pfSense multi-WAN and IPSec tunnels



  • Hi forum

    I have a problem with pfSense version 1.2 on a PC Engines ALIX board.
    I'd like to replace a m0n0wall-based firewall with a pfSense-powered one because of the multi-WAN support.

    Now I've set up 3 IPSec-Tunnels over the WAN interface and another 3 over the second WAN interface (opt1).

    WAN: PPPoE, xDSL, public fixed IP, 3 IPSec Tunnels
    WAN2: Cable DSL, public fixed IP, 3 IPSec Tunnels
    LAN: 172.16.0.1/24

    The problem is that the 3 tunnels over the WAN port work perfectly and the other 3 on the WAN2 port don't.
    At all the other tunnel ends are m0n0wall-based firewalls.
    It seems that the first phase (SAD) is coming up, but I can't access the other side of the tunnel.
    The tunnels set up on the first WAN interface work without any problems.

    Isn't it possible to run IPSec-Tunnels on a second WAN port?

    Thanks for any help

    Psunix



  • Did you create a static route for your IPSEC tunnel?
    @http://forum.pfsense.org/index.php/topic:

    General Stuff:
    If you want to make use of WANx for a service on pfSense:
    @Hoba:

    You need a static route to the <remote-tunnel-endpoint-ip>/32 via <gateway-of-wan2>. All services running at the pfSense directly (like ipsec, a proxy, dnsforwarder,…) only follow the routing table definitions.
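    The quoted advice comes down to how the kernel picks a gateway for locally originated traffic: longest-prefix match over the routing table, with no regard for which interface the IPSec tunnel was configured on. The following added example (not from the thread or from pfSense) models that lookup with constructed, hypothetical addresses, and shows that racoon's traffic to the remote endpoint leaves via the default (WAN) gateway until a /32 route via the WAN2 gateway is present.

```python
import ipaddress

# Hypothetical addresses modelling the thread's setup (constructed for this example).
WAN_GW = "203.0.113.1"          # gateway of WAN (the PPPoE link, default route)
WAN2_GW = "198.51.100.1"        # gateway of WAN2 (the cable link)
REMOTE_ENDPOINT = "192.0.2.50"  # remote IPSec endpoint that should be reached via WAN2

# Constructed routing table: (destination network, next-hop gateway, egress label).
# The LAN prefix is the one given in the first post; the gateway is None because
# the network is directly connected.
BASE_ROUTES = [
    ("0.0.0.0/0", WAN_GW, "wan"),
    ("172.16.0.0/24", None, "lan"),
]


def lookup(routes, dst):
    """Return the (network, gateway, egress) entry with the longest matching prefix.

    This is the same selection rule the kernel applies to packets that pfSense
    itself originates, such as racoon's IKE exchanges.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, egress in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, egress)
    return best


def egress_interface(routes, dst):
    """Which link a locally generated packet to dst would leave on."""
    match = lookup(routes, dst)
    return match[2] if match else None


def with_static_route(routes, endpoint, gateway, egress="wan2"):
    """Add the /32 host route the thread recommends, leaving the input untouched."""
    return routes + [(f"{endpoint}/32", gateway, egress)]


if __name__ == "__main__":
    # Without the host route the IKE traffic follows the default route out of WAN.
    print("before:", egress_interface(BASE_ROUTES, REMOTE_ENDPOINT))       # wan
    fixed = with_static_route(BASE_ROUTES, REMOTE_ENDPOINT, WAN2_GW)
    # With the /32 route the more specific prefix wins and traffic leaves via WAN2.
    print("after: ", egress_interface(fixed, REMOTE_ENDPOINT))             # wan2
    print("gateway used:", lookup(fixed, REMOTE_ENDPOINT)[1])              # 198.51.100.1
```

The /32 prefix is what makes the route win: any wider prefix that also covered other hosts would risk steering unrelated traffic out of WAN2 as well, so a host route per remote endpoint is the minimal change.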



  • Wow, thanks for your fast answer.
    No, I didn't set up a static route.
    I'll test this and report back here.



  • Hi

    It worked.

    Thank you very much for your help.

    psunix



  • Hi,

    I've got the same problem with 1 IPSec on WAN and 1 IPSec on WAN2. The first works perfectly but the second doesn't. I use pfSense 1.2-release.
    Did you put any specific firewall rules (on LAN or WAN2) to do this?
    I put a static route: WAN2 - <remote gateway>/32 via <the gateway of my WAN2> but it doesn't work…  :-[
    I can't see anything in the IPSec log for the second tunnel on WAN2...

    Thanks
    Simon



  • I set the route up like this:
    IF=LAN, Network=remoteIPsecEndpoint/32, gateway=GatewayofWAN2



  • Yes I did that, but it still doesn't work…
    I can't see anything of my IPSecOnWan2 in the IPSec logs...
    Do you think the problem is in the firewall rules?

    Thank you for your response. :)

    Simon

    Here is my conf:
    IPSec Tunnel
    Interface : OPT1
    Remote GW : 80.x.x.x

    Firewall rules on LAN
    Lan net -> default GW

    Static routes
    OPT1 - 80.x.x.x/32 - OPT1 GW



  • Try using LAN as the interface for the static route.



  • @dotdash:

    Try using LAN as the interface for the static route.

    I did. Still doesn't work… :(

    Here is my racoon.conf file:

    $ cat /var/etc/racoon.conf
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    Shouldn't there be something here?



  • That's the entire file??
    The lines themselves look fine, but you should have the tunnel config following that.
    Something like:
    remote 1.2.3.4 {
            exchange_mode aggressive;
            my_identifier address "5.6.7.8";
            peers_identifier address 1.2.3.4;
            etc, etc….



  • @dotdash:

    That's the entire file??
    The lines themselves look fine, but you should have the tunnel config following that.
    Something like:
    remote 1.2.3.4 {
            exchange_mode aggressive;
            my_identifier address "5.6.7.8";
            peers_identifier address 1.2.3.4;
            etc, etc….

    Yes, that's the entire file…
    I don't know why, but if I choose the WAN interface for a tunnel, then I've got a correct racoon.conf file (with "remote 1.2.3.4 {" things) and my tunnels work fine.
    If I choose the OPT interface for my tunnel, nothing changes in the racoon.conf file... I can just see the remote address ("1.2.3.4") in the psk.txt file...

    Is there a log file that I could check?

    Thanks for help :)
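    The symptom described in this post, a peer that appears in psk.txt but has no "remote … {" block in racoon.conf, can be spotted mechanically instead of by eye. The following added example (not from the thread or from pfSense) parses both files and lists every PSK identifier that lacks a matching remote block; the two sample files are constructed with hypothetical addresses and keys, shaped like the fragments quoted above.

```python
import re

# Constructed sample racoon.conf: one complete remote block for the WAN tunnel.
# Addresses and the key below are hypothetical, not taken from the thread.
SAMPLE_RACOON_CONF = """\
path pre_shared_key "/var/etc/psk.txt";
path certificate  "/var/etc";

remote 192.0.2.10 {
        exchange_mode aggressive;
        my_identifier address "203.0.113.5";
        peers_identifier address 192.0.2.10;
}
"""

# Constructed sample psk.txt: racoon's format is "<identifier> <key>" per line.
# The second peer has a key but, as in the post, no remote block was generated.
SAMPLE_PSK_TXT = """\
192.0.2.10 examplekey-wan
192.0.2.50 examplekey-opt1
"""

# Matches the opening line of a racoon "remote <peer> {" block.
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.MULTILINE)


def remote_peers(racoon_conf):
    """Set of peer identifiers that have a remote block in racoon.conf."""
    return set(REMOTE_RE.findall(racoon_conf))


def psk_identifiers(psk_txt):
    """Set of identifiers listed in psk.txt, skipping blanks and comments."""
    ids = set()
    for line in psk_txt.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ids.add(line.split()[0])
    return ids


def missing_remote_blocks(racoon_conf, psk_txt):
    """Peers that have a pre-shared key but no tunnel definition in racoon.conf."""
    return sorted(psk_identifiers(psk_txt) - remote_peers(racoon_conf))


def check_files(racoon_path="/var/etc/racoon.conf", psk_path="/var/etc/psk.txt"):
    """Run the same comparison against the real files on a pfSense box."""
    with open(racoon_path) as f, open(psk_path) as g:
        return missing_remote_blocks(f.read(), g.read())


if __name__ == "__main__":
    for peer in missing_remote_blocks(SAMPLE_RACOON_CONF, SAMPLE_PSK_TXT):
        print(f"PSK present but no remote block for {peer}")   # 192.0.2.50
```

A peer reported by this check will never negotiate, because racoon has no phase 1 proposal for it; that matches the empty IPSec log the post describes. If the file paths on the box differ from the pfSense 1.2 defaults quoted earlier in the thread, pass them to check_files explicitly.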



  • I'm out of ideas at this point. Why don't you post the <ipsec> section of your config?



  • @dotdash:

    I'm out of ideas at this point. Why don't you post the <ipsec> section of your config?

    Because I have a lot of IPSec config, I'm sure about this part and I checked it 100 times…
    I'm trying to find out why the conf file doesn't update.

