Netgate Discussion Forum
    IPsec with public IP for Remote Gateway and Remote Subnet (address)

    skipperTux (last edited by skipperTux)

      I have a customer with a public IP for the Remote Gateway in Phase 1 (8.x.y.a) and a public IP address as the Remote Subnet in Phase 2 (8.x.y.b). The customer's setup uses a Cisco ASR.
      On my site I have a public IP for the Remote Gateway in Phase 1 (144.x.y.b), and a (Xubuntu) client in the private IP network of pfSense (172.24.x.x).
      My Xubuntu client has the pfSense LAN as its default gateway, and it can access the internet (via NAT); ping, DNS and browsing are working.

      The IPsec tunnel connection is established successfully. However, when I try to ping, traceroute or telnet to the Remote Subnet address (8.x.y.b), the traffic is not going through the tunnel but through the internet, and because of that it is blocked on the remote site (no traffic coming through the tunnel).

      Do I need to configure the NAT/BINAT setting in Phase 2, or do I need to add a route in pfSense? I did not find the same setup anywhere in the forum, but for public IPs some here said to configure NAT/BINAT.

      guillaumeg

        I just ran into the same issue today for a similar configuration (routing traffic directed to a public address into an IPsec tunnel).
        It appeared that I forgot I had a firewall rule explicitly setting the gateway for traffic directed to public addresses (for multi-WAN management).
        Once I added an Accept firewall rule with higher precedence and no gateway setting, the traffic got "naturally" tunnelled.

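As an added illustration (not from either poster, nor Netgate's own configuration), this is what the reply's fix looks like in pf rule terms, assuming pfSense's usual translation of a rule's Gateway setting into `route-to` and its first-match (`quick`) ordering of user rules. The interface names, the WAN gateway 198.51.100.1 and the remote address 203.0.113.10 are placeholders standing in for the elided values on the page (8.x.y.b for the Phase 2 Remote Subnet).

```pf
# Constructed example. Placeholders: em0 = WAN, em1 = LAN,
# 198.51.100.1 = WAN gateway, 203.0.113.10 = the remote public host
# carried as the Phase 2 "Remote Subnet" (8.x.y.b in the original post).
table <private_nets> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

# --- Before: the multi-WAN policy-routing rule matches first ---
# Every LAN flow to a non-private destination is forced out the WAN
# gateway. The flow to 203.0.113.10 matches too, so it is sent to the
# internet in the clear instead of being handed to the IPsec policy.
pass in quick on em1 route-to (em0 198.51.100.1) inet \
    from 172.24.0.0/16 to !<private_nets> keep state

# --- After: a plain pass rule for the tunnel destination, placed
# above the policy-routing rule. With no route-to, the packet follows
# the normal forwarding path, where the IPsec security policy for
# 203.0.113.10 picks it up and encapsulates it into the tunnel.
pass in quick on em1 inet \
    from 172.24.0.0/16 to 203.0.113.10 keep state
pass in quick on em1 route-to (em0 198.51.100.1) inet \
    from 172.24.0.0/16 to !<private_nets> keep state
```

On a pfSense shell, `pfctl -vsr` lists the loaded rules with per-rule packet counters, which makes it easy to confirm that the tunnel-bound traffic is now hitting the plain pass rule rather than the route-to rule.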