IPSec Tunnel using Proxy ARP Virtual IP



  • Hi everyone,
    I'm a new user.

    I have a problem with an IPSec tunnel between 2 PFsense. The scenario is as follows:

    Office A
    PFSense behind router with a single Public IP NATted 1:1 to PFSense WAN IP
    (eg. 95.95.95.1 -> 192.168.x.5)

    Office B
    PFsense behind router with 4 Public static IPs NATted 1:1 to 4 private IPs and a dynamic public IP (which here I define as "97.97.y.y) NATted 1:1 to the physical WAN IP address:
    (eg. 97.97.97.1 -> 10.10.x.1,
    97.97.97.2 -> 10.10.x.2,
    97.97.97.3 -> 10.10.x.3,
    97.97.97.4 -> 10.10.x.4
    97.97.y.y-> 10.10.x.5)

    PFS B has only 1 physical NIC used as WAN which was configured with 10.10.x.5.

    These 4 private IP addresses were configured on PFS B as Proxy ARP Virtual IP, so there are 4 public IP addresses pointing to a single PFS.

    I want to configure IPSec tunnel between 95.95.95.1 (A) and 97.97.97.4 (B), but once I finish configuring it, tunnel doesn't work, no connection established.
    If I open "IPSec Status" page, I see "10.10.x.5" in "Local IP" column, and this is the problem because it should be "10.10.x.4" instead.

    How can I configure PFSense so that the Local IP address is the Proxy ARP IP 10.10.x.4?

    Thanks in advance.



  • Any idea?  :( :( :-[



  • No services on pfSense can use Proxy ARPs.  You will need to convert it to a IP Alias.

    Once it has been converted to an IP Alias, on the IPSEC configuration Phase 1 switch the interface from WAN to the new IP Alias.



  • Is it the same for OpenVPN?

    Now I'm trying to configure an OpenVPN Site-to-Site tunnel with the same Proxy ARP Virtual IP, but it doesn't work.

    Some time ago I configured an OpenVPN SSL/TLS tunnel using the same VIP and it works (I had to create a NAT rule that would translate VIP:1194 to 127.0.0.1:1194).


  • Netgate

    You cannot bind any services running on the firewall to a proxy arp vip.

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.