Going crazy - any expert help appreciated
Hi all,
first time trying to use pfSense as an IPsec tunnel, without success, and after several attempts I'm here to beg for some expert help.
I need to allow my LAN PCs to connect to the Side A server using the static IP range assigned from Side A.
Here is the scenario:
IPsec IKEv1 - Pre-Shared Key
Side A public IP address: aaa:aaa:aaa:aaa (our customer, cannot do anything on this side)
Side A private subnets: 192.168.0.0/16 - 10.0.0.0/8 - 172.16.0.0/12
Side B public IP address: bbb:bbb:bbb:bbb (my side)
Side B current private subnet: 192.168.1.0/24
Assigned subnet from our customer, allowed to authenticate and use the Side A VPN: 10.11.222.74/20.
Side A DNS: 192.168.0.11 - 192.168.0.12
Side A WINS: 192.168.0.11 - 192.168.0.12
Pre-Shared Key: yes
Here is what I have done:
CONFIGURATION 1:
Fiber Router:
IP: 10.11.222.75
NAT: Enabled
DMZ Server: pfSense IP
DHCP: disabled
Port Forwarding: 4500, 500, 1700 to pfSense server
pfSense:
WAN IP: 10.11.222.76
LAN IP: 192.168.1.1
NAT: Enabled
DHCP: Enabled
Client Windows:
IP: DHCP 192.168.1.0/24 - GW: 192.168.1.1 - DNS: 192.168.1.1
IPsec Phase 1
Internet Protocol: IPv4
Interface: WAN
Remote Gateway: aaa:aaa:aaa:aaa
My Identifier: my IP
Peer Identifier: peer IP
Authentication method: Mutual PSK
Pre-Shared Key: blablabla
NAT Traversal: No
Other necessary settings
3 x IPsec Phase 2
Mode: Tunnel IPv4
Local Network: LAN subnet
Remote Network: 10.0.0.0/8 (1st Phase 2 entry) - 192.168.0.0/16 (2nd Phase 2 entry) - 172.16.0.0/12 (3rd Phase 2 entry)
Description: A description for this Phase 2 entry. Shows up in the IPsec status for reference.
Other necessary settings
Results for CONFIGURATION 1:
Connection: Established
Ping Side A DNS or other server: Yes
Problems: this configuration allows only the pfSense machine to access the VPN, because it is the only one that has the right IP (10.11.222.66) allowed to access Side A. The Windows clients get an IP from the pfSense DHCP (192.168.1.0/24 - GW: 192.168.1.1 - DNS: 192.168.1.1) and not one from the authorized pool (10.11.222.64/20).
CONFIGURATION 2:
Fiber Router:
IP: 192.168.1.1
NAT: Enabled
DMZ Server: pfSense IP
DHCP: disabled
Port Forwarding: 4500, 500, 1700 to pfSense server
pfSense:
WAN IP: 192.168.1.254
LAN IP: 10.11.222.76
NAT: Enabled
DHCP: Enabled
Client Windows:
IP: DHCP 10.11.222.64/20 - GW: 10.11.222.66 - DNS: 10.11.222.66
IPsec Phase 1
Internet Protocol: IPv4
Interface: LAN
Remote Gateway: aaa:aaa:aaa:aaa
My Identifier: my IP
Peer Identifier: peer IP
Authentication method: Mutual PSK
Pre-Shared Key: blablabla
NAT Traversal: No
Other necessary settings
3 x IPsec Phase 2
Mode: Tunnel IPv4
Local Network: WAN subnet (because they only authenticate IPs from 10.11.22.74/20)
Remote Network: 10.0.0.0/8 (1st Phase 2 entry) - 192.168.0.0/16 (2nd Phase 2 entry) - 172.16.0.0/12 (3rd Phase 2 entry)
Other necessary settings
Results for CONFIGURATION 2:
Connection: No
Ping Side A DNS or other server: No
Problems: The connection won't come up. I don't know if this is the right solution to allow my PCs to connect to the Side A VPN, losing my current IP pool and using the one Side A has assigned me (10.11.222.64/20).
What I have to do:
In short, establish a tunnel between me and Side A and give my clients an IP from the available pool that Side A has assigned me. I also need to use their DNS once connected to resolve their internal server names.
I'm very confused, and help from a more experienced hand would be very welcome.
Thanks all.
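Added example, not part of the post above or of pfSense: before touching the Phase 2 entries, it is worth checking on paper what the selectors quoted in the post actually cover. The script below uses only the Python standard library `ipaddress` module to normalize the customer-assigned pool (the post writes it as a host/prefix, 10.11.222.64/20), to test whether a given client address falls inside that pool, and to list which of the three Side A remote networks overlap a candidate local selector. The subnets are the ones quoted in the post; the `CONFIG_*` names and the `report()` helper are this example's own.

```python
"""Selector sanity checks for the IPsec setup described in the post.

Added example using the Python standard library only; the subnets below
are the ones quoted in the post, the function and variable names are ours.
"""
import ipaddress

# Side A private networks, one Phase 2 entry each (from the post).
SIDE_A_REMOTES = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]

# Pool the customer says it will authenticate, as written in the post.
ASSIGNED_POOL = "10.11.222.64/20"

# Candidate local selectors from the two configurations in the post.
CONFIG_1_LOCAL = "192.168.1.0/24"   # Configuration 1: LAN subnet
CONFIG_2_LOCAL = ASSIGNED_POOL      # Configuration 2: the assigned pool


def normalize_pool(pool):
    """Return (network, usable hosts) for a pool written as host/prefix.

    strict=False lets ipaddress accept host bits being set, so
    10.11.222.64/20 becomes its real network 10.11.208.0/20.
    """
    net = ipaddress.ip_network(pool, strict=False)
    return str(net), net.num_addresses - 2


def in_pool(addr, pool):
    """True if addr is inside the (normalized) pool."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pool, strict=False)


def phase2_overlaps(local, remotes):
    """Return the remote selectors that overlap the local selector.

    An overlapping pair means the same prefix is claimed on both ends of
    the tunnel, which is the first thing to rule out when a Phase 2 entry
    routes traffic somewhere unexpected or not at all.
    """
    local_net = ipaddress.ip_network(local, strict=False)
    return [r for r in remotes
            if ipaddress.ip_network(r, strict=False).overlaps(local_net)]


def report(local, remotes=SIDE_A_REMOTES, pool=ASSIGNED_POOL):
    """Summarize one configuration as a plain dict (easy to print or assert on)."""
    pool_net, hosts = normalize_pool(pool)
    return {
        "local_selector": str(ipaddress.ip_network(local, strict=False)),
        "assigned_pool": pool_net,
        "usable_hosts_in_pool": hosts,
        "local_inside_pool": ipaddress.ip_network(local, strict=False).subnet_of(
            ipaddress.ip_network(pool, strict=False)),
        "overlapping_remotes": phase2_overlaps(local, remotes),
    }


if __name__ == "__main__":
    for name, local in (("CONFIGURATION 1", CONFIG_1_LOCAL),
                        ("CONFIGURATION 2", CONFIG_2_LOCAL)):
        print(name)
        for key, value in report(local).items():
            print(f"  {key}: {value}")
    # Example client addresses from the post, checked against the pool.
    for addr in ("10.11.222.76", "192.168.1.1"):
        print(f"{addr} in assigned pool: {in_pool(addr, ASSIGNED_POOL)}")
```

Run it as-is to see both configurations side by side; swap the `CONFIG_*` values for whatever local selector you are about to put in a Phase 2 entry and re-run before applying the change on the firewall.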