[Solved/Patch] pfSense (dest) -> FritzBox -> Internet <- FritzBox (src)



  • Hello out there,

    I have a little problem, which I think is solvable… But I don't get it. I'm trying to get my site-to-site IPsec working in both directions. The tunnel itself is established and working...

    Like the topic says, this is the network
    pfSense -> FritzBox -> Internet <- FritzBox

    pfSense 2.3.1 (behind AVM FritzBox with DynDNS)

    | FritzBox | 192.168.10.0/24 |
    | pfSense | 10.5.1.0/24 |

    FritzBox 7390 (v6.51)

    | FritzBox | 192.168.100.0/24 |

    FritzBox config

    
    vpncfg {
            vpncfg_version = 1;
            connections {
                    enabled = yes;
                    editable = yes;
                    conn_type = conntype_out;
                    name = "FANCY NAME";
                    boxuser_id = 0;
                    always_renew = no;
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;
                    local_virtualip = 0.0.0.0;
                    remoteip = 0.0.0.0;
                    remote_virtualip = 0.0.0.0;
                    remotehostname = "xxx"; // DynDNS hostname pfSense
                    keepalive_ip = 10.5.1.1; // Server behind pfSense
                    localid {
                            fqdn = "yyy"; // DynDNS hostname FritzBox 7390
                            // ipaddr = xxx.xxx.xxx.xxx; // tried public IP, but no change
                    }
                    remoteid {
                            fqdn = "xxx"; // DynDNS hostname pfSense
                            // ipaddr = xxx.xxx.xxx.xxx; // tried public IP, but no change
                    }
                    mode = phase1_mode_idp;
                    phase1ss = "all/all/all";
                    keytype = connkeytype_pre_shared;
                    key = "zzz"; // Super secret
                    cert_do_server_auth = no;
                    use_nat_t = yes;
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = 192.168.100.0; // FritzBox 7390
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = 10.5.1.0; // pfSense
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-all-all/ah-none/comp-all/no-pfs";
                    accesslist = "permit ip any 10.5.1.0 255.255.255.0";
                    app_id = 0;
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", 
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }
    
    // EOF
    
    

    pfSense Phase 1

    | Key exchange version | V1 |
    | Internet Protocol | IPv4 |
    | Interface | WAN |
    | Remote Gateway | yyy (DynDNS FritzBox 7390) |
    | Description | whatever |
    | Authentication Method | Mutual PSK |
    | Negotiation Mode | Main |
    | My identifier | Distinguished name -> xxx (DynDNS pfSense) |
    | Peer identifier | Distinguished name -> yyy(DynDNS FritzBox 7390) |
    | Pre-shared Key | zzz |
    | Encryption Algorithm | AES -> 256bits |
    | Hash Algorithm | SHA1 |
    | DH Group | 2 (1024) |
    | Lifetime (seconds) | 86400 |
    | Disable rekey | no |
    | Responder only | yes |
    | NAT Traversal | Force |
    | DPD | enable |
    | Delay | 60 |
    | Max failures | 5 |

    pfSense Phase 2

    | Mode | Tunnel IPv4 |
    | Local Network | LAN subnet |
    | NAT/BINAT Translation | none |
    | Remote Network | Network -> 192.168.100.0/24 |
    | Description | whatever |
    | Protocol | ESP |
    | Encryption Algorithm | AES -> 256bits |
    | Hash Algorithms | SHA1 |
    | PFS key group | off |
    | Lifetime | 3600 |
    | Automatically ping host | 192.168.100.254 |

    Firewall Rules allow IPsec from 192.168.100.0/24 to LAN subnet.

    If I use this I will always get

    
    15[IKE] <con2000|9407> peer requested virtual IP %any
    15[IKE] <con2000|9407> no virtual IP found for %any requested by 'yyy' <- DynDNS FritzBox 7390
    

    Now I have to add

    
    rightsourceip=192.168.100.10
    
    

    to ipsec.conf and reload ipsec

    Tunnel is up and I can ping from 192.168.100.0/24 to 10.5.1.0/24 (also DNS is resolvable)

    But I can't get a ping from 10.5.0.0/24 to 192.168.100.0/24

    So how do I get a fully working tunnel?

    Some extras
    If pfSense is trying to establish the tunnel, nothing happens, because the FritzBox 7390 does not seem to want to answer.
    Road warriors have been working fine for years.
    All needed ports are forwarded to the pfSense.

    P.S.: Lifetime and security are not that important atm. Will work on this if the tunnel is working in both directions…
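The charon lines quoted above are the symptom to watch for on the pfSense side: the FritzBox asks for a config-mode (virtual) address and strongSwan has no pool to hand out. As an added example that is not part of the post, this small Python script parses strongSwan IKE log lines and reports every IKE SA in which such a request failed, naming the connection and the requesting identity; the sample log is constructed, with the two failure lines taken from the post.

```python
import re

# Constructed sample of strongSwan (charon) log lines. The two middle lines
# mirror the failure quoted in the post; the surrounding lines are made up.
SAMPLE_LOG = """\
15[IKE] <con2000|9407> IKE_SA con2000[9407] established between 203.0.113.10[xxx]...203.0.113.20[yyy]
15[IKE] <con2000|9407> peer requested virtual IP %any
15[IKE] <con2000|9407> no virtual IP found for %any requested by 'yyy'
15[IKE] <con2000|9407> CHILD_SA con2000{3} established with SPIs c1a2b3c4_i d5e6f7a8_o
"""

# Generic charon line layout: "<thread>[<group>] <<conn>|<ikesa_id>> <message>"
# (the space after '>' is optional so lines copied from forum posts still parse)
LINE_RE = re.compile(
    r"^\s*(?P<thread>\d+)\[(?P<group>\w+)\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)$")
NO_VIP_RE = re.compile(
    r"no virtual IP found for (?P<req>\S+) requested by '(?P<peer>[^']+)'")


def parse_line(line):
    """Split one charon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    return rec


def find_virtual_ip_failures(log_text):
    """Return one dict per failed virtual-IP request, keyed by conn and IKE SA id.
    'request_seen' tells whether the preceding 'peer requested virtual IP' line
    was also present for that SA, which distinguishes a cfgmode request from a
    truncated log."""
    requested = set()
    failures = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["group"] != "IKE":
            continue
        key = (rec["conn"], rec["sa"])
        if rec["msg"].startswith("peer requested virtual IP"):
            requested.add(key)
        m = NO_VIP_RE.search(rec["msg"])
        if m:
            failures.append({"conn": rec["conn"], "ikesa": rec["sa"],
                             "peer": m.group("peer"), "requested": m.group("req"),
                             "request_seen": key in requested})
    return failures


if __name__ == "__main__":
    for f in find_virtual_ip_failures(SAMPLE_LOG):
        print(f"{f['conn']}[{f['ikesa']}]: peer {f['peer']!r} asked for virtual IP "
              f"{f['requested']} but no pool/rightsourceip is configured")
```

Feeding it /var/log/ipsec.log on pfSense shows which peers need a rightsourceip before the tunnel can come up, which is the same conclusion the post reaches by hand.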



  • little update… did some modifications

    /etc/inc/vpn.inc

    
    1042 				if (count($rightsourceips)) { 
    1043 					$rightsourceip = "\trightsourceip = " . implode(',', $rightsourceips) . "\n"; 
    1044 				} 
    1045 			}
    +
    + 			if (isset($ph1ent['avmvirtualip'])) {
    +				$rightsourceip = "\trightsourceip = {$ph1ent['avmvirtualip']}\n";
    +			}
    1046  
    1047 			if (!empty($ph1ent['caref'])) { 
    1048 				$ca = lookup_ca($ph1ent['caref']); 
    1049 				if ($ca) { 
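Review bot: the inserted block after line 1045 unconditionally overwrites the `$rightsourceip` string built from `$rightsourceips` just above it, so any mobile-client pool on the same phase 1 is silently discarded, and the config.xml value is interpolated into ipsec.conf without any check. Suggest guarding it with `is_ipaddr($ph1ent['avmvirtualip'])` before use and either appending the address to `$rightsourceips` or stating in a comment that the override is intended to win. The `+` lines also mix a leading space with tabs; match the surrounding tab indentation.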
    
    

    /conf/config.xml (somewhere in phase1)

    
    <avmvirtualip>123.123.123.123</avmvirtualip>
    
    

    (of course, "avmvirtualip" can be replaced with anything)

    I think this should be an input field in phase 1 of IPsec. Something like "Force virtual IP for remote"… If the devs agree, I could write a little patch to include it. Perhaps an advanced text input for more individual configs?
    For me, this just needs to work for the next 2 weeks. But it might be helpful to others?