Problems with IPsec vpn between pfSense and Oracle Cloud Infrastructure
-
[Attached screenshots: LogPart1, LogPart2, LogPart3, LogPart4, LogPart5, LogPart6, IPSEC, IPSEC RULES, NATOUTBOUND, RULES WAN, STATE FILTER, STATIC RULES]
My set up.
I hope you can help me.
Thanks. -
Delete any static routes you added like that 10.72.0.0/16 to 192.168.1.1. That is not how IPsec works.
Honestly, it looks like your IPsec is doing what you asked it to do. Need to find out why the host in the cloud (10.72.112.30) isn't responding or why your traffic isn't coming back. That's more of an oracle question.
-
I have a question.
In pfSense, is it possible to configure Phase 2 with the network 0.0.0.0/0 as both local and remote?
Attached is a screenshot of the configuration between a Palo Alto firewall and Oracle Cloud Infrastructure.
Palo Alto Phase 2 -
@derelict
Hello, can you still help me? -
Help how?
-
@derelict said in Problems with IPsec vpn between pfSense and Oracle Cloud Infrastructure:
Help how?
Yes. I have a question.
In pfSense, is it possible to configure Phase 2 with the network 0.0.0.0/0 as both local and remote?
Attached is a screenshot of the configuration between a Palo Alto firewall and Oracle Cloud Infrastructure.
Palo Alto Phase 2 -
Hello, I would like to ask you to look at the Oracle documentation and to confirm that pfSense is compatible with and supports Oracle VPNaaS.
1 - Oracle documentation for a generic CPE:
https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm
The requirements for generic CPE devices are:
local=0.0.0.0/0
remote=0.0.0.0/0
service=any
Please let us know your thoughts about that.
Regards,
Ernani -
Personal opinion:
I think that is completely uncalled for.
On pfSense that will catch all traffic and send it over the tunnel unless extreme measures are taken to bypass it. And there is no way to bypass traffic from the firewall itself.
I cannot see how Oracle expects that to work for people.
Again, you should be able to create Phase 2 entries with your cloud subnet as remote and your local subnet(s) as local.
-
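To make the point about the catch-all Phase 2 concrete, below is a small Python model of how a policy-based IPsec SPD (which is what pfSense builds from its Phase 2 entries) selects packets. It is an added example for this thread, not code from pfSense, strongSwan, Oracle or any poster. The LAN 192.168.1.0/24, the firewall address 192.168.1.1, the VCN 10.72.0.0/16 and the host 10.72.112.30 come from the thread; the Internet addresses 198.51.100.7 and 203.0.113.1, the route table and all function and entry names are assumptions constructed for illustration. The model ignores protocol/port selectors and any NAT or bypass options.

```python
"""
Simplified model of how a policy-based IPsec SPD (what pfSense builds from its
Phase 2 entries) decides whether a packet is captured by the tunnel.

Added example for the thread, not pfSense, strongSwan or Oracle code.
From the thread: LAN 192.168.1.0/24 behind the firewall at 192.168.1.1, and an
OCI VCN 10.72.0.0/16 containing host 10.72.112.30. Constructed for
illustration: the Internet addresses 198.51.100.7 and 203.0.113.1 (RFC 5737
documentation ranges), the route table and the entry names.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry: the local/remote traffic selectors of an SPD policy."""
    name: str
    local: IPv4Network
    remote: IPv4Network


# Oracle's generic-CPE requirement quoted in the thread: a catch-all policy.
ORACLE_GENERIC_CPE = [
    Phase2("oci-catch-all", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0")),
]

# The alternative recommended in the thread: only LAN <-> VCN traffic is selected.
SPECIFIC_SUBNETS = [
    Phase2("oci-vcn", ip_network("192.168.1.0/24"), ip_network("10.72.0.0/16")),
]

# Constructed route table (prefix -> next hop); 203.0.113.1 stands in for the
# WAN gateway.
ROUTES = {
    ip_network("192.168.1.0/24"): "directly connected (LAN)",
    ip_network("0.0.0.0/0"): "203.0.113.1 (WAN gateway)",
}


def spd_match(src: str, dst: str, phase2_entries):
    """Return the Phase 2 entry whose selectors cover src->dst, or None.

    When several entries match, the most specific one (longest prefixes) wins,
    which is how a narrow Phase 2 can coexist with a broader one.
    """
    s, d = ip_address(src), ip_address(dst)
    hits = [p for p in phase2_entries if s in p.local and d in p.remote]
    if not hits:
        return None
    return max(hits, key=lambda p: (p.local.prefixlen, p.remote.prefixlen))


def route_lookup(dst: str, routes=ROUTES) -> str:
    """Longest-prefix match over the constructed route table."""
    d = ip_address(dst)
    best = max((n for n in routes if d in n), key=lambda n: n.prefixlen)
    return routes[best]


def forward(src: str, dst: str, phase2_entries, routes=ROUTES) -> str:
    """Decide what happens to a packet: IPsec policy first, routing second.

    A matched policy encapsulates the packet to the peer no matter what the
    route table says about dst, so a static route for the remote subnet is
    not what steers traffic into the tunnel; only packets that no policy
    selects are forwarded by the route table.
    """
    p2 = spd_match(src, dst, phase2_entries)
    if p2 is not None:
        return f"ESP via Phase 2 '{p2.name}'"
    return f"routed via {route_lookup(dst, routes)}"


if __name__ == "__main__":
    flows = [
        ("192.168.1.10", "10.72.112.30"),  # LAN host -> cloud host
        ("192.168.1.10", "198.51.100.7"),  # LAN host -> an Internet server
        ("192.168.1.1", "198.51.100.7"),   # the firewall itself -> Internet
    ]
    for label, entries in (("Oracle generic CPE", ORACLE_GENERIC_CPE),
                           ("specific subnets", SPECIFIC_SUBNETS)):
        print(f"== {label} ==")
        for src, dst in flows:
            print(f"{src:>14} -> {dst:<14} {forward(src, dst, entries)}")
```

Running it shows the difference the thread is arguing about: with the 0.0.0.0/0 entry, every flow, including the firewall's own Internet-bound traffic, is selected for the tunnel, while with the specific-subnet entry only LAN-to-VCN traffic is encapsulated and everything else follows the route table.
-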
I agree with you, since I have configured other tunnels with different vendors to Oracle without using that requirement, but I saw some intermittent issues.
Thank you,
Ernani