IPSec Tunnel using Proxy ARP Virtual IP
-
Hi everyone,
I'm a new user.I have a problem with an IPSec tunnel between 2 PFsense. The scenario is as follows:
Office A
PFSense behind router with a single Public IP NATted 1:1 to PFSense WAN IP
(eg. 95.95.95.1 -> 192.168.x.5)Office B
PFsense behind router with 4 Public static IPs NATted 1:1 to 4 private IPs and a dynamic public IP (which here I define as "97.97.y.y) NATted 1:1 to the physical WAN IP address:
(eg. 97.97.97.1 -> 10.10.x.1,
97.97.97.2 -> 10.10.x.2,
97.97.97.3 -> 10.10.x.3,
97.97.97.4 -> 10.10.x.4
97.97.y.y-> 10.10.x.5)PFS B has only 1 physical NIC used as WAN which was configured with 10.10.x.5.
These 4 private IP addresses were configured on PFS B as Proxy ARP Virtual IP, so there are 4 public IP addresses pointing to a single PFS.
I want to configure IPSec tunnel between 95.95.95.1 (A) and 97.97.97.4 (B), but once I finish configuring it, tunnel doesn't work, no connection established.
If I open "IPSec Status" page, I see "10.10.x.5" in "Local IP" column, and this is the problem because it should be "10.10.x.4" instead.How can I configure PFSense so that the Local IP address is the Proxy ARP IP 10.10.x.4?
Thanks in advance.
-
Any idea? :( :( :-[
-
No services on pfSense can use Proxy ARPs. You will need to convert it to a IP Alias.
Once it has been converted to an IP Alias, on the IPSEC configuration Phase 1 switch the interface from WAN to the new IP Alias.
-
Is it the same for OpenVPN?
Now I'm trying to configure an OpenVPN Site-to-Site tunnel with the same Proxy ARP Virtual IP, but it doesn't work.
Some time ago I configured an OpenVPN SSL/TLS tunnel using the same VIP and it works (I had to create a NAT rule that would translate VIP:1194 to 127.0.0.1:1194).
-
You cannot bind any services running on the firewall to a proxy arp vip.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You can probably tell OpenVPN to listen on localhost and port forward to it like you described. Not sure about IPsec.
