ipsec - site to site - packets not going through tunnel on my site [solved]

  • Hello,
    I know there are many entries with the same topic, but sadly I can't get the tunnel to work properly. Normally we are using OpenVPN site to site and for clients and it's working without any problems, but our new supporter needs an IPsec tunnel.

    Here is the configuration that seems to work "a little bit":
    The tunnel starts and stays connected and I can see packets in the log file when filtering for ipsec as the interface. However, no RDP connection or ping is possible, and it seems that the packets get to the server but come back not through the tunnel but through the internet.

    Cisco configuration from the other endpoint:

    Internet IP:

    IKE Policy - Phase 1 5 (AES-256, MD5, Group 5, 86400)
    IPSec Policy - Phase 2 AES-256-MD5

    access-list CM_1518 extended permit ip host
    crypto map outside_map 1518 match address CM_1518
    crypto map outside_map 1518 set peer
    crypto map outside_map 1518 set ikev1 transform-set AES-256-MD5
    crypto map outside_map 1518 set nat-t-disable

    NAT: host1 host2 host3 host4

    My Configuration:

    Phase 1
    Remote Gateway

    Local Network - Network /30
    Remote Network -

    NAT: (Example for one Host)
    -> I want NAT entries for all ports like on the Cisco but don't know how to set that up. pfSense always wants to know the ports. (Not a problem)
    Interface: ipsec
    prot: UDP/TCP
    port range: MS RDP
    redirect Target IP:
    redirect target port MS RDP

    Additionally there is an icmp nat for testing.

    Any to any on the IPsec tab for testing and logging. Will be changed when it works.
    Any to 500 on WAN
    Any to 4500 on WAN
    (Any will be changed to the IP when it works)


    1. Is the entry "local subnet" correct? I thought I had to enter my LAN subnet there, but then the tunnel will not start, with a Hash ID error (wrong subnet). The configuration here is the only one working. I have tested all possible combinations.
    2. Can I enter a simple NAT, like everything that goes to IP 1 goes to IP 2?
    3. What can I do to tell pfSense to route traffic through the tunnel? I have read many times "everything is done automatically in IPsec", but it doesn't work ;)

    If you need more information, just tell me. Sadly I can't produce log entries, because I have no hosts to ping. The purpose of the VPN tunnel is to give access to the supporter.

  • After reading a book about VPNs I understood subnetting with an IPsec VPN and found the solution:

    Phase 2 must be configured like this:

    Local Network - LAN Network
    NAT / BINAT /30
    Remote Network -
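The mechanism behind the fix is that a packet only enters the tunnel if it matches a Phase 2 traffic selector, and the peer only encrypts its reply if the address it saw matches its own crypto-map ACL. The simulation below is an added example, not code from the thread or from pfSense; all addresses are constructed from the RFC 5737 documentation ranges, the BINAT is modelled as a 1:1 mapping onto a network of the same size (the post uses a /30, which only holds four addresses), and IKE negotiation (the Hash ID error the question mentions) is not modelled at all. It shows three configurations: the original one (local network = translated network, no BINAT), a LAN-only selector without BINAT, and the fixed one from the answer (local = LAN with BINAT onto the translated network).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry: traffic selectors plus an optional 1:1 BINAT (modelled, not pfSense code)."""
    local: Net                   # "Local Network" field
    remote: Net                  # "Remote Network" field
    binat: Optional[Net] = None  # "NAT/BINAT translation" network, if any

    def __post_init__(self) -> None:
        # Assumption: 1:1 network BINAT, so both networks must have the same prefix length.
        if self.binat is not None and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError("1:1 BINAT needs a translation network of the same size as the local network")


def binat_source(src: IPv4, p2: Phase2) -> IPv4:
    """Rewrite a LAN source into the BINAT network, keeping the host bits (1:1 mapping)."""
    if p2.binat is None or src not in p2.local:
        return src
    host_bits = int(src) & int(p2.local.hostmask)
    return IPv4(int(p2.binat.network_address) | host_bits)


def outbound_path(src: IPv4, dst: IPv4, policies: list[Phase2]) -> tuple[str, IPv4]:
    """Which way does a LAN packet leave, and with which source address does the peer see it?

    The packet enters the tunnel only if it matches a Phase 2 selector pair;
    otherwise it follows the default route to the internet, unencrypted.
    """
    for p2 in policies:
        if src in p2.local and dst in p2.remote:
            return "tunnel", binat_source(src, p2)
    return "internet", src


def peer_reply_path(peer_src: IPv4, reply_dst: IPv4, crypto_acl: list[tuple[Net, Net]]) -> str:
    """Peer side: the crypto-map ACL is a list of (peer's own network, our network) pairs.

    The peer replies to whatever address it saw. If that address is outside its
    ACL, the reply is routed in the clear via the internet instead of the tunnel.
    """
    for local_net, remote_net in crypto_acl:
        if peer_src in local_net and reply_dst in remote_net:
            return "tunnel"
    return "internet"


def round_trip(src: IPv4, dst: IPv4, policies: list[Phase2],
               crypto_acl: list[tuple[Net, Net]]) -> tuple[str, str]:
    """(outbound path, reply path) for one LAN host talking to one remote host."""
    out, seen_src = outbound_path(src, dst, policies)
    if out != "tunnel":
        return out, "internet"
    return out, peer_reply_path(dst, seen_src, crypto_acl)


# Constructed addresses (RFC 5737 documentation ranges), not the thread's real values.
LAN = Net("192.0.2.0/24")           # our LAN behind the firewall
TRANSLATED = Net("203.0.113.0/24")  # network the supporter expects to see us as
REMOTE = Net("198.51.100.0/24")     # supporter's hosts
PEER_ACL = [(REMOTE, TRANSLATED)]   # the Cisco side only permits REMOTE <-> TRANSLATED

# Question's config: local selector = translated network, no BINAT.
BROKEN = [Phase2(local=TRANSLATED, remote=REMOTE)]
# LAN as local selector but no BINAT (would be rejected by this peer at negotiation; shown for contrast).
LAN_NO_BINAT = [Phase2(local=LAN, remote=REMOTE)]
# Answer's config: local = LAN, BINAT onto the translated network.
FIXED = [Phase2(local=LAN, remote=REMOTE, binat=TRANSLATED)]

if __name__ == "__main__":
    host, server = IPv4("192.0.2.10"), IPv4("198.51.100.20")
    for name, pol in (("broken", BROKEN), ("lan-no-binat", LAN_NO_BINAT), ("fixed", FIXED)):
        print(f"{name:13s} {round_trip(host, server, pol, PEER_ACL)}")
```

The first configuration never matches LAN sources, so LAN traffic bypasses the tunnel entirely; the second sends traffic out but the peer sees an untranslated LAN address and its reply leaks to the internet, which is the symptom the question describes; only the BINAT variant matches on both sides in both directions.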
