ipsec - site to site - packets not going through tunnel on my site [solved]



  • Hello,
    I know there are many entries with the same topic, but sadly I can't get the tunnel to work properly. Normally we are using OpenVPN site-to-site and for clients and it's working without any problems, but our new supporter needs an IPsec tunnel.

    Here are the configurations that seem to work "a little bit":
    The tunnel starts and stays connected and I can see packets in the log file when filtering for IPsec as the interface. However, no RDP connection or ping is possible, and it seems that the packets get to the server but come back not through the tunnel but through the internet.

    Cisco configuration from the other endpoint:

    Internet IP: 13.141.121.200

    IKE Policy - Phase 1 5 (AES-256, MD5, Group 5, 86400)
    IPSec Policy - Phase 2 AES-256-MD5

    access-list CM_1518 extended permit ip host 13.141.121.201 10.4.11.120 255.255.255.252
    crypto map outside_map 1518 match address CM_1518
    crypto map outside_map 1518 set peer 223.18.16.22
    crypto map outside_map 1518 set ikev1 transform-set AES-256-MD5
    crypto map outside_map 1518 set nat-t-disable

    NAT:
    10.4.11.120 10.1.20.60 host1
    10.4.11.121 10.1.20.145 host2
    10.4.11.122 10.1.20.146 host3
    10.4.11.123 10.1.20.149 host4

    My configuration:

    Phase 1
    Remote Gateway 13.141.121.200

    Phase2
    Local Network - Network 10.4.11.120 /30
    Remote Network - 13.141.121.201

    NAT: (example for one host)
    -> I want NAT entries for all ports like on the Cisco but don't know how to set that up. pfSense always wants to know ports. (Not a problem)
    Interface: IPsec
    Protocol: UDP/TCP
    Destination: 10.4.11.120
    Port range: MS RDP
    Redirect target IP: 10.1.20.60
    Redirect target port: MS RDP

    Additionally there is an ICMP NAT for testing.

    Rules:
    Any to Any on the IPsec tab for testing and logging. Will be changed when it works.
    Any to 500 on WAN
    Any to 4500 on WAN
    (Any will be changed to the IP when it works)

    Confusion:

    1. Is the entry "local subnet" correct? I thought I had to enter my LAN subnet there, but then the tunnel will not start, with a hash ID error (wrong subnet). The configuration here is the only one working. I have tested all possible combinations.
    2. Can I enter a simple NAT like "everything that goes to IP 1 goes to IP 2"?
    3. What can I do to tell pfSense to route traffic through the tunnel? I have read many times "everything is done automatically in IPsec" but it doesn't work ;)

    If you need more information, just tell me. Sadly I can't produce log entries, because I have no hosts to ping. The purpose of the VPN tunnel is to give access to the support



  • After reading a book about VPNs I understood subnetting with an IPsec VPN and found the solution:

    Phase 2 must be configured like this:

    Phase2
    Local Network - LAN Network
    NAT / BINAT 10.4.11.120 /30
    Remote Network - 13.141.121.201
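To make the point of both posts concrete (why the Phase 2 "local network" has to be the translated /30 rather than the LAN, and what happens to a packet either way), here is an added example; it is not code from the thread or from pfSense. The selector addresses are the ones quoted above. Everything else is an assumption for illustration: the LAN prefix (the thread never states it, so a /30 slice around 10.1.20.60 stands in for it so that a 1:1 mapping onto 10.4.11.120/30 is well-defined), the modelling of pfSense BINAT as an offset-preserving 1:1 translation between two equal-size networks, and all function names.

```python
"""
Added example: Phase 2 selector agreement and BINAT for a site-to-site tunnel.

Selectors and addresses are those quoted in the thread. PF_LAN is an assumed
/30 slice of the LAN (the thread does not give the LAN prefix); BINAT is
modelled as an offset-preserving 1:1 translation between equal-size networks.
"""
from ipaddress import IPv4Address, ip_address, ip_network

# Cisco side, from its crypto ACL: local host <-> the NATted pfSense range.
CISCO_LOCAL = "13.141.121.201/32"
CISCO_REMOTE = "10.4.11.120/30"
# pfSense side. PF_LAN is an assumed /30 slice standing in for the real LAN.
PF_LAN = "10.1.20.60/30"
PF_BINAT = "10.4.11.120/30"
PF_REMOTE = "13.141.121.201/32"


def mirrors(a_local, a_remote, b_local, b_remote):
    """Phase 2 (Quick Mode) selectors: A's (local, remote) must be exactly
    B's (remote, local). Otherwise the peer rejects the proposal and no SA
    is established for that pair."""
    return (ip_network(a_local) == ip_network(b_remote)
            and ip_network(a_remote) == ip_network(b_local))


def binat(addr, src_net, dst_net):
    """1:1 network translation: keep the host offset, swap the network part."""
    src_net, dst_net, addr = ip_network(src_net), ip_network(dst_net), ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT networks must be the same size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + offset)


def outbound(src, dst, local_sel, remote_sel, lan=None, nat=None):
    """Path of a LAN packet. Returns ("tunnel", source as the peer sees it)
    or ("internet", source): a source/destination pair not covered by the
    Phase 2 selectors matches no SA and is routed by the ordinary routing
    table, i.e. it leaves the WAN in the clear."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in ip_network(remote_sel):
        return ("internet", str(src))
    sent_as = src
    if lan is not None and nat is not None and src in ip_network(lan):
        sent_as = binat(src, lan, nat)      # BINAT is applied before encryption
    if sent_as in ip_network(local_sel):
        return ("tunnel", str(sent_as))
    return ("internet", str(src))


def inbound(src, dst, local_sel, remote_sel, lan=None, nat=None):
    """Reverse path. The peer addresses the BINAT address; after decryption
    it is mapped back to the LAN host. Returns ("lan", host) or
    ("drop", dst) when the packet lies outside the negotiated selectors."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in ip_network(remote_sel) or dst not in ip_network(local_sel):
        return ("drop", str(dst))
    if lan is not None and nat is not None:
        dst = binat(dst, nat, lan)
    return ("lan", str(dst))


if __name__ == "__main__":
    # First attempt in the thread: LAN as local network -> selectors do not mirror.
    print("LAN as local selector mirrors Cisco ACL:  ",
          mirrors(PF_LAN, PF_REMOTE, CISCO_LOCAL, CISCO_REMOTE))
    # Working config: the BINAT network as local selector.
    print("BINAT as local selector mirrors Cisco ACL:",
          mirrors(PF_BINAT, PF_REMOTE, CISCO_LOCAL, CISCO_REMOTE))
    # Same packet from host1, without and with the BINAT translation.
    print("no BINAT:", outbound("10.1.20.60", "13.141.121.201", PF_BINAT, PF_REMOTE))
    print("BINAT:   ", outbound("10.1.20.60", "13.141.121.201", PF_BINAT, PF_REMOTE, PF_LAN, PF_BINAT))
    print("reply:   ", inbound("13.141.121.201", "10.4.11.120", PF_BINAT, PF_REMOTE, PF_LAN, PF_BINAT))
```

The two checks worth carrying over to a real setup are the ones the functions encode: the peer's crypto ACL and your Phase 2 entry must be exact mirrors, and the addresses your hosts present inside the tunnel (after BINAT) must fall inside that selector, or the traffic is never matched by an SA and simply follows the default route.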

