IPSec Tunnel using Proxy ARP Virtual IP
I'm a new user.
I have a problem with an IPSec tunnel between 2 PFsense. The scenario is as follows:
PFSense behind router with a single Public IP NATted 1:1 to PFSense WAN IP
(eg. 220.127.116.11 -> 192.168.x.5)
PFsense behind router with 4 Public static IPs NATted 1:1 to 4 private IPs and a dynamic public IP (which here I define as "97.97.y.y") NATted 1:1 to the physical WAN IP address:
(eg. 18.104.22.168 -> 10.10.x.1,
22.214.171.124 -> 10.10.x.2,
126.96.36.199 -> 10.10.x.3,
188.8.131.52 -> 10.10.x.4)
PFS B has only 1 physical NIC used as WAN which was configured with 10.10.x.5.
These 4 private IP addresses were configured on PFS B as Proxy ARP Virtual IP, so there are 4 public IP addresses pointing to a single PFS.
I want to configure an IPSec tunnel between 184.108.40.206 (A) and 220.127.116.11 (B), but once I finish configuring it, the tunnel doesn't work and no connection is established.
If I open the "IPSec Status" page, I see "10.10.x.5" in the "Local IP" column, and this is the problem because it should be "10.10.x.4" instead.
How can I configure PFSense so that the Local IP address is the Proxy ARP IP 10.10.x.4?
Thanks in advance.
Any idea? :( :( :-[
jammcla last edited by
No services on pfSense can use Proxy ARPs. You will need to convert it to an IP Alias.
Once it has been converted to an IP Alias, on the IPSEC configuration Phase 1, switch the interface from WAN to the new IP Alias.
Is it the same for OpenVPN?
Now I'm trying to configure an OpenVPN Site-to-Site tunnel with the same Proxy ARP Virtual IP, but it doesn't work.
Some time ago I configured an OpenVPN SSL/TLS tunnel using the same VIP and it works (I had to create a NAT rule that would translate VIP:1194 to 127.0.0.1:1194).
You cannot bind any services running on the firewall to a proxy arp vip.
You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.