4. PFSense-to-PFsense IPSec tunnel on network other than LAN?

PFSense-to-PFsense IPSec tunnel on network other than LAN?

  • J

    I'm having a problem with a PFSense-to-PFSense IPSec tunnel that is not making sense to me.  I though I should ask here and see if its something I'm doing incorrectly.

    I have a PFSense 2.3.2 configured as follows:

    AMD A8-6600K (4-core), 8GB ram, 300GB HD.

    NIC1:  em0,em1, dual-port Intel pro/1000 card
    NIC2:  em2,em3, dual-port Intel pro/1000 card
    RE0:    internal Ethernet (used temporary as a backup network/back door into the system when I screw something up )

    lagg0:  em2,em3 in LACP mode to Dell 5324 Switch

    WAN:  em0.  Connects directly to cable modem

    VLAN's – DHCP/DNS on all VLANS
    2 = ADMIN - (192.168.222.0/24)
    10 = LAN - (192.168.10.0/24)
    11 = WORK - (192.168.11.0/24)
    12 = REMOTE - (192.168.12.0/24)
    14 = ESXI - (192.168.14.0/24)
    15 = GUEST - (192.168.15.0/24)
    20 = MEDIA - (192.168.20.0/24)
    25 = VOIP - (192.168.25.0/24)
    30 = DMZ - (192.168.30.0/24)
    35 = MISC - (192.168.35.0/24
    100 = SANDBOX - (192.168.100.0/24)

    For the time being, the firewall rules for each vlan pass all to all (the DMZ vlan is not currently in use)

    Dell 5324 Switch:

    vlans created on the switch
    Ports 23,24 configured as trunk with LACP and allow all vlans
    Ports 1-8 = vlan 10
    Other ports are configured for other vlans…

    My desktop computer in on port-1, vlan 10.

    IPSec: tunnel to a remote location - on PFSense 2.3.2
    The IPSec configuration between both systems is identical and when configured to go from LAN segment to LAN segment, it works as I would expect.  The problems come in when I want to go from the REMOTE LAN to a LOCAL network other than the LAN.

    The IPSec configuration:

    ====Phase 1 General====
    Key exchange: auto
    Internet protocol: IPv4
    Interface: WAN
    Remote Gateway: his_public_ip
    ==== Phase 1 Proposal (Auth) ====
    Authentication Method: Mutual PSK
    Negotation mode: Main
    My Identifier: My IP
    Peer Identifier: Peer IP
    Pre-Shared KEY: xxxxxxxxxxxx (not actually xxxxxxxxxx)
    ==== Phase 1 Proposal (Algo) ====
    Encryption Algo: 3DES
    Hash: SHA1
    DH Group: 2
    Lifetime: 28800
    ==== Advanced Options ====
    NAT Traversal: Auto
    Dead Peer Detection: Checked, Delay 10, Max failures 4

    IPSec Phase 2
    ==== Phase 2 General Information ====
    Mode: Tunnel IPv4
    Local Network: REMOTE_IPSEC
    NAT/BINAT: None
    Remote Network: Network, 192.168.1.0/24
    ==== Phase 2 Proposal (SA/KEY Exchange) ====
    Protocol: ESP
    Encryption Algorithms: 3DES (only 3DES is checked)
    Hash Algorithms: SHA1 (only SHA1 is checked)
    PFS Key Group: 2
    Lifetime: 3600

    I've been testing two different IPSec settings:

    TEST-1:
    My Local PFSense: IPSec:edit phase 2: Local Network = LAN network. (my LAN network)
    Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.10.0/24 (ip address of my local LAN/VLAN10)

    In this configuration, the traffic flows as I would expect.  From my desktop computer on vlan 10 (or any other vlan), I can ping/ssh to stuff on his LAN segment (192.168.1.0/24)

    TEST-2:
    Local PFSense: IPSec:edit phase 2: Local Network = REMOTE_IPSEC network (VLAN35)
    Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.35.0/24 (the ip address of my REMOTE_IPSEC network/VLAN35)

    In this configuration, the IPSec tunnels comes up (p1 &p2) but I am unable to ping anything on the remote LAN (192.168.1.0/24)

    From my PFSense box, if I ping to 192.168.1.1 (his firewall) I get a reply from 66.75.262.48 with TTL exceeded..

    How the heck does that happen!

    Does anyone have any thoughts or wtf's they would like to share?

    0
  • Netgate

    1 = ADMIN - (192.168.2.1/24)
    14 = ESXI - (192.168.2.14/24)
    25 = VOIP - (192.168.2.25/24)
    30 = DMZ - (192.168.2.30/24)

    What you say?

    0
  • J

    @Derelict:

    1 = ADMIN - (192.168.2.1/24)
    14 = ESXI - (192.168.2.14/24)
    25 = VOIP - (192.168.2.25/24)
    30 = DMZ - (192.168.2.30/24)

    What you say?

    LOL, no. thats a typo.. That would NOT work!  I've edited the orginal post to correct this.. the real address for those vlans is

    2 = ADMIN - (192.168.222.0/24)
    10 = LAN - (192.168.10.0/24)
    11 = WORK - (192.168.11.0/24)
    12 = REMOTE - (192.168.12.0/24)
    14 = ESXI - (192.168.14.0/24)
    25 = VOIP - (192.168.25.0/24)
    30 = DMZ - (192.168.30.0/24)

    In a nutshell.. If I have my remote pfsense box IPSEC configure to use my LAN subnet, 192.168.10.0/24, and my LOCAL pfsense set to have his traffic come in on my lan subnet, vlan 10, everything works just peachy..

    If I change the remote pfsense box to use a different subnet (say vlan 12 - 192.168.12.0/24 ), AND set my local pfsense box to have his traffic come in on vlan 12, it no workey..  Not one byte.

    Yes I have rules that for now allow ALL traffic to pass from the interfaces I've been testing with, namely VLAN 10, and vlan 12 on my end, and his ipsec & lan interface on the remote side

    I'd really like to figure this out!

    Thanks

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy