Can't seem to get pfSense to stay connected to IPCop firewall
-
PFSense VPN Settings
Interconnect IPCop to PFSense using IPSec
This post is focused only on building a site-to-site IPsec VPN connection between IpCop and PFSense.
Attention: the PfSense and IpCop boxes are using a public IP address on the WAN side.
Thanks in advance!
PFSense Configuration
VPN menu, option IPSec,
Enable IPSec check box
Save button.
Then click the Add tunnel icon on the right side of the page; you now have a new page where you can specify the VPN tunnel options.
Mandatory Parameters
Uncheck Disabled
Key Exchange Version: IKEv1
Internet Protocol: IPv4
Interface: WAN_Red
Remote Gateway: The public ip address of IpCop box
207.166.250.2
Description = High School
Phase 1 proposal (Authentication)
Authentication method: Mutual PSK
Authentication method: Main
My identifier: My Ip Address
Peer identifier: Peer ip address
Pre-Shared Key: same password
Phase 1 proposal (Algorithms)
Encryption algorithm: Blowfish (256 bits)
Hash algorithm: SHA1
DH key group: 5 (1536 bits)
Lifetime: 28800
Advanced Options
Disable rekey = unchecked
Margintime = blank
Responder Only = unchecked
NAT Traversal = Auto
Dead Peer Detection = Unchecked
Save button and then click on “Add phase 2”
Disabled = unchecked
Mode = Tunnel IPv4
Local Network: LAN Subnet
Green Port 2
NAT/BINAT = None
Remote Network: LANSubnet on ipcop side
Address from pulldown
10.0.0.0/7
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: check only Blowfish (Auto)
Hash algorithms: check only SHA1 and MD5
PFS key group: 5 (1536 bits)
Lifetime: 28800
Auto ping host = enter IP if you find VPN drops often
SAVE & APPLY
– Hit Save button
------------------------------------------------
IpCop Configuration
Open the VPN menu and modify the Public IP with the real WAN IP address.
– Press Add button in the middle of the screen to create a new PSK VPN connection with IPSec,
Select Net-to-Net Virtual Private Network to continue.
Host IP Address:
Wan Ip Address 207.166.250.2
Remote Host/IP: The public ip address of PfSense box
169.244.143.34
Local Subnet: Local LAN subnet
10.0.0.0/255.0.0.0
Remote Subnet: LAN subnet on PfSense side.
172.16.152.0/255.255.254.0
Dead Peer Detection Action = Restart
Operation at IPSec startup = start
Remark = anything "Connection to BCOPE"
Check Use Pre-Shared Key
Enter the same password used in pfSense
– SAVE
Edit ADVANCED settings
Phase 1
IKE Encryption: Blowfish (both 256bit and 128bit)
IKE Integrity: check SHA and MD5
IKE Grouptype: set MODP-1536
IKE Lifetime: 1 hour (This option not available)
Phase 2
ESP Encryption: Blowfish (both 256bit and 128bit)
ESP Integrity: check SHA1 and MD5
ESP Grouptype: set to MODP-1536 (This option not available)
ESP Keylife: set to 8 hours
Check only Perfect Forward Secrecy (PFS) - uncheck?
SAVE button
-----------------------------------------
On the PFSense side go to
Status > IPSec
Overview tab, see VPN status.
If all works fine you see ESTABLISHED.
If not click on CONNECT VPN
Check Status>System Logs>IPSec
Must create a rule in Firewall to allow traffic through the VPN
Firewall>Rules>IPSec
Add
Action = Pass
Disabled = unchecked
Interface = IPsec
Address Family = IPv4
Protocol = Any
Source = Any
Destination = Any
Log = unchecked
Description = High School
Nothing to change under Advanced
SAVE & APPLY
Can you ping through to 10.0.0.15?
-
Lost my opening paragraph... sorry.
We are upgrading firewalls to pfSense. We are using the latest version 2.4.3 and can connect to the internet. We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.
On the other end we have an IPCop firewall using their last update.
-
We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.
Firewall rules on the IPsec tab would be for allowing pings originating from the other side.
Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.
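An added example (not code from the thread, pfSense or IPCop) that illustrates both the Phase 2 networks entered in the first post and the reply's point that a test ping only goes through the tunnel when its source address lies in the Local Network of a Phase 2. It takes the networks exactly as posted on each side (pfSense: 172.16.152.0/23 local, 10.0.0.0/7 remote; IPCop: 10.0.0.0/255.0.0.0 local, 172.16.152.0/255.255.254.0 remote), reports which Phase 2 a given source/destination pair would match, and also checks that the two ends' networks are mirror images of each other, which IKEv1 requires. The `Phase2` record, the function names and the test host 172.16.152.10 are this example's own constructions; note that with the values as posted the check reports that 10.0.0.0/7 on the pfSense side does not match 10.0.0.0/8 on the IPCop side.

```python
"""Added example: is a ping 'interesting' to IPsec, and do both ends'
Phase 2 networks mirror each other? Networks are the ones posted in the
thread; the Phase2 record and function names are constructed here."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Phase2:
    """One IKEv1 Phase 2 traffic selector pair, as seen from one end."""
    name: str
    local: IPv4Network   # "Local Network" on pfSense / "Local Subnet" on IPCop
    remote: IPv4Network  # "Remote Network" on pfSense / "Remote Subnet" on IPCop


def phase2(name: str, local: str, remote: str) -> Phase2:
    # ip_network accepts prefix ("/23") and dotted-mask ("/255.255.254.0")
    # forms, so the IPCop-style notation from the thread is used unchanged.
    return Phase2(name, ip_network(local), ip_network(remote))


def matching_phase2(entries: Iterable[Phase2], src: str, dst: str) -> Optional[Phase2]:
    """Return the first Phase 2 whose local network contains src and whose
    remote network contains dst. A packet that matches none is not
    'interesting' to IPsec and never enters the tunnel, which is what happens
    when the ping is sourced from the WAN address instead of a LAN one."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in entries:
        if s in p2.local and d in p2.remote:
            return p2
    return None


def selector_mismatches(a: Phase2, b: Phase2) -> List[str]:
    """With IKEv1 both ends must agree exactly: A's local must equal B's
    remote and vice versa. Return a line for every pair that differs."""
    problems = []
    if a.local != b.remote:
        problems.append(f"{a.name} local {a.local} != {b.name} remote {b.remote}")
    if a.remote != b.local:
        problems.append(f"{a.name} remote {a.remote} != {b.name} local {b.local}")
    return problems


# Values as posted in the thread (pfSense Phase 2 and the IPCop net-to-net entry).
PFSENSE_P2 = phase2("pfSense", "172.16.152.0/23", "10.0.0.0/7")
IPCOP_P2 = phase2("IPCop", "10.0.0.0/255.0.0.0", "172.16.152.0/255.255.254.0")

if __name__ == "__main__":
    # Ping sourced from a LAN-side host (constructed address) toward 10.0.0.15
    print(matching_phase2([PFSENSE_P2], "172.16.152.10", "10.0.0.15"))
    # Same ping sourced from the pfSense WAN address: no Phase 2 matches
    print(matching_phase2([PFSENSE_P2], "169.244.143.34", "10.0.0.15"))
    for problem in selector_mismatches(PFSENSE_P2, IPCOP_P2):
        print("mismatch:", problem)
```

Run it as-is to see the three results; swap in your own networks and the source you pick under Diagnostics > Ping to check a tunnel of your own. The mirror check is the first thing worth doing when a tunnel shows ESTABLISHED but nothing passes, since mismatched Phase 2 networks are negotiated separately from the Phase 1 that the Overview tab reports on.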