Netgate Discussion Forum
    PFSense-to-PFsense IPSec tunnel on network other than LAN?

    jrsphoto:

      I'm having a problem with a PFSense-to-PFSense IPSec tunnel that is not making sense to me.  I thought I should ask here and see if it's something I'm doing incorrectly.

      I have a PFSense 2.3.2 configured as follows:

      AMD A8-6600K (4-core), 8GB ram, 300GB HD.

      NIC1:  em0,em1, dual-port Intel pro/1000 card
      NIC2:  em2,em3, dual-port Intel pro/1000 card
      RE0:    internal Ethernet (used temporarily as a backup network/back door into the system when I screw something up)

      lagg0:  em2,em3 in LACP mode to Dell 5324 Switch

      WAN:  em0.  Connects directly to cable modem

      VLANs – DHCP/DNS on all VLANs
      2 = ADMIN - (192.168.222.0/24)
      10 = LAN - (192.168.10.0/24)
      11 = WORK - (192.168.11.0/24)
      12 = REMOTE - (192.168.12.0/24)
      14 = ESXI - (192.168.14.0/24)
      15 = GUEST - (192.168.15.0/24)
      20 = MEDIA - (192.168.20.0/24)
      25 = VOIP - (192.168.25.0/24)
      30 = DMZ - (192.168.30.0/24)
      35 = MISC - (192.168.35.0/24)
      100 = SANDBOX - (192.168.100.0/24)

      For the time being, the firewall rules for each vlan pass all to all (the DMZ vlan is not currently in use)

      Dell 5324 Switch:

      vlans created on the switch
      Ports 23,24 configured as trunk with LACP and allow all vlans
      Ports 1-8 = vlan 10
      Other ports are configured for other vlans…

      My desktop computer is on port-1, vlan 10.

      IPSec: tunnel to a remote location - on PFSense 2.3.2
      The IPSec configuration between both systems is identical and when configured to go from LAN segment to LAN segment, it works as I would expect.  The problems come in when I want to go from the REMOTE LAN to a LOCAL network other than the LAN.

      The IPSec configuration:

      ====Phase 1 General====
      Key exchange: auto
      Internet protocol: IPv4
      Interface: WAN
      Remote Gateway: his_public_ip
      ==== Phase 1 Proposal (Auth) ====
      Authentication Method: Mutual PSK
      Negotiation mode: Main
      My Identifier: My IP
      Peer Identifier: Peer IP
      Pre-Shared KEY: xxxxxxxxxxxx (not actually xxxxxxxxxx)
      ==== Phase 1 Proposal (Algo) ====
      Encryption Algo: 3DES
      Hash: SHA1
      DH Group: 2
      Lifetime: 28800
      ==== Advanced Options ====
      NAT Traversal: Auto
      Dead Peer Detection: Checked, Delay 10, Max failures 4

      IPSec Phase 2
      ==== Phase 2 General Information ====
      Mode: Tunnel IPv4
      Local Network: REMOTE_IPSEC
      NAT/BINAT: None
      Remote Network: Network, 192.168.1.0/24
      ==== Phase 2 Proposal (SA/KEY Exchange) ====
      Protocol: ESP
      Encryption Algorithms: 3DES (only 3DES is checked)
      Hash Algorithms: SHA1 (only SHA1 is checked)
      PFS Key Group: 2
      Lifetime: 3600

      I've been testing two different IPSec settings:

      TEST-1:
      My Local PFSense: IPSec:edit phase 2: Local Network = LAN network. (my LAN network)
      Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.10.0/24 (ip address of my local LAN/VLAN10)

      In this configuration, the traffic flows as I would expect.  From my desktop computer on vlan 10 (or any other vlan), I can ping/ssh to stuff on his LAN segment (192.168.1.0/24)

      TEST-2:
      Local PFSense: IPSec:edit phase 2: Local Network = REMOTE_IPSEC network (VLAN35)
      Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.35.0/24 (the ip address of my REMOTE_IPSEC network/VLAN35)

      In this configuration, the IPSec tunnel comes up (P1 & P2) but I am unable to ping anything on the remote LAN (192.168.1.0/24).

      From my PFSense box, if I ping 192.168.1.1 (his firewall) I get a reply from 66.75.262.48 with TTL exceeded.

      How the heck does that happen!

      Does anyone have any thoughts or wtf's they would like to share?

      Derelict (Netgate):

        1 = ADMIN - (192.168.2.1/24)
        14 = ESXI - (192.168.2.14/24)
        25 = VOIP - (192.168.2.25/24)
        30 = DMZ - (192.168.2.30/24)

        What you say?

        jrsphoto:

          @Derelict:

          1 = ADMIN - (192.168.2.1/24)
          14 = ESXI - (192.168.2.14/24)
          25 = VOIP - (192.168.2.25/24)
          30 = DMZ - (192.168.2.30/24)

          What you say?

          LOL, no. That's a typo. That would NOT work!  I've edited the original post to correct this. The real addresses for those VLANs are:

          2 = ADMIN - (192.168.222.0/24)
          10 = LAN - (192.168.10.0/24)
          11 = WORK - (192.168.11.0/24)
          12 = REMOTE - (192.168.12.0/24)
          14 = ESXI - (192.168.14.0/24)
          25 = VOIP - (192.168.25.0/24)
          30 = DMZ - (192.168.30.0/24)

          In a nutshell: if I have my remote pfSense box IPSec configured to use my LAN subnet, 192.168.10.0/24, and my LOCAL pfSense set to have his traffic come in on my LAN subnet, vlan 10, everything works just peachy.

          If I change the remote pfSense box to use a different subnet (say vlan 12 - 192.168.12.0/24), AND set my local pfSense box to have his traffic come in on vlan 12, it no workey.  Not one byte.

          Yes I have rules that for now allow ALL traffic to pass from the interfaces I've been testing with, namely VLAN 10, and vlan 12 on my end, and his ipsec & lan interface on the remote side

          I'd really like to figure this out!

          Thanks

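The two tests above (and the TEST-1/TEST-2 Phase 2 settings in the first post) come down to which source addresses a policy-based IPsec Phase 2 entry actually covers. The following is an added example, not code from the thread or from pfSense: it models the Phase 2 "Local Network"/"Remote Network" pair as a traffic selector and reports, for constructed sample hosts, whether a packet to the remote LAN is carried by the tunnel or handed to ordinary routing. The host addresses and the firewall's WAN address are placeholders.

```python
"""Model of which traffic a policy-based IPsec Phase 2 entry will carry.

Constructed example. In a policy-based tunnel (the model pfSense/strongSwan
uses) a packet is only encrypted when its SOURCE is inside the local selector
AND its DESTINATION is inside the remote selector. Any other packet is handled
by the normal routing table, which for a private destination with no specific
route means the default route out of WAN.
"""
import ipaddress
from typing import List, Optional, Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def build_spd(pairs: List[Tuple[str, str]]) -> List[Selector]:
    """Build (local, remote) selectors from CIDR strings, like Phase 2 entries."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pairs]


def classify(spd: List[Selector], src: str, dst: str) -> str:
    """'ipsec:<local>-><remote>' for the first matching selector, else 'routed'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return f"ipsec:{local}->{remote}"
    return "routed"


def hosts_reaching_remote(spd: List[Selector], candidates: List[str], dst: str) -> List[str]:
    """Subset of candidate source hosts whose traffic to dst enters the tunnel."""
    return [h for h in candidates if classify(spd, h, dst) != "routed"]


# TEST-1 and TEST-2 as described in the thread (local side; remote LAN 192.168.1.0/24).
TEST1 = build_spd([("192.168.10.0/24", "192.168.1.0/24")])  # Local Network = LAN (VLAN 10)
TEST2 = build_spd([("192.168.35.0/24", "192.168.1.0/24")])  # Local Network = REMOTE_IPSEC (VLAN 35)

# Constructed sample sources. A ping issued from the firewall itself is sourced from
# the interface its route uses (assumption: WAN, since no selector covers it) unless a
# source address inside the local selector is chosen explicitly.
DESKTOP_VLAN10 = "192.168.10.50"
HOST_VLAN35 = "192.168.35.50"
FIREWALL_WAN = "203.0.113.10"  # documentation-range placeholder, not the poster's address
REMOTE_GW = "192.168.1.1"

if __name__ == "__main__":
    for name, spd in (("TEST-1", TEST1), ("TEST-2", TEST2)):
        for src in (DESKTOP_VLAN10, HOST_VLAN35, FIREWALL_WAN):
            print(name, src, "->", REMOTE_GW, classify(spd, src, REMOTE_GW))
```

Running it shows the VLAN 10 desktop matching only under TEST-1, and under TEST-2 only a host on 192.168.35.0/24 entering the tunnel; everything else to 192.168.1.1 falls through to normal routing.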