Going crazy - any expert help appreciated



    Hi all,

    First time trying to use pfSense as an IPsec tunnel, without success, and after several attempts I'm here to beg for expert help.

    I need to allow my LAN PCs to connect to the Side A server using the static IP range assigned from Side A.

    Here is the scenario:

    IPsec IKEv1 - Pre-Shared Key

    Side A public IP Address: aaa:aaa:aaa:aaa (our customer, cannot do anything this side)
    Side A private Subnets: 192.168.0.0/16 - 10.0.0.0/8 - 172.16.0.0/12

    Side B public IP Address: bbb:bbb:bbb:bbb (my side)
    Side B current private subnet: 192.168.1.0/24

    Assigned subnet from our customer allowed to authenticate and use the Side A VPN: 10.11.222.74/20.
    Side A DNS: 192.168.0.11 - 192.168.0.12
    Side A WINS: 192.168.0.11 - 192.168.0.12
    Pre-Shared Key: yes

    Here is what I have done:

    CONFIGURATION 1:

    Fiber Router:
    IP: 10.11.222.75
    Nat: Enabled
    DMZ Server: pfSense Ip
    DHCP: disabled
    Port Forwarding: 4500, 500, 1700 to pfSense server

    pfSense:
    WAN IP: 10.11.222.76
    LAN IP: 192.168.1.1
    Nat: Enabled
    DHCP: Enabled

    Client Windows:
    IP: DHCP 192.168.1.0/24 - GW: 192.168.1.1 - DNS 192.168.1.1

    IPsec Phase 1
    Internet Protocol: IPv4
    Interface: WAN
    Remote Gateway: aaa:aaa:aaa:aaa
    My Identifier: my IP
    Peer Identifier: peer ip
    Authentication method = Mutual PSK
    Pre-Shared Key: blablabla
    NAT Traversal: NO
    Other necessary settings

    3 x IPsec Phase 2
    Mode: Tunnel IPv4
    Local Network: LAN subnet
    Remote Network: 10.0.0.0/8 (1st Phase 2 entry) - 192.168.0.0/16 (2nd Phase 2 entry) - 172.16.0.0/12 (3rd Phase 2 entry)
    Description: A description for this Phase 2 entry. Shows up in the IPsec status for reference.
    Other necessary settings

    Results for CONFIGURATION 1:
    Connection: Established
    Ping Side A DNS or other server: YES
    Problems: this configuration allows only the pfSense machine to access the VPN, because it is the only one that has the right IP (10.11.222.66) allowed to access Side A. Windows clients get an IP from pfSense DHCP (192.168.1.0/24 - GW: 192.168.1.1 - DNS 192.168.1.1) and not one from the authorized pool (10.11.222.64/20).

    CONFIGURATION 2:

    Fiber Router:
    IP: 192.168.1.1
    Nat: Enabled
    DMZ Server: pfSense Ip
    DHCP: disabled
    Port Forwarding: 4500, 500, 1700 to pfSense server

    pfSense:
    WAN IP: 192.168.1.254
    LAN IP: 10.11.222.76
    Nat: Enabled
    DHCP: Enabled

    Client Windows:
    IP: DHCP 10.11.222.64/20 - GW: 10.11.222.66 - DNS 10.11.222.66

    IPsec Phase 1
    Internet Protocol: IPv4
    Interface: LAN
    Remote Gateway: aaa:aaa:aaa:aaa
    My Identifier: my IP
    Peer Identifier: peer ip
    Authentication method = Mutual PSK
    Pre-Shared Key: blablabla
    NAT Traversal: NO
    Other necessary settings

    3 x IPsec Phase 2
    Mode: Tunnel IPv4
    Local Network: WAN subnet (because they only authenticate IPs from 10.11.22.74/20)
    Remote Network: 10.0.0.0/8 (1st Phase 2 entry) - 192.168.0.0/16 (2nd Phase 2 entry) - 172.16.0.0/12 (3rd Phase 2 entry)
    Other necessary settings

    Results for CONFIGURATION 2:
    Connection: NO
    Ping Side A DNS or other server: No
    Problems: Connection won't come up. Don't know if this is the right solution to allow my PCs to connect to the Side A VPN, losing my current IP pool and using the one Side A has assigned me (10.11.222.64/20).

    What I have to do:
    In short, establish a tunnel between me and Side A and give my clients an IP from the available pool that Side A has assigned me. I also need to use their DNS once connected to resolve their internal server names.

    I'm very confused and help from a more experienced hand would be very welcome.

    Thanks all.
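Before touching Phase 2 entries, it helps to check on paper whether the address ranges on both sides can coexist as IPsec traffic selectors. The script below is an added example, not part of the post above and not pfSense code; it uses only Python's standard `ipaddress` module and the subnets quoted in the post (treated here as constructed sample data). It normalises the assigned `10.11.222.74/20` to the network it actually denotes, lists which Side A remote networks collide with the Side B LAN used as the local network in CONFIGURATION 1, and reports which remote network fully contains the assigned pool. A local selector that lies inside a remote selector is a well-known reason that traffic does not route over a route-based or policy-based tunnel, so this is the first thing to verify with the peer.

```python
import ipaddress
from typing import Dict, List

# Sample data copied from the post (constructed example values, not a live config).
SIDE_A_REMOTE = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
SIDE_B_LAN = "192.168.1.0/24"           # local network in CONFIGURATION 1
ASSIGNED_BY_SIDE_A = "10.11.222.74/20"  # range Side A says it will accept


def network_of(cidr: str) -> ipaddress.IPv4Network:
    """Clear the host bits so '10.11.222.74/20' becomes the network 10.11.208.0/20."""
    return ipaddress.ip_network(cidr, strict=False)


def overlapping_remotes(local: str, remotes: List[str]) -> List[str]:
    """Remote Phase 2 networks whose address space collides with the local network."""
    loc = network_of(local)
    return [r for r in remotes if loc.overlaps(network_of(r))]


def pool_contained_in(pool: str, remotes: List[str]) -> List[str]:
    """Remote Phase 2 networks that entirely contain the pool assigned by the peer."""
    p = network_of(pool)
    return [r for r in remotes if p.subnet_of(network_of(r))]


def analyze(local: str, pool: str, remotes: List[str]) -> Dict[str, object]:
    """Summarise the selector-planning checks for one local network and one assigned pool."""
    pool_net = network_of(pool)
    return {
        "local_network": str(network_of(local)),
        "pool_network": str(pool_net),
        # network and broadcast addresses are not assignable to clients
        "pool_usable_hosts": pool_net.num_addresses - 2,
        "local_collides_with": overlapping_remotes(local, remotes),
        "pool_contained_in": pool_contained_in(pool, remotes),
    }


if __name__ == "__main__":
    report = analyze(SIDE_B_LAN, ASSIGNED_BY_SIDE_A, SIDE_A_REMOTE)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

Run stand-alone it prints that the local `192.168.1.0/24` collides with Side A's `192.168.0.0/16`, and that the assigned pool is really `10.11.208.0/20` (4094 usable hosts) sitting inside Side A's `10.0.0.0/8`. Those two facts are worth confirming with the customer before any further Phase 2 experiments, because whichever local network ends up in the selector, it must not be a subset of a remote selector on the same tunnel.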