    Need help with IPSEC VPN Phase 2 not coming up

    IPsec
astrivoip123:

I have a site-to-site VPN I'm trying to connect.

      2.0.1-RELEASE (amd64)
      built on Mon Dec 12 18:16:13 EST 2011
      FreeBSD 8.1-RELEASE-p6

      All settings have been confirmed on the other side
Phase 1 ----------------------------------------
      If: WAN CARP IP (10.0.0.1) (pfsense is clustered with 2 nodes VRRP)
      RemGW:  12.0.0.1
      AHMethod: PSK
      Negotiation: main
      MyID: My IP
      PeerID:  Peer IP
      PolicyGen: Default
      PropCheck:  Default
      EncAlg: AES128
      HashAlg: SHA1
      DH: 2
      Lifetime: 86400
      NAT-T: Enabled
      DPD: yes
      Ack: 10s
      Disc:  5x

      Phase 2 ----------------------------------------
      Mode: Tunnel
      LocalNetwork: Address:  10.0.0.5 (VIP type IP Alias)
      RemoteNetwork:  Address:  1.1.1.1
      Proto: ESP
      EncAlg:  AES128
      HashAlg:  SHA1
      PFSkey:  off
      Life:  28800
      ping:  1.1.1.1

I have 1:1 NAT from 10.0.0.5 (WAN network) <-> 192.168.0.10 (LAN network).

Firewall rules have been set up to pass all traffic properly.

I cannot ping 1.1.1.1 from 192.168.0.10 (I was able to ping at one point, but cannot any more).
No SADs get created.

What type of VIP should I use? Currently using IP Alias.

astrivoip123:

        The Problem:
The IPsec tunnel is already configured, and works great except that it (naturally) requires that ALL of our vendors (present and future) NOT be using the 10.0.0.8 address, neither the 10./8 subnet nor the 10.0/16 subnet. We don't want to require future vendors to renumber their networks!

        The Question:
Is there a way that we can do site-to-site tunneling BUT make OUR end of the IPsec tunnel (the remote end to our vendors) be a public IP address on a /32 subnet rather than an address or subnet within our private network? Naturally our public IP addresses are already globally unique, and routing to one of our public addresses would eliminate present and future numeration conflicts. The problem I'm struggling with is routing traffic from the virtual IPsec interface to the internal database host on a 10.0/16 network.

Naturally the normal NAT port forwarding rules do not apply to the virtual IPsec interface, so it occurred to me to use 1:1 NAT to create the route using a dedicated Virtual IP (a public IP address), but it appears that the configurator does not offer the IPsec interface when configuring 1:1 NAT.

        It also occurred to me that I might need to FIRST bridge the IPsec interface to the WAN interface, (thereby enabling 1:1 NAT on the WAN interface) but that also appears to be impossible, or perhaps just a really bad idea for some reason that I'm not thinking of :-)

        Is it even possible to do what I'm trying to do? Any help would be much appreciated!

jimp (Rebel Alliance Developer, Netgate):

          On pfSense 2.1 the IPsec phase 2 config has a place to define a NAT network.

          That won't help you if someone else directly overlaps because while they could contact you (since they only see your public IP) you couldn't contact them because your own PCs would believe them to be in your LAN.

          To avoid the overlap you'd both have to be doing NAT so that a public IP or some other unused subnet(s) are being presented on the tunnel.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

astrivoip123:

            I have a server residing on the LAN subnet 192.168.0.0/24.  I have
            1:1 NAT from IF:WAN -  ExtIP: 10.0.0.5 <-> InternalIP: 192.168.0.10    (ExtIP VIP type = IP Alias)
            1:1 NAT from IF: Ipsec - ExtIP:  10.0.0.5 <-> InternalIP: 192.168.0.10  (ExtIP VIP type = IP Alias)

            Phase1
            (local) 10.0.0.1 <-> (rem) 12.0.0.1

            Phase2
            (local) 10.0.0.5 <-> (rem) 1.1.1.1

            IPSec Rules:
            Proto: * - Source: 1.1.1.1/32 - SourcePort: *  -  Dest: 192.168.0.10  -  DestPort: *
            Proto: * - Source: 1.1.1.1/32 - SourcePort: *  -  Dest: 10.0.0.5  -  DestPort: *

            WAN Rules
            Proto: *  -  Source 12.0.0.1 - SourcePort: *  -  Dest: 10.0.0.1 - DestPort: *

I guess what I need is confirmation that my NAT rules will be used in phase 2 of the IPsec. The NAT through the IPsec should look like:
192.168.0.10 <- nat -> 10.0.0.5 <-> 1.1.1.1

jimp (Rebel Alliance Developer, Netgate):

              No. You do not use NAT (1:1 or port forwards) with IPsec in that way. The only way NAT+IPsec work together is using the NAT subnet entry on the pfSense 2.1 IPsec Phase 2 config.


astrivoip123:
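To make jimp's two points concrete (that a phase 2 whose local subnet overlaps the remote side cannot be reached from your own LAN even if you NAT your end, and that the only supported way to combine NAT with IPsec is the NAT/BINAT network entry on the phase 2), here is an added worked example that is not part of the original thread and not pfSense code. It models a BINAT entry as a 1:1 network translation that keeps the host bits and swaps the prefix (the behaviour a phase 2 NAT network entry provides), and it reports whether each direction of the tunnel is usable. The subnets 192.168.0.0/24, 203.0.113.0/24 and 198.51.100.0/24 are constructed sample values, not addresses from the thread beyond the poster's LAN.

```python
"""Phase 2 overlap / BINAT checker (added example, not pfSense code)."""
import ipaddress


def net(s):
    """Parse a subnet string, accepting host bits set (e.g. '192.168.0.10/24')."""
    return ipaddress.ip_network(s, strict=False)


def overlaps(a, b):
    """True if the two subnets share any address."""
    return net(a).overlaps(net(b))


def binat_translate(addr, inside_net, outside_net):
    """Map an address in inside_net to its 1:1 counterpart in outside_net.

    Models a phase 2 NAT/BINAT network entry (assumption: host bits are
    preserved and only the prefix changes, so both networks must be the
    same size).
    """
    inside, outside = net(inside_net), net(outside_net)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("BINAT requires equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in inside:
        raise ValueError(f"{ip} is not inside {inside}")
    offset = int(ip) - int(inside.network_address)
    return str(ipaddress.ip_address(int(outside.network_address) + offset))


def binat_untranslate(addr, inside_net, outside_net):
    """Reverse mapping: the address a vendor sees back to the real LAN host."""
    return binat_translate(addr, outside_net, inside_net)


def is_local_destination(dst, local_nets):
    """True if a LAN host would treat dst as on-link/local rather than send it
    to the tunnel; this is why an overlapping remote subnet is unreachable."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net(n) for n in local_nets)


def check_phase2(local_net, remote_net, binat_net=None):
    """Report what this end presents on the tunnel and which directions work.

    local_net  : the real LAN subnet behind this firewall
    remote_net : the subnet the peer presents on the tunnel (their real LAN
                 if they do not NAT, their NAT network if they do)
    binat_net  : optional NAT network entry for this phase 2
    """
    presented = binat_net or local_net
    return {
        "presented_local": presented,
        # The peer can reach us only if what we present does not collide
        # with what they present.
        "reachable_from_remote": not overlaps(presented, remote_net),
        # Our hosts can reach the peer only if the peer's presented subnet
        # does not collide with our real LAN; otherwise the packets never
        # leave the LAN (jimp's "your own PCs would believe them to be in
        # your LAN").
        "reachable_to_remote": not overlaps(local_net, remote_net),
    }


if __name__ == "__main__":
    # Constructed scenario: both sides really use 192.168.0.0/24.
    lan, vendor_real, our_nat, vendor_nat = (
        "192.168.0.0/24", "192.168.0.0/24", "203.0.113.0/24", "198.51.100.0/24")
    print("server as seen by vendor:", binat_translate("192.168.0.10", lan, our_nat))
    print("only we NAT:   ", check_phase2(lan, vendor_real, our_nat))
    print("both sides NAT:", check_phase2(lan, vendor_nat, our_nat))
```

Running it shows the asymmetry jimp describes: with only one side translated, the vendor can reach 203.0.113.10 but the local LAN still cannot reach the vendor, and only when the peer also presents a non-overlapping NAT network do both directions come back usable.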

OK, then can pfSense handle having Phase 1 and Phase 2 in the same subnet?
                On the local side the p1 IP = CARP VIP (WAN if)  p2 IP = IP Alias VIP (WAN if)

                NAT 1:1 WAN if
                WAN rules created
                IPSEC rules created

                Still does not come up.
