PFSense-to-PFSense IPSec tunnel on network other than LAN?
-
I'm having a problem with a PFSense-to-PFSense IPSec tunnel that is not making sense to me. I thought I should ask here and see if it's something I'm doing incorrectly.
I have a PFSense 2.3.2 configured as follows:
AMD A8-6600K (4-core), 8GB ram, 300GB HD.
NIC1: em0,em1, dual-port Intel pro/1000 card
NIC2: em2,em3, dual-port Intel pro/1000 card
RE0: internal Ethernet (used temporarily as a backup network/back door into the system when I screw something up)
lagg0: em2,em3 in LACP mode to Dell 5324 Switch
WAN: em0. Connects directly to cable modem
VLANs – DHCP/DNS on all VLANs
2 = ADMIN - (192.168.222.0/24)
10 = LAN - (192.168.10.0/24)
11 = WORK - (192.168.11.0/24)
12 = REMOTE - (192.168.12.0/24)
14 = ESXI - (192.168.14.0/24)
15 = GUEST - (192.168.15.0/24)
20 = MEDIA - (192.168.20.0/24)
25 = VOIP - (192.168.25.0/24)
30 = DMZ - (192.168.30.0/24)
35 = MISC - (192.168.35.0/24)
100 = SANDBOX - (192.168.100.0/24)
For the time being, the firewall rules for each vlan pass all to all (the DMZ vlan is not currently in use)
Dell 5324 Switch:
vlans created on the switch
Ports 23,24 configured as trunk with LACP and allow all vlans
Ports 1-8 = vlan 10
Other ports are configured for other vlans…
My desktop computer is on port 1, vlan 10.
IPSec: tunnel to a remote location - on PFSense 2.3.2
The IPSec configuration between both systems is identical and when configured to go from LAN segment to LAN segment, it works as I would expect. The problems come in when I want to go from the REMOTE LAN to a LOCAL network other than the LAN.
The IPSec configuration:
====Phase 1 General====
Key exchange: auto
Internet protocol: IPv4
Interface: WAN
Remote Gateway: his_public_ip
==== Phase 1 Proposal (Auth) ====
Authentication Method: Mutual PSK
Negotiation mode: Main
My Identifier: My IP
Peer Identifier: Peer IP
Pre-Shared KEY: xxxxxxxxxxxx (not actually xxxxxxxxxx)
==== Phase 1 Proposal (Algo) ====
Encryption Algo: 3DES
Hash: SHA1
DH Group: 2
Lifetime: 28800
==== Advanced Options ====
NAT Traversal: Auto
Dead Peer Detection: Checked, Delay 10, Max failures 4
IPSec Phase 2
==== Phase 2 General Information ====
Mode: Tunnel IPv4
Local Network: REMOTE_IPSEC
NAT/BINAT: None
Remote Network: Network, 192.168.1.0/24
==== Phase 2 Proposal (SA/KEY Exchange) ====
Protocol: ESP
Encryption Algorithms: 3DES (only 3DES is checked)
Hash Algorithms: SHA1 (only SHA1 is checked)
PFS Key Group: 2
Lifetime: 3600
I've been testing two different IPSec settings:
TEST-1:
My Local PFSense: IPSec:edit phase 2: Local Network = LAN network. (my LAN network)
Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.10.0/24 (ip address of my local LAN/VLAN10)
In this configuration, the traffic flows as I would expect. From my desktop computer on vlan 10 (or any other vlan), I can ping/ssh to stuff on his LAN segment (192.168.1.0/24)
TEST-2:
Local PFSense: IPSec:edit phase 2: Local Network = REMOTE_IPSEC network (VLAN35)
Remote PFSense: IPSec:edit phase 2: Remote Network: Network, 192.168.35.0/24 (the ip address of my REMOTE_IPSEC network/VLAN35)
In this configuration, the IPSec tunnel comes up (p1 & p2) but I am unable to ping anything on the remote LAN (192.168.1.0/24)
From my PFSense box, if I ping 192.168.1.1 (his firewall) I get a reply from 66.75.262.48 with TTL exceeded.
How the heck does that happen!
Does anyone have any thoughts or wtf's they would like to share?
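As an added illustration (not from the thread, and not a diagnosis of this particular tunnel): a phase 2 entry in pfSense is a traffic selector, so a packet is only placed into the tunnel when its source is inside the Local Network and its destination inside the Remote Network; anything else follows the normal routing table. The script below replays the two test selectors from the post against a few constructed flows, including a ping sourced from the firewall itself with a placeholder WAN address (203.0.113.10, an assumption).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One pfSense phase 2 entry, i.e. one IPsec traffic selector."""
    name: str
    local_net: str
    remote_net: str


def selects(p2: Phase2, src: str, dst: str) -> bool:
    """True when src is in local_net AND dst is in remote_net."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ipaddress.ip_network(p2.local_net)
            and d in ipaddress.ip_network(p2.remote_net))


def route_decision(p2s, src: str, dst: str) -> str:
    """First matching selector wins; no match means plain routing."""
    for p2 in p2s:
        if selects(p2, src, dst):
            return f"ipsec:{p2.name}"
    return "cleartext via default route"


# Phase 2 selectors from TEST-1 and TEST-2 in the post (peer mirrors them).
TEST1 = Phase2("LAN-to-remote", "192.168.10.0/24", "192.168.1.0/24")
TEST2 = Phase2("REMOTE_IPSEC-to-remote", "192.168.35.0/24", "192.168.1.0/24")

# Constructed sample flows. 203.0.113.10 is a placeholder for the
# firewall's own WAN address (documentation range, not a real value).
FLOWS = [
    ("desktop on VLAN10", "192.168.10.50", "192.168.1.1"),
    ("host on VLAN35", "192.168.35.50", "192.168.1.1"),
    ("pfSense itself, WAN source", "203.0.113.10", "192.168.1.1"),
    ("pfSense itself, VLAN35 source", "192.168.35.1", "192.168.1.1"),
]


def evaluate(p2: Phase2) -> dict:
    """Map each labelled flow to where the selector would send it."""
    return {label: route_decision([p2], s, d) for label, s, d in FLOWS}


if __name__ == "__main__":
    for p2 in (TEST1, TEST2):
        print(p2.name)
        for label, decision in evaluate(p2).items():
            print(f"  {label:30} -> {decision}")
```

When testing from the firewall itself, the Diagnostics > Ping page lets you choose the source address, which decides whether the probe falls inside the selector at all.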
-
1 = ADMIN - (192.168.2.1/24)
14 = ESXI - (192.168.2.14/24)
25 = VOIP - (192.168.2.25/24)
30 = DMZ - (192.168.2.30/24)
What you say?
-
1 = ADMIN - (192.168.2.1/24)
14 = ESXI - (192.168.2.14/24)
25 = VOIP - (192.168.2.25/24)
30 = DMZ - (192.168.2.30/24)
What you say?
LOL, no. That's a typo. That would NOT work! I've edited the original post to correct this. The real addresses for those vlans are
2 = ADMIN - (192.168.222.0/24)
10 = LAN - (192.168.10.0/24)
11 = WORK - (192.168.11.0/24)
12 = REMOTE - (192.168.12.0/24)
14 = ESXI - (192.168.14.0/24)
25 = VOIP - (192.168.25.0/24)
30 = DMZ - (192.168.30.0/24)
In a nutshell: if I have my remote pfsense box IPSEC configured to use my LAN subnet, 192.168.10.0/24, and my LOCAL pfsense set to have his traffic come in on my lan subnet, vlan 10, everything works just peachy.
If I change the remote pfsense box to use a different subnet (say vlan 12 - 192.168.12.0/24), AND set my local pfsense box to have his traffic come in on vlan 12, it no workey. Not one byte.
Yes, I have rules that for now allow ALL traffic to pass from the interfaces I've been testing with, namely VLAN 10 and vlan 12 on my end, and his ipsec & lan interfaces on the remote side.
I'd really like to figure this out!
Thanks