ipsec - site to site - packets not going through tunnel on my site [solved]
-
Hello,
I know there are many entries with the same topic but sadly I can't get the tunnel to work properly. Normally we are using OpenVPN site to site and for clients and it's working without any problems, but our new supporter needs an IPsec tunnel. Here are the configurations that seem to work "a little bit":
The tunnel starts and stays connected and I can see packets in the logfile when filtering for ipsec as interface. However, there is no RDP connection or ping possible and it seems that the packets get to the server but not back through the tunnel, but through the internet.
Cisco Configuration from other Endpoint:
Internet IP: 13.141.121.200
IKE Policy - Phase 1 5 (AES-256, MD5, Group 5, 86400)
IPSec Policy - Phase 2 AES-256-MD5
access-list CM_1518 extended permit ip host 13.141.121.201 10.4.11.120 255.255.255.252
crypto map outside_map 1518 match address CM_1518
crypto map outside_map 1518 set peer 223.18.16.22
crypto map outside_map 1518 set ikev1 transform-set AES-256-MD5
crypto map outside_map 1518 set nat-t-disable
NAT:
10.4.11.120 10.1.20.60 host1
10.4.11.121 10.1.20.145 host2
10.4.11.122 10.1.20.146 host3
10.4.11.123 10.1.20.149 host4
My Configuration:
Phase 1
Remote Gateway 13.141.121.200
Phase 2
Local Network - Network 10.4.11.120 /30
Remote Network - 13.141.121.201
NAT: (Example for one Host)
-> I want NAT entries for all ports like on the Cisco but don't know how to set that up. pfSense always wants to know ports. (Not a problem)
Interface: ipsec
prot: UDP/TCP
destination: 10.4.11.120
port range: MS RDP
redirect Target IP: 10.1.20.60
redirect target port MS RDP
Additionally there is an ICMP NAT for testing.
Rules:
Any to Any on ipsec Tab for testing and logging. Will be changed when it works
Any to 500 on WAN
Any to 4500 on WAN
(Any will be changed to IP when it works)
Confusion:
- Is the entry "local subnet" correct? I thought I had to enter my LAN subnet there. But then the tunnel will not start, with a Hash ID error (wrong subnet). The configuration here is the only one working. I have tested all possible combinations.
- Can I enter a simple NAT like "everything that goes to IP 1 goes to IP 2"?
- What can I do to tell pfSense to route traffic through the tunnel? I have read many times "everything is done automatically in IPsec" but it doesn't work ;)
If you need more information just tell me. Sadly I can't produce log entries, because I have no hosts to ping. The purpose of the VPN tunnel is to give access to the support.
-
After reading a book about VPN I understood subnetting with an IPsec VPN and found the solution:
Phase 2 must be configured like this:
Phase2
Local Network - LAN Network
NAT / BINAT 10.4.11.120 /30
Remote Network - 13.141.121.201
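Why the Phase 2 entry with the real LAN fails and the NAT/BINAT form works comes down to the IPsec traffic selectors: the ASA's crypto ACL fixes the pair it will accept, and only packets that fall inside the negotiated selectors are encrypted. The script below is an added illustration, not code from the original post; it parses the Cisco ACL quoted above, compares it with the selectors pfSense would propose, and checks which packets the SA would carry. The LAN range 10.1.20.0/24 is an assumption (the post only shows 10.1.20.x hosts).

```python
import ipaddress

# Constructed from the post: the Cisco side's crypto ACL. It defines the
# traffic selectors (Cisco local host, pfSense-side network) the ASA accepts.
CISCO_ACL = ("access-list CM_1518 extended permit ip "
             "host 13.141.121.201 10.4.11.120 255.255.255.252")


def parse_cisco_acl(line):
    """Return (cisco_local, cisco_remote) as ip_network objects from an ASA
    'permit ip' entry, accepting both 'host A' and 'A MASK' operands."""
    tokens = line.split()
    pos = tokens.index("ip") + 1
    nets = []
    for _ in range(2):
        if tokens[pos] == "host":
            nets.append(ipaddress.ip_network(tokens[pos + 1] + "/32"))
        else:
            nets.append(ipaddress.ip_network(f"{tokens[pos]}/{tokens[pos + 1]}"))
        pos += 2
    return nets[0], nets[1]


def pfsense_phase2_selectors(local_network, remote_network, binat=None):
    """pfSense offers the NAT/BINAT network as its local selector when one is
    configured; otherwise it offers the real local network."""
    local = ipaddress.ip_network(binat if binat else local_network)
    return local, ipaddress.ip_network(remote_network)


def selectors_match(cisco_acl, pf_local, pf_remote):
    """Phase 2 only negotiates if pfSense's (local, remote) pair is the mirror
    image of the ACL's (local, remote) pair; otherwise the responder rejects
    the proposal (the 'wrong subnet' error described in the post)."""
    cisco_local, cisco_remote = parse_cisco_acl(cisco_acl)
    return pf_local == cisco_remote and pf_remote == cisco_local


def packet_uses_tunnel(src, dst, pf_local, pf_remote):
    """Only packets whose (post-NAT) source and destination lie inside the SA
    selectors are encrypted; anything else follows the routing table, i.e.
    leaves via the Internet, which is the symptom the post describes."""
    return (ipaddress.ip_address(src) in pf_local
            and ipaddress.ip_address(dst) in pf_remote)


if __name__ == "__main__":
    lan, remote = "10.1.20.0/24", "13.141.121.201/32"   # LAN range assumed
    print(selectors_match(CISCO_ACL, *pfsense_phase2_selectors(lan, remote)))
    loc, rem = pfsense_phase2_selectors(lan, remote, binat="10.4.11.120/30")
    print(selectors_match(CISCO_ACL, loc, rem))
    print(packet_uses_tunnel("10.4.11.120", "13.141.121.201", loc, rem))
    print(packet_uses_tunnel("10.1.20.60", "13.141.121.201", loc, rem))
```

Run as-is it prints False, True, True, False: the LAN-only proposal is rejected, the BINAT proposal matches, and a host1 packet is carried only once it appears with its translated 10.4.11.120 address.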