    Can't seem to get pfSense to stay connected to IPCop firewall

    IPsec
    3 Posts 2 Posters 668 Views
    • oklord

      pfSense VPN Settings
      Interconnect IPCop to pfSense using IPsec
      This post is focused only on building a site-to-site IPsec VPN connection between IPCop and pfSense.
      Note: the pfSense and IPCop boxes both use a public IP address on the WAN side.
      Thanks in advance!

      pfSense Configuration

      VPN menu, option IPsec,

      Enable IPsec check box

      Save button.

      Then click the Add tunnel icon on the right side of the page; you now get a new page where you can specify the VPN tunnel options

      Mandatory Parameters

      Uncheck Disabled

      Key Exchange Version: IKEv1

      Internet Protocol: IPv4

      Interface: WAN_Red

      Remote Gateway: the public IP address of the IPCop box

      207.166.250.2

      Description = High School

      Phase 1 proposal (Authentication)

      Authentication method: Mutual PSK

      Authentication method: Main

      My identifier: My IP address

      Peer identifier: Peer IP address

      Pre-Shared Key: same password

      Phase 1 proposal (Algorithms)

      Encryption algorithm: Blowfish (256 bits)

      Hash algorithm: SHA1

      DH key group: 5 (1536 bits)

      Lifetime: 28800

      Advanced Options

      Disable rekey = unchecked

      Margintime = blank

      Responder Only = unchecked

      NAT Traversal = Auto

      Dead Peer Detection = Unchecked

      Save button and then click on “Add phase 2”

      Disabled = unchecked

      Mode = Tunnel IPv4

      Local Network: LAN Subnet

      Green Port 2

      NAT/BINAT = None

      Remote Network: LAN subnet on the IPCop side

      Address from pulldown

      10.0.0.0/7

      Phase 2 proposal (SA/Key Exchange)

      Protocol: ESP

      Encryption algorithms: check only Blowfish (Auto)

      Hash algorithms: check only SHA1 and MD5

      PFS key group: 5 (1536 bits)

      Lifetime: 28800

      Auto ping host = enter an IP if you find the VPN drops often

      SAVE & APPLY

      – Hit the Save button

      ------------------------------------------------

      IPCop Configuration

      Open the VPN menu and set the Public IP to the real WAN IP address

      – Press the Add button in the middle of the screen to create a new PSK VPN connection with IPsec,

      Select Net-to-Net Virtual Private Network to continue.

      Host IP Address:

      WAN IP address 207.166.250.2

      Remote Host/IP: the public IP address of the pfSense box

      169.244.143.34

      Local Subnet: Local LAN subnet

      10.0.0.0/255.0.0.0

      Remote Subnet: LAN subnet on the pfSense side.

      172.16.152.0/255.255.254.0

      Dead Peer Detection Action = Restart

      Operation at IPsec startup = start

      Remark = anything "Connection to BCOPE"

      Check Use Pre-Shared Key

      Enter the same password used in pfSense

      – SAVE

      Edit ADVANCED settings

      Phase 1

      IKE Encryption: Blowfish (both 256-bit and 128-bit)

      IKE Integrity: check SHA and MD5

      IKE Grouptype: set MODP-1536

      IKE Lifetime: 1 hour (This option not available)

      Phase 2

      ESP Encryption: Blowfish (both 256-bit and 128-bit)

      ESP Integrity: check SHA1 and MD5

      ESP Grouptype: set to MODP-1536 (This option not available)

      ESP Keylife: set to 8 hours

      Check only Perfect Forward Secrecy (PFS) - uncheck?

      SAVE button

      -----------------------------------------

      On the pfSense side go to

      Status > IPsec

      Overview tab, see the VPN status.

      If all works fine you see ESTABLISHED

      If not, click on CONNECT VPN

      Check Status > System Logs > IPsec

      Must create a rule in Firewall to allow traffic through the VPN

      Firewall > Rules > IPsec

      Add

      Action = Pass

      Disabled = unchecked

      Interface = IPsec

      Address Family = IPv4

      Protocol = Any

      Source = Any

      Destination = Any

      Log = unchecked

      Description = High School

      Nothing to change under Advanced

      SAVE & APPLY

      Can you ping through to 10.0.0.15?

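The two configurations above are entered by hand on two different products, and in IKEv1 Quick Mode there is no selector narrowing: the networks each side lists for phase 2 have to be written identically or the SA either fails to negotiate or carries nothing. The following checker is an added example (not part of the post, and not pfSense or IPCop code) that encodes the values from the post as plain dictionaries and compares them. The pfSense LAN network is taken from IPCop's Remote Subnet field, "Blowfish (Auto)" is modelled as accepting both key sizes, and IPCop's unknown PFS group is recorded as None; all three are assumptions for the example. Run as written, it flags that pfSense's 10.0.0.0/7 is not IPCop's 10.0.0.0/255.0.0.0, and separately lists the primitives in this design (Blowfish, MD5, SHA-1, 1536-bit DH) that should be replaced on a new tunnel; the thread does not say whether the /7 is what broke traffic here.

```python
import ipaddress
from typing import Dict, List

# Constructed from the values typed into the post; not an export from either product.
# Phase 1 on pfSense is a single proposal; IPCop offers every box that was ticked.
PFSENSE: Dict = {
    "local_net": "172.16.152.0/23",            # assumption: pfSense "LAN Subnet", per IPCop's Remote Subnet
    "remote_net": "10.0.0.0/7",                # exactly as entered in the pfSense phase 2
    "p1_enc": ["blowfish256"],
    "p1_hash": ["sha1"],
    "p1_dh": 5,                                # 1536-bit MODP
    "p2_enc": ["blowfish128", "blowfish256"],  # assumption: "Blowfish (Auto)" accepts both key sizes
    "p2_hash": ["sha1", "md5"],
    "p2_pfs": 5,
}
IPCOP: Dict = {
    "local_net": "10.0.0.0/255.0.0.0",
    "remote_net": "172.16.152.0/255.255.254.0",
    "p1_enc": ["blowfish128", "blowfish256"],
    "p1_hash": ["sha1", "md5"],
    "p1_dh": 5,                                # MODP-1536
    "p2_enc": ["blowfish128", "blowfish256"],
    "p2_hash": ["sha1", "md5"],
    "p2_pfs": None,                            # the post says the ESP group type field is not available
}

# Primitives a current deployment should not rely on, with the reason.
WEAK = {
    "blowfish": "64-bit block cipher (Sweet32); use AES-GCM or AES-256",
    "md5": "broken hash; use SHA-256 or better",
    "sha1": "deprecated hash; use SHA-256 or better",
}
MIN_DH_GROUP = 14  # 2048-bit MODP, the mandatory-to-implement group in RFC 8247


def net(s: str) -> ipaddress.IPv4Network:
    """Parse either CIDR (10.0.0.0/7) or dotted-mask (10.0.0.0/255.0.0.0) notation."""
    return ipaddress.ip_network(s, strict=False)


def check_selectors(a: Dict, b: Dict) -> List[str]:
    """IKEv1 has no narrowing: a's local must equal b's remote and vice versa."""
    issues = []
    if net(a["local_net"]) != net(b["remote_net"]):
        issues.append(f"side A local {net(a['local_net'])} != side B remote {net(b['remote_net'])}")
    if net(a["remote_net"]) != net(b["local_net"]):
        issues.append(f"side A remote {net(a['remote_net'])} != side B local {net(b['local_net'])}")
    return issues


def check_proposals(a: Dict, b: Dict) -> List[str]:
    """Each phase needs at least one cipher and one hash in common, and equal DH/PFS groups."""
    issues = []
    for phase in ("p1", "p2"):
        for part in ("enc", "hash"):
            if not set(a[f"{phase}_{part}"]) & set(b[f"{phase}_{part}"]):
                issues.append(f"{phase} {part}: no algorithm in common")
    if a["p1_dh"] != b["p1_dh"]:
        issues.append(f"p1 DH group {a['p1_dh']} != {b['p1_dh']}")
    if a["p2_pfs"] is None or b["p2_pfs"] is None:
        issues.append("p2 PFS group could not be compared: one side does not state it")
    elif a["p2_pfs"] != b["p2_pfs"]:
        issues.append(f"p2 PFS group {a['p2_pfs']} != {b['p2_pfs']}")
    return issues


def weak_primitives(cfg: Dict) -> List[str]:
    """Sorted list of weak primitives one side is configured to use."""
    found = set()
    for key in ("p1_enc", "p1_hash", "p2_enc", "p2_hash"):
        for alg in cfg[key]:
            for name in WEAK:
                if alg.startswith(name):
                    found.add(name)
    for key in ("p1_dh", "p2_pfs"):
        if cfg[key] is not None and cfg[key] < MIN_DH_GROUP:
            found.add(f"dh-group-{cfg[key]}")
    return sorted(found)


def report(a: Dict, b: Dict) -> None:
    for line in check_selectors(a, b) + check_proposals(a, b):
        print("MISMATCH:", line)
    for side, cfg in (("pfSense", a), ("IPCop", b)):
        for name in weak_primitives(cfg):
            print(f"WEAK ({side}): {name}: {WEAK.get(name, 'below the 2048-bit DH floor')}")


if __name__ == "__main__":
    report(PFSENSE, IPCOP)
```

Correcting the pfSense phase 2 remote network to 10.0.0.0/8 makes the selector check pass; the proposal check still reports that IPCop's PFS group cannot be read from the post, which is exactly the field to confirm in IPCop's advanced page before trusting the tunnel.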
      • oklord @oklord

        Lost my opening paragraph... sorry.

        We are upgrading firewalls to pfSense. We are using the latest version, 2.4.3, and can connect to the internet. We can get the VPN to connect for a little while, but we can't ping through it even though we have a firewall rule set for IPsec.
        On the other end we have an IPCop firewall using its last update.

        • Derelict (Netgate)

          > We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.

          Firewall rules on the IPsec tab would be for allowing pings originating from the other side.

          Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

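The reply above turns on two facts that `Status > IPsec` (or `ipsec statusall` on the pfSense shell, which is what that page reads from on 2.4) already shows: which CHILD_SA is installed with which traffic selectors, and how many bytes have gone in and out of it. The script below is an added example, not the poster's or Netgate's code. It parses a constructed status dump laid out the way strongSwan prints it (addresses from the thread, SPIs and counters made up), picks the ping source that actually falls inside the local selector, and reads the counters to tell "nothing matched the tunnel" apart from "packets left and nothing came back". The pfSense LAN address 172.16.152.1 is an assumption for the example.

```python
import ipaddress
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in the layout of strongSwan's "ipsec statusall"; not real output.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 4 minutes ago, 169.244.143.34[169.244.143.34]...207.166.250.2[207.166.250.2]
     con1000[3]: IKEv1 SPIs: 7d2a1c3e4f5b6a71_i* 91e0c2d3b4a59687_r, pre-shared key reauthentication in 7 hours
     con1000[3]: IKE proposal: BLOWFISH_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
     con1000{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
     con1000{1}:  BLOWFISH_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1680 bytes_o (20 pkts, 2s ago), rekeying in 7 hours
     con1000{1}:   172.16.152.0/23 === 10.0.0.0/7
"""

# CHILD_SA lines carry the {n} index; IKE_SA lines use [n] and are skipped.
CHILD_LINE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s*(.*)$")


def parse_child_sas(text: str) -> List[Dict]:
    """Collect installed state, traffic selectors and byte counters per CHILD_SA."""
    sas: Dict = {}
    for line in text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        key = (m.group(1), int(m.group(2)))
        sa = sas.setdefault(key, {"conn": m.group(1), "installed": False,
                                  "local": [], "remote": [], "bytes_in": 0, "bytes_out": 0})
        body = m.group(3)
        if body.startswith("INSTALLED"):
            sa["installed"] = True
        elif " === " in body:
            left, right = body.split(" === ")
            sa["local"] = [ipaddress.ip_network(n, strict=False) for n in left.split()]
            sa["remote"] = [ipaddress.ip_network(n, strict=False) for n in right.split()]
        else:
            bi = re.search(r"(\d+) bytes_i", body)
            bo = re.search(r"(\d+) bytes_o", body)
            if bi:
                sa["bytes_in"] = int(bi.group(1))
            if bo:
                sa["bytes_out"] = int(bo.group(1))
    return list(sas.values())


def covering_sa(sas: List[Dict], src: str, dst: str) -> Optional[Dict]:
    """The installed CHILD_SA whose selectors carry src -> dst, if any."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if sa["installed"] and any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"]):
            return sa
    return None


def pick_source(sas: List[Dict], dst: str, candidates: List[str]) -> Optional[str]:
    """First candidate address that is 'interesting' to a tunnel towards dst."""
    for c in candidates:
        if covering_sa(sas, c, dst) is not None:
            return c
    return None


def diagnose(sas: List[Dict], src: str, dst: str) -> str:
    sa = covering_sa(sas, src, dst)
    if sa is None:
        return "no-sa"           # src/dst does not match any installed selector pair
    if sa["bytes_out"] == 0:
        return "no-traffic-yet"  # covered, but nothing has been encapsulated yet
    if sa["bytes_in"] == 0:
        return "sent-no-reply"   # packets left through the tunnel, nothing came back
    return "bidirectional"


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    sas = parse_child_sas(text)
    src = pick_source(sas, "10.0.0.15", ["169.244.143.34", "172.16.152.1"])
    print("ping from", src, "->", diagnose(sas, src, "10.0.0.15") if src else "no usable source")
```

On the sample, the WAN address 169.244.143.34 is rejected as a source and 172.16.152.1 is chosen; with 1680 bytes out and 0 in the verdict is "sent-no-reply", which points at the far side (its IPsec rules or its route back) rather than at the local IPsec tab rule. The shell equivalent of Diagnostics > Ping with the source set to LAN is `ping -S 172.16.152.1 10.0.0.15` on pfSense (FreeBSD ping's -S selects the source address); pipe `ipsec statusall` into the script afterwards to re-read the counters.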
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.