IPSEC Site to Site VPN



  • Hello,

    I am having a problem setting up an IPSEC site to site VPN between PFSense devices. I have everything set up properly from what I know, but it won't connect and I can't find any logging on it.

    My setup is

    OFFICE 10.199.45.0/24 –>PFSense (behind firewall (Rogers Modem) with ports forwarded)---->WAN----->PFsense --->10.0.0.0/24 network

    It just sits in a connecting state.



  • Try to see what is going on with Diagnostics -> Packet Capture on the outgoing/incoming interface of the pfSense boxes on both ends.



  • This is in my logs

    ![Screen Shot 2018-03-07 at 12.17.50 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 12.17.50 PM.png)



  • Looks like udp packets on port 4500 do not go between firewalls.



  • Ok, so I allowed that; now I am getting this, and the configs are the same on both sides.

    My Network is as follows:

    SiteA
    WAN ->Public IP (NO NAT)
    LAN -> 10.199.45.0/24

    Site B
    WAN ->192.168.100.2 (Natted as External IP)
    LAN -> 10.0.0.0/24

    Can't figure out for the life of me what's going on.

    ![Screen Shot 2018-03-07 at 6.10.38 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 6.10.38 PM.png)


  • Netgate

    You are behind NAT. Your phase 1 isn't set up correctly. Is the IP address on the NAT side dynamic or static?

    If dynamic you will probably have to set up dynamic DNS and set the other side to connect to that hostname and expect the hostname as the identifier.

    The NAT side will have to explicitly set that host name as the identifier.

    (You could also set up an OpenVPN server on the non-NAT side and a client on the NAT side and you wouldn't have to worry about any of this.)
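    An added example, not from this thread: a small Python triage that runs over constructed strongSwan (charon) log lines of the kind pfSense shows under the IPsec log, and maps the symptoms discussed above (UDP 4500 not getting through, and a Phase 1 identifier that does not match once a peer is behind NAT) to the fixes the replies point at. The log lines, addresses and connection name are constructed, and the exact message wording is an assumption modelled on common charon output.

```python
import re

# Constructed sample charon log lines (illustrative, not the poster's real logs,
# which only exist as screenshots). Addresses are documentation ranges.
SAMPLE_LOG = """\
charon: 08[NET] sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
charon: 09[IKE] retransmit 1 of request with message ID 0
charon: 09[IKE] retransmit 2 of request with message ID 0
charon: 10[IKE] retransmit 3 of request with message ID 0
charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
charon: 11[IKE] remote host is behind NAT
charon: 11[CFG] looking for pre-shared key peer configs matching 203.0.113.10...198.51.100.20[192.168.100.2]
charon: 11[CFG] no matching peer config found
charon: 12[IKE] IKE_SA con1000[3] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
"""

# Each pattern maps a log symptom to the diagnosis the thread arrived at.
RULES = [
    (re.compile(r"retransmit \d+ of request"),
     "peer not answering: check that UDP 500 and 4500 are forwarded/allowed on both WANs"),
    (re.compile(r"remote host is behind NAT"),
     "NAT-T in use: the NAT side's IKE identity will not be its private WAN address"),
    (re.compile(r"no matching peer config found"),
     "Phase 1 identifier mismatch: NAT side must send its external IP or DDNS hostname as "
     "'My identifier', and the other side must expect exactly that as 'Peer identifier'"),
    (re.compile(r"IKE_SA .* established"),
     "Phase 1 up: if hosts still cannot reach each other, check Phase 2 traffic selectors "
     "and the IPsec-tab firewall rules, not static routes"),
]

def triage(log_text):
    """Return an ordered, de-duplicated list of diagnoses that match the log."""
    findings = []
    for line in log_text.splitlines():
        for pattern, advice in RULES:
            if pattern.search(line) and advice not in findings:
                findings.append(advice)
    return findings

def retransmit_count(log_text):
    """Count IKE retransmits; several in a row with no reply usually means a blocked port."""
    return sum(1 for line in log_text.splitlines()
               if "retransmit" in line and "of request" in line)

if __name__ == "__main__":
    print("retransmits:", retransmit_count(SAMPLE_LOG))
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```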



  • I got it to work, I needed to put the External IPs of each of them as their identifier….I can't seem to ping through though from the 10.199.45.0/24 network to the 10.0.0.0/24 network...I added a static route on the one side to no avail...my firewall rules allow all protocols from one side to the other in the IPSEC section


  • Netgate

    Static routes will do nothing for IPsec. It is all handled by the traffic selectors (defined in the Phase 2 entries).

    Try pinging the pfSense interface address on the other side. If that works but you can't ping the hosts on the remote side, check the firewalls and routing on those hosts.



  • Pinging the pfSense interface on the other side, which is 10.0.0.1 or 10.199.45.1, fails


  • Netgate

    Then your IPsec is not working. Check your rules.



  • Everything looks fine and the tunnel is established…see screenshots

    ![Screen Shot 2018-03-07 at 10.24.57 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 10.24.57 PM.png)
    ![Screen Shot 2018-03-07 at 10.25.14 PM.png](/public/imported_attachments/1/Screen Shot 2018-03-07 at 10.25.14 PM.png)


  • Netgate

    Those are the configuration screens. What does Status > IPsec look like?



  • It's ok, I figured it out…didn't have the correct rule on the IPSec rules for the firewall...all good now, thanks