Can't seem to get pfSense to stay connected to IPCop firewall



  • PFSense VPN Settings
    Interconnect IPCop to PFSense using IPSec
    This post is just focused on building a site-to-site IPsec VPN connection between IPCop and pfSense.
    Att: the pfSense and IPCop boxes are using a public IP address on the WAN side.
    Thanks in advance!

    PFSense Configuration

    VPN menu, option IPSec,

    Enable IPSec check box

    Save button.

    Then click the Add tunnel icon on the right side of the page; now you have a new page where you can specify the VPN tunnel options.

    Mandatory Parameters

    Uncheck Disabled

    Key Exchange Version: IKEv1

    Internet Protocol: IPv4

    Interface: WAN_Red

    Remote Gateway: The public IP address of the IPCop box

    207.166.250.2

    Description = High School

    Phase 1 proposal (Authentication)

    Authentication method: Mutual PSK

    Authentication method: Main

    My identifier: My Ip Address

    Peer identifier: Peer ip address

    Pre-Shared Key: same password

    Phase 1 proposal (Algorithms)

    Encryption algorithm: Blowfish (256 bits)

    Hash algorithm: SHA1

    DH key group: 5 (1536 bits)

    Lifetime: 28800

    Advanced Options

    Disable rekey = unchecked

    Margintime = blank

    Responder Only = unchecked

    NAT Traversal = Auto

    Dead Peer Detection = Unchecked

    Save button and then click on “Add phase 2”

    Disabled = unchecked

    Mode = Tunnel IPv4

    Local Network: LAN Subnet

    Green Port 2

    NAT/BINAT = None

    Remote Network: LAN subnet on the IPCop side

    Address from pulldown

    10.0.0.0/7

    Phase 2 proposal (SA/Key Exchange)

    Protocol: ESP

    Encryption algorithms: check only Blowfish (Auto)

    Hash algorithms: check only SHA1 and MD5

    PFS key group: 5 (1536 bits)

    Lifetime: 28800

    Auto ping host = enter IP if you find VPN drops often

    SAVE & APPLY

    – Hit Save button

    ------------------------------------------------

    IpCop Configuration

    Open the VPN menu and modify the Public IP with the real WAN IP address

    – Press the Add button in the middle of the screen to create a new PSK VPN connection with IPSec,

    Select Net-to-Net Virtual Private Network to continue.

    Host IP Address:

    WAN IP Address 207.166.250.2

    Remote Host/IP: The public IP address of the pfSense box

    169.244.143.34

    Local Subnet: Local LAN subnet

    10.0.0.0/255.0.0.0

    Remote Subnet: LAN subnet on PfSense side.

    172.16.152.0/255.255.254.0

    Dead Peer Detection Action = Restart

    Operation at IPSec startup = start

    Remark = anything "Connection to BCOPE"

    Check Use Pre-Shared Key

    Enter the same password used in pfSense

    – SAVE

    Edit ADVANCED settings

    Phase 1

    IKE Encryption: Blowfish (both 256bit and 128bit)

    IKE Integrity: check SHA and MD5

    IKE Grouptype: set MODP-1536

    IKE Lifetime: 1 hour (This option not available)

    Phase 2

    ESP Encryption: Blowfish (both 256bit and 128bit)

    ESP Integrity: check SHA1 and MD5

    ESP Grouptype: set to MODP-1536 (This option not available)

    ESP Keylife: set to 8 hours

    Check only Perfect Forward Secrecy (PFS) - uncheck?

    SAVE button

    -----------------------------------------

    On the pfSense side go to

    Status > IPSec

    Overview tab, see VPN status.

    If all works fine you see ESTABLISHED

    If not click on CONNECT VPN

    Check Status>System Logs>IPSec

    Must create a rule in Firewall to allow traffic through the VPN

    Firewall>Rules>IPSec

    Add

    Action = Pass

    Disabled = unchecked

    Interface = IPsec

    Address Family = IPv4

    Protocol = Any

    Source = Any

    Destination = Any

    Log = unchecked

    Description = High School

    Nothing to change under Advanced

    SAVE & APPLY

    Can you ping through to 10.0.0.15?



  • Lost my opening paragraph... sorry.

    We are upgrading firewalls to pfSense. We are using the latest version 2.4.3 and can connect to the internet. We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.
    On the other end we have IPCop Firewall using their last update.


  • Netgate

    We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.

    Firewall rules on the IPsec tab would be for allowing pings originating from the other side.

    Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.
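An added check, not from the thread or from either project, that puts the two points above into code: the phase 2 selectors posted for each side (pfSense Remote Network 10.0.0.0/7 against IPCop Local Subnet 10.0.0.0/255.0.0.0, which is a /8) are compared to see whether they mirror each other, and a candidate ping is tested against the pfSense Local Network the way Netgate's reply describes. The pfSense LAN subnet is assumed to be 172.16.152.0/23 because that is what the IPCop side lists as its Remote Subnet; the first post only says "LAN Subnet". The dictionaries are constructed from the posted settings; the test addresses are made up.

```python
import ipaddress

# Constructed from the settings posted above. The pfSense "LAN subnet" is an
# assumption (172.16.152.0/23), taken from IPCop's Remote Subnet field.
PFSENSE_PHASE2 = {
    "local": "172.16.152.0/23",  # pfSense Phase 2 Local Network (assumed)
    "remote": "10.0.0.0/7",      # pfSense Phase 2 Remote Network, as typed
}
IPCOP_NET_TO_NET = {
    "local": "10.0.0.0/255.0.0.0",            # IPCop Local Subnet
    "remote": "172.16.152.0/255.255.254.0",   # IPCop Remote Subnet
}


def to_network(text):
    """Accept CIDR (pfSense) or dotted-mask (IPCop) notation alike."""
    return ipaddress.ip_network(text, strict=False)


def check_selectors(pfsense, ipcop):
    """Return a list of mismatches between the two sides' phase 2 selectors.

    pfSense Local must equal IPCop Remote and pfSense Remote must equal
    IPCop Local; with IKEv1 the quick-mode selectors have to mirror each
    other, so an empty list is what you want to see.
    """
    problems = []
    pairs = [
        ("pfSense Local Network", pfsense["local"],
         "IPCop Remote Subnet", ipcop["remote"]),
        ("pfSense Remote Network", pfsense["remote"],
         "IPCop Local Subnet", ipcop["local"]),
    ]
    for a_name, a_text, b_name, b_text in pairs:
        a, b = to_network(a_text), to_network(b_text)
        if a != b:
            problems.append(f"{a_name} {a} != {b_name} {b}")
    return problems


def source_is_interesting(src, local_selector):
    """True if src lies inside the phase 2 Local Network (Netgate's point)."""
    return ipaddress.ip_address(src) in to_network(local_selector)


def flow_is_interesting(src, dst, phase2):
    """True if src -> dst matches the phase 2 (local -> remote) selector pair.

    A ping sourced from the WAN address never matches, whatever the rules
    on the IPsec tab say; that is the "nothing goes through the tunnel"
    symptom from the thread.
    """
    return (source_is_interesting(src, phase2["local"])
            and ipaddress.ip_address(dst) in to_network(phase2["remote"]))


if __name__ == "__main__":
    for line in check_selectors(PFSENSE_PHASE2, IPCOP_NET_TO_NET) or ["selectors match"]:
        print(line)
    # Made-up test addresses: a LAN host and the pfSense WAN address from the post.
    for src in ("172.16.152.1", "169.244.143.34"):
        print(src, "->", "10.0.0.15",
              "matches phase 2" if flow_is_interesting(src, "10.0.0.15", PFSENSE_PHASE2)
              else "does NOT match phase 2")
```

Run it as-is and the selector check reports the /7 versus /8 difference; change the pfSense Remote Network to 10.0.0.0/8 and it reports nothing. The ping helper shows why Diagnostics > Ping needs its source set to LAN: a packet sourced from the WAN address is outside the Local Network selector and is routed out the WAN instead of into the SA. Separately, Blowfish and MD5 are legacy choices that newer pfSense releases no longer offer for IPsec; AES and SHA-256 are the usual replacements once both sides support them.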