IPSec Site to Site VPN behind NAT



Hi,

I recently upgraded from 2.1 to 2.4 (because of Hyper-V issues in the other releases), and found that two of the site-to-site VPNs didn't connect.

I had to use "My IP Address" as the identifier on the pfSense boxes behind NAT, while on the main site (no NAT) I used "IP address" for the peer identifier and manually typed the IP address of the WAN adapter of the boxes behind NAT. Then they connected again.

I suppose I could have used "distinguished name", but one of the remote sites had a Cisco router which wouldn't be able to use "distinguished name". And that site had a dynamic IP, also.

By the way, a description of what every option means would be nice. At first I thought that "distinguished name" was a DNS name, but it just seems to send the string as the ID to the peer.

An option for a DNS name would be great, as then you could use that when using Dynamic DNS.

Also, I supposed the option "Any" would just accept any ID from the peer (which would be great with NAT), but it didn't seem to work that way.

One last thing: the IPsec VPN log seemed very confusing. Racoon used to indicate the tunnel name in every line, but now I only see a mix of lines from every tunnel, with no indication of its name, and this makes it very hard to tell which tunnel corresponds to which line.

Regards.
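The workaround described in the post, expressed as a hand-written strongSwan `ipsec.conf` pair (pfSense 2.4 runs strongSwan; this is an added illustration, not the file pfSense generates). The addresses are constructed documentation values: 198.51.100.10 is the main site's public address, 203.0.113.5 is the NAT gateway in front of the remote pfSense, and 192.168.1.2 is that pfSense's private WAN address. The point is that the remote side's IKE identity is the private WAN address (what "My IP Address" sends), so the main site must expect exactly that value rather than the public NAT address, while NAT-T keeps the IKE/ESP traffic itself flowing through the NAT.

```ini
# --- remote pfSense behind NAT (WAN adapter 192.168.1.2, NAT public 203.0.113.5) ---
conn remote-to-main
    keyexchange=ikev1
    left=%defaultroute            # private WAN address 192.168.1.2
    leftid=192.168.1.2            # "My IP Address": ID is the WAN address, not the NAT public IP
    leftsubnet=10.20.0.0/24       # constructed remote LAN
    right=198.51.100.10           # main site public address
    rightid=198.51.100.10         # main site identifies itself by its real IP
    rightsubnet=10.10.0.0/24      # constructed main-site LAN
    authby=secret
    forceencaps=yes               # keep UDP encapsulation (NAT-T) even if detection is unsure
    auto=start

# --- main site (no NAT, WAN 198.51.100.10) ---
conn main-to-remote
    keyexchange=ikev1
    left=198.51.100.10
    leftid=198.51.100.10
    leftsubnet=10.10.0.0/24
    right=%any                    # peer may arrive from a dynamic/NAT public address
    rightid=192.168.1.2           # "IP address" typed manually: must equal the peer's *private* WAN IP
    rightsubnet=10.20.0.0/24
    authby=secret
    auto=add                      # main site waits for the NAT side to initiate
```

If `rightid` on the main site were set to the public NAT address 203.0.113.5, IKE phase 1 would fail on identity mismatch even though the packets arrive from that address, which is the symptom the post describes.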