PFSense-to-PFsense IPSec tunnel on network other than LAN?



  • I'm having a problem with a PFSense-to-PFSense IPSec tunnel that is not making sense to me.  I thought I should ask here and see if it's something I'm doing incorrectly.

    I have a PFSense 2.3.2 configured as follows:

    AMD A8-6600K (4-core), 8GB ram, 300GB HD.

    NIC1:  em0,em1, dual-port Intel pro/1000 card
    NIC2:  em2,em3, dual-port Intel pro/1000 card
    RE0:    internal Ethernet (used temporarily as a backup network/back door into the system when I screw something up )

    lagg0:  em2,em3 in LACP mode to Dell 5324 Switch

    WAN:  em0.  Connects directly to cable modem

    VLANs – DHCP/DNS on all VLANs
    2 = ADMIN - (192.168.222.0/24)
    10 = LAN - (192.168.10.0/24)
    11 = WORK - (192.168.11.0/24)
    12 = REMOTE - (192.168.12.0/24)
    14 = ESXI - (192.168.14.0/24)
    15 = GUEST - (192.168.15.0/24)
    20 = MEDIA - (192.168.20.0/24)
    25 = VOIP - (192.168.25.0/24)
    30 = DMZ - (192.168.30.0/24)
    35 = MISC - (192.168.35.0/24)
    100 = SANDBOX - (192.168.100.0/24)

    For the time being, the firewall rules for each vlan pass all to all (the DMZ vlan is not currently in use)

    Dell 5324 Switch:

    vlans created on the switch
    Ports 23,24 configured as trunk with LACP and allow all vlans
    Ports 1-8 = vlan 10
    Other ports are configured for other vlans…

    My desktop computer is on port-1, vlan 10.

    IPSec: tunnel to a remote location - on PFSense 2.3.2
    The IPSec configuration between both systems is identical and when configured to go from LAN segment to LAN segment, it works as I would expect.  The problems come in when I want to go from the REMOTE LAN to a LOCAL network other than the LAN.

    The IPSec configuration:

    ====Phase 1 General====
    Key exchange: auto
    Internet protocol: IPv4
    Interface: WAN
    Remote Gateway: his_public_ip
    ==== Phase 1 Proposal (Auth) ====
    Authentication Method: Mutual PSK
    Negotiation mode: Main
    My Identifier: My IP
    Peer Identifier: Peer IP
    Pre-Shared KEY: xxxxxxxxxxxx (not actually xxxxxxxxxx)
    ==== Phase 1 Proposal (Algo) ====
    Encryption Algo: 3DES
    Hash: SHA1
    DH Group: 2
    Lifetime: 28800
    ==== Advanced Options ====
    NAT Traversal: Auto
    Dead Peer Detection: Checked, Delay 10, Max failures 4

    IPSec Phase 2
    ==== Phase 2 General Information ====
    Mode: Tunnel IPv4
    Local Network: REMOTE_IPSEC
    NAT/BINAT: None
    Remote Network: Network, 192.168.1.0/24
    ==== Phase 2 Proposal (SA/KEY Exchange) ====
    Protocol: ESP
    Encryption Algorithms: 3DES (only 3DES is checked)
    Hash Algorithms: SHA1 (only SHA1 is checked)
    PFS Key Group: 2
    Lifetime: 3600

    I've been testing two different IPSec settings:

    TEST-1:
    My Local PFSense: IPSec:edit phase 2: Local Network = LAN network. (my LAN network)
    Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.10.0/24 (ip address of my local LAN/VLAN10)

    In this configuration, the traffic flows as I would expect.  From my desktop computer on vlan 10 (or any other vlan), I can ping/ssh to stuff on his LAN segment (192.168.1.0/24)

    TEST-2:
    Local PFSense: IPSec:edit phase 2: Local Network = REMOTE_IPSEC network (VLAN35)
    Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.35.0/24 (the ip address of my REMOTE_IPSEC network/VLAN35)

    In this configuration, the IPSec tunnel comes up (p1 & p2) but I am unable to ping anything on the remote LAN (192.168.1.0/24)

    From my PFSense box, if I ping to 192.168.1.1 (his firewall) I get a reply from 66.75.262.48 with TTL exceeded..

    How the heck does that happen!

    Does anyone have any thoughts or wtf's they would like to share?
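A Phase 2 entry is a traffic selector: a packet is only encrypted into the tunnel when its source falls inside the Local Network and its destination inside the Remote Network; anything else is routed normally, which for a 192.168.1.x destination means the default route out the WAN in the clear. The added example below (not part of the original post) models that lookup for TEST-1 and TEST-2 from the post; the desktop address 192.168.10.50, the VLAN35 host 192.168.35.10 and the WAN address 203.0.113.5 are constructed, and it assumes a ping issued from the firewall itself with no explicit source address is sourced from the WAN address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 (tunnel-mode IPv4) entry: local/remote traffic selector."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")   # the peer's LAN from the post

# TEST-1: Local Network = LAN (VLAN10); TEST-2: Local Network = REMOTE_IPSEC (VLAN35)
TEST1 = [Phase2("TEST-1", ipaddress.ip_network("192.168.10.0/24"), REMOTE_LAN)]
TEST2 = [Phase2("TEST-2", ipaddress.ip_network("192.168.35.0/24"), REMOTE_LAN)]

# Local VLANs listed in the post (constructed mapping used only for the audit below)
LOCAL_VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),
    12: ipaddress.ip_network("192.168.12.0/24"),
    35: ipaddress.ip_network("192.168.35.0/24"),
}


def match_phase2(policies, src, dst):
    """Return the name of the first Phase 2 whose selector covers (src, dst), else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if src_ip in p.local and dst_ip in p.remote:
            return p.name
    return None


def classify(policies, src, dst):
    """Where a packet goes: into the named tunnel, or out the default route unencrypted."""
    name = match_phase2(policies, src, dst)
    return f"ipsec:{name}" if name else "cleartext-default-route"


def audit_vlans(policies, vlans=LOCAL_VLANS, dst_net=REMOTE_LAN):
    """Which local VLANs have a tunnel selector covering the whole VLAN to dst_net."""
    return sorted(
        vid for vid, net in vlans.items()
        if any(net.subnet_of(p.local) and dst_net.subnet_of(p.remote) for p in policies)
    )


if __name__ == "__main__":
    for pol in (TEST1, TEST2):
        print(pol[0].name, "desktop:", classify(pol, "192.168.10.50", "192.168.1.1"),
              "| firewall (WAN src):", classify(pol, "203.0.113.5", "192.168.1.1"),
              "| VLANs covered:", audit_vlans(pol))
```

The firewall's own ping in TEST-2 falls outside the selector for the same reason the VLAN10 desktop does, so pinging from the firewall only tests the tunnel when the source address is set to an address inside the Phase 2 Local Network.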


  • Netgate

    1 = ADMIN - (192.168.2.1/24)
    14 = ESXI - (192.168.2.14/24)
    25 = VOIP - (192.168.2.25/24)
    30 = DMZ - (192.168.2.30/24)

    What you say?



  • @Derelict:

    1 = ADMIN - (192.168.2.1/24)
    14 = ESXI - (192.168.2.14/24)
    25 = VOIP - (192.168.2.25/24)
    30 = DMZ - (192.168.2.30/24)

    What you say?

    LOL, no. That's a typo.. That would NOT work!  I've edited the original post to correct this.. the real address for those vlans is

    2 = ADMIN - (192.168.222.0/24)
    10 = LAN - (192.168.10.0/24)
    11 = WORK - (192.168.11.0/24)
    12 = REMOTE - (192.168.12.0/24)
    14 = ESXI - (192.168.14.0/24)
    25 = VOIP - (192.168.25.0/24)
    30 = DMZ - (192.168.30.0/24)

    In a nutshell.. If I have my remote pfsense box IPSEC configured to use my LAN subnet, 192.168.10.0/24, and my LOCAL pfsense set to have his traffic come in on my lan subnet, vlan 10, everything works just peachy..

    If I change the remote pfsense box to use a different subnet (say vlan 12 - 192.168.12.0/24 ), AND set my local pfsense box to have his traffic come in on vlan 12, it no workey..  Not one byte.

    Yes, I have rules that for now allow ALL traffic to pass from the interfaces I've been testing with, namely VLAN 10 and vlan 12 on my end, and his ipsec & lan interface on the remote side.

    I'd really like to figure this out!

    Thanks