IPsec with public IP for Remote Gateway and Remote Subnet (address)

  • I have a customer with a public IP for the Remote Gateway in Phase 1 (8.x.y.a) and a public IP address as the Remote Subnet in Phase 2 (8.x.y.b). The customer's setup uses a Cisco ASR.
    On my site I have a public IP for the Remote Gateway in Phase 1 (144.x.y.b), and a (Xubuntu) client in the private IP network of pfSense (172.24.x.x).
    My Xubuntu client has the pfSense LAN as its default gateway, and it can access the internet (via NAT); ping, DNS and browsing are working.

    The IPsec tunnel connection is established successfully. However, when I try to ping, traceroute or telnet the Remote Subnet address (8.x.y.b), the traffic is not going through the tunnel but through the internet, and because of that it is blocked on the remote site (no traffic coming through the tunnel).

    Do I need to configure the NAT/BINAT setting in Phase 2, or do I need to add a route in pfSense? I did not find the same setup anywhere in the forum, but for public IPs some here said to configure NAT/BINAT.


  • I just ran into the same issue today for a similar configuration (routing traffic directed to a public address into an IPsec tunnel).
    It appeared that I had forgotten I had a firewall rule explicitly setting the gateway for traffic directed to public addresses (for multi-WAN management).
    Once I added an Accept firewall rule with higher precedence and no gateway setting, the traffic got "naturally" tunnelled.
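To make the effect described in this reply concrete, here is an added example (not code from the thread or from pfSense) that models pfSense's first-match rule evaluation: a rule with a gateway set policy-routes the matching packet straight to that WAN gateway, so the IPsec Phase 2 policy never sees it, while a preceding pass rule without a gateway leaves the packet to normal routing, where the remote-subnet policy captures it. Addresses, gateway names and the rule lists are constructed assumptions standing in for the 8.x.y.b and multi-WAN values in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    dst: ipaddress.IPv4Network        # destination the rule matches
    gateway: Optional[str] = None     # pfSense "Gateway" field; None = default routing

def first_match(rules: List[Rule], dst_ip: str) -> Optional[Rule]:
    """pfSense evaluates LAN rules top-down, first match wins."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if ip in rule.dst:
            return rule
    return None                       # no match: pfSense default-deny applies

def egress_path(rules: List[Rule], dst_ip: str,
                ipsec_remote_subnets: List[ipaddress.IPv4Network]) -> str:
    """Return where a LAN client's packet to dst_ip ends up."""
    rule = first_match(rules, dst_ip)
    if rule is None or rule.action == "block":
        return "blocked"
    if rule.gateway is not None:
        # Policy routing hands the packet to the chosen WAN gateway,
        # bypassing the routing table and the IPsec security policy.
        return f"policy-routed via {rule.gateway} (IPsec bypassed)"
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in net for net in ipsec_remote_subnets):
        return "ipsec tunnel"         # Phase 2 remote subnet matched
    return "routing table (default route)"

# Constructed stand-ins: a /32 public host as the Phase 2 remote subnet
# and a multi-WAN policy-routing rule that catches all traffic.
REMOTE_SUBNETS = [ipaddress.ip_network("203.0.113.10/32")]
MULTIWAN = Rule("pass", ipaddress.ip_network("0.0.0.0/0"), gateway="WAN_GROUP")
IPSEC_PASS = Rule("pass", ipaddress.ip_network("203.0.113.10/32"))

BROKEN_RULES = [MULTIWAN]               # gateway rule first: tunnel is bypassed
FIXED_RULES = [IPSEC_PASS, MULTIWAN]    # no-gateway pass rule placed above it

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "->", egress_path(rules, "203.0.113.10", REMOTE_SUBNETS))
```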
