Netgate Discussion Forum
    IPsec/Gre without NAT ok, IPsec/Gre with NAT get established, but no data

    Category: IPsec
    2 posts, 1 poster, 1.2k views
    stegbth

      Hi,

      I have a setup with three locations; each location has two WANs.
      One WAN at each location has a routed official IP to pfSense; this is the default gateway.
      The second WAN at each location is NATed and at one location has a dynamic IP; there are specific routes and policy-based routes (in firewall floating rules).
      The IPs on WAN2 on pfSense are:
      L1 WAN2 192.168.1.4 | LAN 10.0.1.0/24
      L2 WAN2 192.168.2.4 | LAN 10.0.2.0/24
      L3 WAN2 192.168.3.4 | LAN 10.0.3.0/24
      What I am looking for is to have two IPsec tunnels to each location and a failover in case of a line error.

      So I created an IPsec transport connection between the three locations on the WAN with the fixed IP, created a GRE interface there and set up Quagga OSPF.
      This is up and running.

      Things I have done on L1:

      • created a NAT for UDP 500 and UDP 4500 on the NAT router to 192.168.x.4
      • then I created an IPsec tunnel from the inner IP to the remote inner IP, authenticated by certificates.
        For example, the tunnel from L1 to L2 is in Phase 2 from 192.168.1.4 to 192.168.2.4.
      • added a route for 192.168.2.4 to NAT-Router L1
      • added a route for xxx.xxx.xxx.4 (official IP on WAN NAT-Router L2) to NAT-Router L1
      • added a floating rule src 192.168.1.4, direction out, with gateway NAT-Router L1
      • created a GRE interface with 10.100.1.4 (local), 10.100.2.4 (remote), destination 192.168.2.4
      • created a firewall rule on IPsec: src 192.168.?.4, ICMP and UDP 500, 4500 allowed
      • created a firewall floating rule from 10.0.0.0/16 to 10.0.0.0/16

      Now the IPsec tunnel gets established sometimes; I can see UDP 500 and 4500 traffic on both sides, but a ping to 192.168.2.4 (from pfSense L1) does not get answered. Also on pfSense L2 I see only the Non-ESP UDP 4500 traffic, but no ICMP traffic and no answers.

      I am currently running 2.2.6.
      Also, I had a similar test setup before with pfSense 2.2.3 (or 2.2.4?) and different NAT routers. There the setup worked.
      Unfortunately I can't re-establish the test setup any more as the hardware is already in use :(

      What can I do to find the error?

      Best regards
      Thomas

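The poster sees only "Non-ESP" UDP 4500 traffic on L2. Whether a NAT-T flow is carrying data or only negotiating is visible in the UDP/4500 payload itself: per RFC 3948 a four-zero-byte non-ESP marker precedes an IKE message, a lone 0xFF byte is a NAT keepalive, and otherwise the first word is an ESP SPI, meaning tunnel data. The classifier below is an added example, not part of the thread or of pfSense; all sample payloads are constructed.

```python
import struct

# Added example (not from the thread). Classifies UDP/4500 payloads per RFC 3948
# framing so "Non-ESP" negotiation traffic can be told apart from real
# UDP-encapsulated ESP data. All sample payloads below are constructed.
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

def classify_nat_t_payload(payload: bytes) -> dict:
    """Return what a UDP/4500 payload carries: keepalive, IKE, or ESP."""
    if payload == b"\xff":                       # 1-byte NAT keepalive, no SA involved
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:
        return {"kind": "unknown", "reason": "too short"}
    first = struct.unpack("!I", payload[:4])[0]
    if first == 0:                               # non-ESP marker: an IKE header follows
        ike = payload[4:]
        if len(ike) < 28:                        # IKEv2 fixed header is 28 bytes
            return {"kind": "unknown", "reason": "truncated IKE header"}
        # iSPI(8) rSPI(8) next_payload(1) version(1) exchange(1) flags(1) msg_id(4) length(4)
        _ispi, rspi, _np, ver, exch, flags, msgid, _length = struct.unpack("!QQBBBBII", ike[:28])
        return {"kind": "ike", "version": ver >> 4,
                "exchange": IKEV2_EXCHANGES.get(exch, str(exch)),
                "response": bool(flags & 0x20),  # R flag: this is a reply
                "message_id": msgid, "rspi_zero": rspi == 0}
    # Non-zero first word is an ESP SPI: this packet is tunnel data, not negotiation.
    seq = struct.unpack("!I", payload[4:8])[0]
    return {"kind": "esp", "spi": first, "seq": seq}

def summarize(payloads) -> dict:
    """Count payload kinds over a capture and say whether any ESP data was carried."""
    kinds = {}
    for p in payloads:
        k = classify_nat_t_payload(p)["kind"]
        kinds[k] = kinds.get(k, 0) + 1
    verdict = "data-flowing" if kinds.get("esp") else "negotiation-only"
    return {"counts": kinds, "verdict": verdict}

def ike_msg(ispi, rspi, exch, flags, msgid):
    # Header-only IKEv2 message (next payload 33 = SA) behind the non-ESP marker; constructed.
    return b"\x00" * 4 + struct.pack("!QQBBBBII", ispi, rspi, 33, 0x20, exch, flags, msgid, 28)

# Constructed capture matching the symptom: only IKE and keepalives on UDP/4500, no ESP.
SAMPLE_NO_DATA = [
    ike_msg(0x1122334455667788, 0, 34, 0x08, 0),                   # IKE_SA_INIT request (I flag)
    ike_msg(0x1122334455667788, 0x99AABBCCDDEEFF00, 34, 0x20, 0),  # IKE_SA_INIT response (R flag)
    b"\xff",                                                       # NAT keepalive
]
# Same exchange followed by ESP data (SPI 0xC0FFEE01, seq 1): what a tunnel carrying traffic shows.
SAMPLE_WITH_DATA = SAMPLE_NO_DATA + [struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16]
```

Run over the UDP/4500 payloads of a real capture, a "negotiation-only" verdict means the peers are exchanging IKE over NAT-T but no child SA is ever passing packets, which is consistent with an established-SA counter of 0.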
      stegbth

        Hi,

        When I start a ping, I can see the traffic on both sides with tcpdump.
        But in Status/IPsec the counter for established SAs stays at 0.

        Best regards
        Thomas

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.