
    IPSec Tunnel using Proxy ARP Virtual IP

GlobalSIT

      Hi everyone,
      I'm a new user.

I have a problem with an IPSec tunnel between two pfSense firewalls. The scenario is as follows:

      Office A
      PFSense behind router with a single Public IP NATted 1:1 to PFSense WAN IP
      (eg. 95.95.95.1 -> 192.168.x.5)

      Office B
pfSense behind a router with 4 public static IPs NATted 1:1 to 4 private IPs, and a dynamic public IP (which here I define as "97.97.y.y") NATted 1:1 to the physical WAN IP address:
      (eg. 97.97.97.1 -> 10.10.x.1,
      97.97.97.2 -> 10.10.x.2,
      97.97.97.3 -> 10.10.x.3,
      97.97.97.4 -> 10.10.x.4
      97.97.y.y-> 10.10.x.5)

      PFS B has only 1 physical NIC used as WAN which was configured with 10.10.x.5.

      These 4 private IP addresses were configured on PFS B as Proxy ARP Virtual IP, so there are 4 public IP addresses pointing to a single PFS.

I want to configure an IPSec tunnel between 95.95.95.1 (A) and 97.97.97.4 (B), but once I finish configuring it, the tunnel doesn't work, no connection is established.
      If I open "IPSec Status" page, I see "10.10.x.5" in "Local IP" column, and this is the problem because it should be "10.10.x.4" instead.

      How can I configure PFSense so that the Local IP address is the Proxy ARP IP 10.10.x.4?

      Thanks in advance.

GlobalSIT

        Any idea?  :( :( :-[

jammcla

No services on pfSense can use Proxy ARP VIPs. You will need to convert it to an IP Alias.

          Once it has been converted to an IP Alias, on the IPSEC configuration Phase 1 switch the interface from WAN to the new IP Alias.

GlobalSIT

            Is it the same for OpenVPN?

            Now I'm trying to configure an OpenVPN Site-to-Site tunnel with the same Proxy ARP Virtual IP, but it doesn't work.

            Some time ago I configured an OpenVPN SSL/TLS tunnel using the same VIP and it works (I had to create a NAT rule that would translate VIP:1194 to 127.0.0.1:1194).

Derelict (LAYER 8, Netgate)

You cannot bind any services running on the firewall to a Proxy ARP VIP.

              https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

              You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

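An added example (not code from the thread or from pfSense itself) that checks a pfSense config.xml for the situation jammcla and Derelict describe: a Phase 1 entry bound to a VIP that no firewall service can listen on, and the fix of converting that VIP to an IP Alias. It assumes pfSense's config.xml layout (a `<virtualip><vip>` list with `<mode>`, `<uniqid>` and `<subnet>`, and IPsec `<phase1>` entries whose `<interface>` references a VIP as `_vip` + uniqid); the embedded sample config and its addresses are constructed from the thread's placeholders.

```python
import xml.etree.ElementTree as ET

# VIP modes a firewall service (IPsec, OpenVPN, ...) can bind to; Proxy ARP is absent.
BINDABLE_MODES = {"ipalias", "carp"}

# Constructed sample of the relevant parts of a pfSense config.xml, modelled on the
# thread: the 10.10.x.4 VIP is still Proxy ARP and Phase 1 with ikeid 2 is bound to
# it. Element names follow pfSense's config.xml layout (an assumption, not something
# the posts show); the addresses are placeholders taken from the thread.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface><uniqid>aaaa1111</uniqid>
         <type>single</type><subnet_bits>32</subnet_bits><subnet>10.10.1.4</subnet></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><uniqid>bbbb2222</uniqid>
         <type>single</type><subnet_bits>32</subnet_bits><subnet>10.10.1.3</subnet></vip>
  </virtualip>
  <ipsec>
    <phase1><ikeid>1</ikeid><interface>wan</interface>
            <remote-gateway>95.95.95.1</remote-gateway></phase1>
    <phase1><ikeid>2</ikeid><interface>_vipaaaa1111</interface>
            <remote-gateway>95.95.95.1</remote-gateway></phase1>
  </ipsec>
</pfsense>"""


def vip_table(root):
    """Map each VIP's interface key ("_vip" + uniqid) to its <vip> element."""
    return {"_vip" + v.findtext("uniqid"): v for v in root.findall("./virtualip/vip")}


def audit_ipsec(config_xml):
    """Return (ikeid, address, mode) for every Phase 1 bound to a VIP that no
    service can listen on; an empty list means every binding is usable."""
    root = ET.fromstring(config_xml)
    vips = vip_table(root)
    bad = []
    for p1 in root.findall("./ipsec/phase1"):
        vip = vips.get(p1.findtext("interface"))
        if vip is not None and vip.findtext("mode") not in BINDABLE_MODES:
            bad.append((p1.findtext("ikeid"), vip.findtext("subnet"), vip.findtext("mode")))
    return bad


def convert_to_ipalias(config_xml, address):
    """Apply the fix from the thread: turn the Proxy ARP VIP holding `address`
    into an IP Alias so Phase 1 (or OpenVPN) can bind to it. Returns new XML."""
    root = ET.fromstring(config_xml)
    for vip in root.findall("./virtualip/vip"):
        if vip.findtext("subnet") == address and vip.findtext("mode") == "proxyarp":
            vip.find("mode").text = "ipalias"
    return ET.tostring(root, encoding="unicode")
```

After conversion, the Phase 1 still has to be pointed at the IP Alias in the GUI (the `_vip` interface key is unchanged, so an entry already referencing it passes the audit once the mode is fixed).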