have:
1:1 NAT from IF: WAN - ExtIP: 10.0.0.5 <-> InternalIP: 192.168.0.10 (ExtIP VIP type = IP Alias)
1:1 NAT from IF: IPsec - ExtIP: 10.0.0.5 <-> InternalIP: 192.168.0.10 (ExtIP VIP type = IP Alias)

Phase 1
(local) 10.0.0.1 <-> (rem) 12.0.0.1

Phase 2
(local) 10.0.0.5 <-> (rem) 1.1.1.1

IPsec Rules:
Proto: * - Source: 1.1.1.1/32 - SourcePort: * - Dest: 192.168.0.10 - DestPort: *
Proto: * - Source: 1.1.1.1/32 - SourcePort: * - Dest: 10.0.0.5 - DestPort: *

WAN Rules:
Proto: * - Source: 12.0.0.1 - SourcePort: * - Dest: 10.0.0.1 - DestPort: *

I guess what I need is confirmation that my NAT rules will be used in Phase 2 of the IPsec. The NAT through the IPsec should look like:
192.168.0.10 <- NAT -> 10.0.0.5 <-> 1.1.1.1
-
No. You do not use NAT (1:1 or port forwards) with IPsec in that way. The only way NAT and IPsec work together is using the NAT subnet entry on the pfSense 2.1 IPsec Phase 2 config.
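The two replies above (the overlap explanation and the point that 1:1 NAT on the WAN or IPsec tab is not applied to tunnel traffic) boil down to what the negotiated Phase 2 selectors can see. The following is an added example, not code from the thread and not pfSense, racoon or kernel code: a small model of policy (SPD) selector matching using the addresses posted here. It shows that a packet from 192.168.0.10 never fits a 10.0.0.5/32 <-> 1.1.1.1/32 selector unless the translation is part of the Phase 2 definition (modelled as `nat_local`, standing in for the 2.1 NAT/BINAT field), and it includes the overlap check from the earlier reply. The class and function names are this example's own.

```python
"""Toy model of IPsec Phase 2 selector matching (added example, not from the
thread). Assumption: this models selector semantics only, not pfSense's or
the kernel's actual implementation."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """A Phase 2 entry as negotiated with the peer: the SA covers
    local <-> remote. nat_local stands in for the Phase 2 NAT/BINAT field:
    the real LAN network rewritten 1:1 onto `local` for tunnel traffic."""
    local: IPv4Network
    remote: IPv4Network
    nat_local: Optional[IPv4Network] = None

    def __post_init__(self) -> None:
        # A 1:1 (BINAT) mapping needs equal-size networks so host bits carry over.
        if self.nat_local is not None and self.nat_local.prefixlen != self.local.prefixlen:
            raise ValueError("NAT/BINAT network must be the same size as the Phase 2 local network")


def _map(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """Rewrite addr from src_net to the same host offset inside dst_net."""
    return IPv4Address(int(dst_net.network_address) + (int(addr) - int(src_net.network_address)))


def match_outbound(spd: List[Phase2], src: IPv4Address, dst: IPv4Address) -> Optional[Tuple[Phase2, IPv4Address]]:
    """Return the Phase 2 entry covering src -> dst plus the source the peer
    will see. None means no policy applies: the packet is sent in the clear
    (or dropped) and no SA is negotiated for it, i.e. no SAD entry appears."""
    for p2 in spd:
        effective_src = src
        if p2.nat_local is not None and src in p2.nat_local and dst in p2.remote:
            effective_src = _map(src, p2.nat_local, p2.local)  # translation precedes the selector check
        if effective_src in p2.local and dst in p2.remote:
            return p2, effective_src
    return None


def match_inbound(spd: List[Phase2], src: IPv4Address, dst: IPv4Address) -> Optional[Tuple[Phase2, IPv4Address]]:
    """Reverse direction: decrypted traffic from the remote network to the
    Phase 2 local network, returned with the address it is delivered to."""
    for p2 in spd:
        if src in p2.remote and dst in p2.local:
            delivered = dst if p2.nat_local is None else _map(dst, p2.local, p2.nat_local)
            return p2, delivered
    return None


def needs_nat_on_both_sides(lan: IPv4Network, vendor_remote: IPv4Network) -> bool:
    """Overlap check from the earlier reply: if the vendor's network overlaps
    our LAN, our hosts treat the vendor's addresses as local, so both ends
    must present translated, non-overlapping networks on the tunnel."""
    return lan.overlaps(vendor_remote)


# Addresses from the thread (constructed scenario data).
LAN_HOST = ip_address("192.168.0.10")   # the real server on the LAN
TUNNEL_LOCAL = ip_address("10.0.0.5")   # IP Alias VIP presented in Phase 2
VENDOR = ip_address("1.1.1.1")          # vendor host behind the peer

# As posted: Phase 2 is 10.0.0.5/32 <-> 1.1.1.1/32 and the 1:1 NAT lives on
# the WAN/IPsec firewall tabs, which the policy never sees: nothing translates.
POSTED = [Phase2(ip_network("10.0.0.5/32"), ip_network("1.1.1.1/32"))]

# The reply's fix: declare the translation in the Phase 2 entry itself.
FIXED = [Phase2(ip_network("10.0.0.5/32"), ip_network("1.1.1.1/32"),
                nat_local=ip_network("192.168.0.10/32"))]


if __name__ == "__main__":
    print("posted config, 192.168.0.10 -> 1.1.1.1:", match_outbound(POSTED, LAN_HOST, VENDOR))
    print("fixed config,  192.168.0.10 -> 1.1.1.1:", match_outbound(FIXED, LAN_HOST, VENDOR))
    print("fixed config,  1.1.1.1 -> 10.0.0.5 delivered to:", match_inbound(FIXED, VENDOR, TUNNEL_LOCAL)[1])
    print("vendor on 10.0.0.0/16 vs LAN 10.0.0.0/16 needs NAT at both ends:",
          needs_nat_on_both_sides(ip_network("10.0.0.0/16"), ip_network("10.0.0.0/16")))
```

With the posted configuration the outbound lookup returns nothing, which is the "no SADs get created" symptom: the real source never fits the selector the peer agreed to. With the translation declared in Phase 2, the same packet matches as 10.0.0.5 -> 1.1.1.1 and the reply is delivered back to 192.168.0.10.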
-
OK, then can pfSense handle having Phase 1 and Phase 2 in the same subnet?
On the local side the P1 IP = CARP VIP (WAN if), P2 IP = IP Alias VIP (WAN if).
NAT 1:1 WAN if
WAN rules created
IPsec rules created

Still does not come up.