Netgate Discussion Forum
    IPSec Site to Site with peer behind CGNAT

    Tags: ipsec, site-to-site, cgnat
    mohsh86 wrote:

      It is a bit of a weird setup, but I am kinda stuck with it:

      Site 1:

      • pfSense is our internal router and the target IPsec host. However, it is sitting behind a Unifi USG 4 Pro (with a public static IP address).
        Unifi config:
        * Ports 500 and 4500 forwarded to the WAN interface of pfSense.
        * Firewall WAN IN: EH & ESP accepted.

      Site 2:

      • Huawei AR502 4G modem at a remote workshop; this device is behind CGNAT.

      I was wondering if a site-to-site IPsec would be possible? Would the pfSense at HQ accept a remote gateway of 0.0.0.0 (Responder Only checked)?

      Or do I need to enable Mobile Remote Access VPN for this to work?

      P.S. 1: The Huawei VPN wizard shows the following usage scenario. I was wondering whether it expects the site-to-site case to have public IP addresses on both ends, and whether "Branch Site" is more like the Mobile Remote Access option in pfSense?
      [image: Huawei VPN wizard usage-scenario diagram]

      Konstanti replied to mohsh86:

        @mohsh86
        Hey,
        yes, it is possible to do.
        There are two options:

        1. Try to use DynDNS (I'm not sure if this will work correctly if the client's IP address changes).
        2. Make manual changes to the pfSense configuration file so that you can establish a site-to-site connection from any IP address (non-fixed IP), as is done for the mobile clients. (This option works fine, but every time you update pfSense you need to make the changes to the file again.)
        mohsh86 wrote:

          For anyone who is interested (n00b here), I got it to work (branch to pfSense only):

          Phase 1 remote subnet on pfSense has to be 0.0.0.0 with the Responder Only option checked.

          On the Huawei side, the following command had to be configured:

          ipsec authentication sha2 compatible enable
          

          The result is:

          [image: pfSense IPsec status screenshot showing the tunnel established]

          The problem now is that pfSense does not send traffic destined for the remote subnet (i.e. 10.2.20.0) through IPsec; it uses WAN0 for that. Any ideas?

          [update] Working now, I was pinging from the wrong device.

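A worked example of the responder-only, any-peer tunnel that mohsh86 ended up with, and that Konstanti's option 2 describes, written as the strongSwan swanctl.conf that pfSense's IPsec stack runs underneath. This is an added example, not configuration from the thread, from Netgate or from pfSense's generator; the addresses (RFC 1918 and RFC 5737 placeholders), identities, subnets and the PSK are assumptions, and the Huawei side is not shown because the thread only records the one `ipsec authentication sha2 compatible enable` command for it. The pfSense Phase 1 setting in play is the remote gateway, which maps to `remote_addrs` below; the Phase 2 networks map to `local_ts` / `remote_ts`.

```conf
# swanctl.conf: IKEv2 responder that accepts a site-to-site peer whose
# source address is unknown and changes (CGNAT). Added example; every
# address, name and secret below is a placeholder.
connections {
    workshop-ar502 {
        version = 2
        # pfSense WAN is itself a private address behind the USG,
        # which forwards UDP 500/4500 to it.
        local_addrs  = 192.168.1.2
        # Peer is behind CGNAT: match any source address. This is the
        # "remote gateway 0.0.0.0" from the thread, so the IKE identity
        # and the secret below are the only things keeping strangers out.
        remote_addrs = %any
        # NAT on both ends: force UDP-encapsulated ESP rather than
        # relying solely on NAT-T detection.
        encap = yes
        # Responder only: we cannot dial a CGNAT address, so never
        # initiate; dead-peer detection just tears down a stale SA.
        dpd_delay = 30s
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = hq.example.net              # FQDN identity we present
        }
        remote {
            auth = psk
            # Pin the branch by the identity the AR502 sends instead of
            # leaving this open; with remote_addrs = %any an open id
            # would let any host that knows the PSK bring the tunnel up.
            id = workshop.example.net
        }
        children {
            workshop-lan {
                local_ts  = 10.1.10.0/24     # HQ LAN behind pfSense
                remote_ts = 10.2.20.0/24     # workshop LAN (subnet from the thread)
                # HMAC-SHA2-256 integrity; the Huawei "sha2 compatible"
                # command in the thread was needed for the AR502 to
                # agree with this.
                esp_proposals = aes256-sha256
                start_action = none          # wait for the branch to connect
                dpd_action = clear
            }
        }
    }
}

secrets {
    ike-workshop {
        id-1 = hq.example.net
        id-2 = workshop.example.net
        # Placeholder: use a long random PSK, or switch both ends to
        # certificates, since the address no longer identifies the peer.
        secret = "replace-with-a-long-random-pre-shared-key"
    }
}
```

Load it with `swanctl --load-all` and, once the AR502 has dialled in, confirm with `swanctl --list-sas` that exactly one IKE_SA is up and that its remote identity is the pinned one. For Konstanti's option 1 the `%any` would become the branch's DynDNS hostname, but a responder still only ever sees the address the CGNAT gateway presents, which is why the open address match plus a pinned identity is the form that works. The routing confusion at the end of the thread is expected with policy-based IPsec: the 10.2.20.0/24 traffic does not appear in the routing table (a route lookup shows the WAN), because the kernel's security policy captures it on the way out and wraps it in ESP; the tunnel is working if the ESP counters in `swanctl --list-sas` increase while you ping from a host inside `local_ts`.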
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.