Netgate Discussion Forum

    IPSEC Site to Site VPN

IPsec
13 Posts 4 Posters 1.3k Views
msalonius:

      Hello,

I am having a problem setting up an IPsec site-to-site VPN between two pfSense devices. I have everything set up properly as far as I know, but it won't connect and I can't find any logging on it.

My setup is:

OFFICE 10.199.45.0/24 --> pfSense (behind firewall (Rogers modem) with ports forwarded) ----> WAN -----> pfSense ---> 10.0.0.0/24 network

      It just sits in a connecting state.

lst_hoe:

        Try to see what is going on with Diagnostics -> Packet Capture on the outgoing/incoming interface of the pfSense boxes on both ends.

msalonius:

This is in my logs:

          ![Screen Shot 2018-03-07 at 12.17.50 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 12.17.50 PM.png)

yarick123:

Looks like UDP packets on port 4500 do not go between the firewalls.

msalonius:

OK, so I allowed that; now I am getting this, and the configs are the same on both sides.

              My Network is as follows:

Site A
WAN -> Public IP (no NAT)
LAN -> 10.199.45.0/24

Site B
WAN -> 192.168.100.2 (NATted as external IP)
LAN -> 10.0.0.0/24

Can't figure out for the life of me what's going on.

              ![Screen Shot 2018-03-07 at 6.10.38 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 6.10.38 PM.png)

Derelict (LAYER 8, Netgate):

                You are behind NAT. Your phase 1 isn't set up correctly. Is the IP address on the NAT side dynamic or static?

                If dynamic you will probably have to set up dynamic DNS and set the other side to connect to that hostname and expect the hostname as the identifier.

                The NAT side will have to explicitly set that host name as the identifier.

                (You could also set up an OpenVPN server on the non-NAT side and a client on the NAT side and you wouldn't have to worry about any of this.)

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

msalonius:

I got it to work; I needed to put the external IPs of each of them as their identifier. I can't seem to ping through, though, from the 10.199.45.0/24 network to the 10.0.0.0/24 network. I added a static route on the one side to no avail. My firewall rules allow all protocols from one side to the other in the IPsec section.

Derelict (LAYER 8, Netgate):

                    Static routes will do nothing for IPsec. It is all handled by the traffic selectors (defined in the Phase 2 entries).

                    Try pinging the pfSense interface address on the other side. If that works but you can't ping the hosts on the remote side, check the firewalls and routing on those hosts.


msalonius:
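The three things this thread turns on (a NAT-side peer must announce an explicit identifier instead of its private interface address, traffic only enters the tunnel through matching Phase 2 selectors rather than static routes, and decrypted traffic still has to pass rules on the IPsec firewall tab) can be expressed as a small consistency check. The script below is an added example for this thread, not pfSense code; the dataclasses are a simplified model of the pfSense Phase 1/Phase 2 forms, and the public addresses are constructed placeholders from documentation ranges.

```python
"""Consistency check for a pfSense-style IPsec site-to-site configuration.

Added example for this thread, not pfSense code. It models the mistakes
discussed: a NAT-side peer sending its private WAN address as its IKE
identifier, Phase 2 selectors that do not mirror, and missing rules on the
IPsec firewall tab. All addresses are constructed samples.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Phase1:
    site: str
    wan_address: str        # address configured on the WAN interface
    public_address: str     # address the peer sees; differs from wan_address behind NAT
    remote_gateway: str     # address this side dials
    my_identifier: tuple    # ("myaddress", None), ("address", "a.b.c.d") or ("fqdn", "host")
    peer_identifier: tuple  # ("peerip", None), ("address", "a.b.c.d") or ("fqdn", "host")


@dataclass
class Phase2:
    local_subnet: str
    remote_subnet: str


@dataclass
class Site:
    p1: Phase1
    p2: list                 # Phase2 entries (traffic selectors)
    ipsec_pass_sources: list  # source networks passed by rules on the IPsec tab


def behind_nat(p1):
    return p1.wan_address != p1.public_address


def sent_identifier(p1):
    """Identity this side actually places in IKE. 'My IP address' is the
    interface address, which behind NAT is the private one."""
    kind, value = p1.my_identifier
    return ("address", p1.wan_address) if kind == "myaddress" else (kind, value)


def expected_identifier(p1):
    """Identity this side expects; 'Peer IP address' means the remote gateway."""
    kind, value = p1.peer_identifier
    return ("address", p1.remote_gateway) if kind == "peerip" else (kind, value)


def check(a, b):
    findings = []
    for local, remote in ((a, b), (b, a)):
        if local.p1.remote_gateway != remote.p1.public_address:
            findings.append(f"{local.p1.site}: remote gateway {local.p1.remote_gateway} is not "
                            f"{remote.p1.site}'s reachable address {remote.p1.public_address}")
        if behind_nat(remote.p1) and remote.p1.my_identifier[0] == "myaddress":
            findings.append(f"{remote.p1.site}: behind NAT with 'My IP address' as identifier; "
                            "set it explicitly to the public address or a hostname")
        got, want = sent_identifier(remote.p1), expected_identifier(local.p1)
        if got != want:
            findings.append(f"{local.p1.site}: expects peer identifier {want} "
                            f"but {remote.p1.site} sends {got}")
        # Decrypted traffic from each remote subnet still needs a pass rule on the IPsec tab.
        for p2 in local.p2:
            remote_net = ip_network(p2.remote_subnet)
            if not any(remote_net.subnet_of(ip_network(src)) for src in local.ipsec_pass_sources):
                findings.append(f"{local.p1.site}: no IPsec-tab rule passes traffic from {p2.remote_subnet}")
    # Traffic is only sent into the tunnel when a Phase 2 selector matches; static routes play no part,
    # so each side's (local, remote) pair must be the mirror image of the other side's.
    a_sel = {(ip_network(p.local_subnet), ip_network(p.remote_subnet)) for p in a.p2}
    b_sel = {(ip_network(p.remote_subnet), ip_network(p.local_subnet)) for p in b.p2}
    if a_sel != b_sel:
        findings.append("Phase 2 selectors do not mirror each other")
    return findings


# Constructed sample mirroring the thread: Site A on a public address, Site B
# behind a NAT modem with a private WAN address. Both public addresses are placeholders.
SITE_A_PUBLIC = "198.51.100.10"
SITE_B_PUBLIC = "203.0.113.20"


def broken_config():
    a = Site(Phase1("SiteA", SITE_A_PUBLIC, SITE_A_PUBLIC, SITE_B_PUBLIC,
                    ("myaddress", None), ("peerip", None)),
             [Phase2("10.199.45.0/24", "10.0.0.0/24")], [])
    b = Site(Phase1("SiteB", "192.168.100.2", SITE_B_PUBLIC, SITE_A_PUBLIC,
                    ("myaddress", None), ("peerip", None)),
             [Phase2("10.0.0.0/24", "10.199.45.0/24")], [])
    return a, b


def fixed_config():
    a, b = broken_config()
    b.p1.my_identifier = ("address", SITE_B_PUBLIC)  # explicit identifier on the NAT side
    a.ipsec_pass_sources = ["10.0.0.0/24"]           # rules on the IPsec tab, both sides
    b.ipsec_pass_sources = ["10.199.45.0/24"]
    return a, b


if __name__ == "__main__":
    for name, cfg in (("broken", broken_config()), ("fixed", fixed_config())):
        print(name, check(*cfg) or ["ok"])
```

Running it prints four findings for the broken layout (the NAT-side identifier, the resulting identifier mismatch seen by Site A, and a missing IPsec-tab rule on each side) and "ok" for the fixed one. The identifier check is the part to reuse: whenever one peer is behind NAT, "My IP address" resolves to an RFC 1918 address the other side never sees.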

Unable to ping the pfSense interface on the other side; both 10.0.0.1 and 10.199.45.1 fail.

Derelict (LAYER 8, Netgate):

                        Then your IPsec is not working. Check your rules.


msalonius:

Everything looks fine and the tunnel is established; see screenshots.

                          ![Screen Shot 2018-03-07 at 10.24.57 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 10.24.57 PM.png)
                          ![Screen Shot 2018-03-07 at 10.25.14 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 10.25.14 PM.png)

Derelict (LAYER 8, Netgate):

                            Those are the configuration screens. What does Status > IPsec look like?


msalonius:

It's OK, I figured it out; I didn't have the correct rule in the IPsec rules for the firewall. All good now, thanks.
