Ipsec Configuration not Working!

ibnkamala · Jun 13, 2022, 3:29 PM

@gabacho4 in my real configuration I will be using https://shop.netgate.com/products/6100-max-pfsense instead of SiteA but still will be behind NAT and won't be here in France it will be in Barcelona

Concerning the SiteB / there won't be any changes. which will happen in 3 days. on Th 16th of June. but for behind a proper firewall and router.

But I wanted to do the manipulation to see how it works, but sadly I am not there yet :)

gabacho4 · Jun 13, 2022, 4:03 PM

@ibnkamala I don't see that the port forwarding allows the esp protocol through. This is why most internet devices support IPsec passthrough. Can you put the Pfsense box on a DMZ and then try. Looking at your logs, it looks like SiteB tries to connect to SiteA but never gets a response. Would seem to indicate to me that things are not getting through.

ibnkamala · Jun 13, 2022, 4:05 PM

@gabacho4 will do that.

luckman212 · Jun 13, 2022, 5:03 PM

Now that both boxes are on 2.6, may I suggest switching to WireGuard since it is more NAT friendly, and requires just a single UDP port to be forwarded. You can try this without disturbing the IPsec config you have done so far (just disable the P1 to test)

https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

ibnkamala · Jun 13, 2022, 5:36 PM

@luckman212 what do you mean exactly I have to disable phase1 in both sites, then how can we test ? I will forward simple to the Pfsense.

luckman212 · Jun 13, 2022, 6:41 PM

@ibnkamala I am saying: forwarding the ports and protocols needed to make IPSEC work in a double-NAT scenario (such as you have) is not an easy task. It seems you might be a little over your head with it.

So, I suggested changing strategy and trying Wireguard, which is a completely different protocol, to establish the site-to-site tunnel. I posted a link to the guide so you could try to set it up.

If you do give that a try, just stick to the default port (udp/51820) and forward that port from "Simple Internet Box" to your inside SiteA pfSense, and also forward from SiteB Sonicwall to pfSense. It's just another possible solution.

gary.lopez · Oct 3, 2022, 4:18 PM

@gabacho4 tenia este problema y exactamente esta era la solucion, mis 2 firewalls estan detras del NAT, me funciono perfectamente para la conexion IPSEC. Solo me sucedio de Pfsense a Pfsense.
aclaro, uso la version 2.6, tal vez el compañero deba actualizar la su version.

gabacho4 · Oct 3, 2022, 4:29 PM

@gary-lopez quieres decir que usando el KeyID era la clave para tu éxito? Lo siento pero después de cuatro meses y muchos mensajes entre mi y el amigo, no estoy seguro cual te ayudo. De todas maneras te felicito.

gary.lopez · Oct 3, 2022, 4:42 PM

@gabacho4 Asi es, ya estoy un poco familiarizado, no soy experto pero ese problema lo tenia desde hace meses pero no le dedique mucho tiempo ya que en produccion tengo de Pfsense a un Fortigate y me dejo levantar la VPN sin la necesidad de poner la KEY ID, use como identificador My IP Address que es la que te da por Default. Otra ventaja que tengo es que mi ISP o modem lo tengo en DMZ y el servico de Dynamic DNS en el pfsense.

gabacho4 · Oct 3, 2022, 4:56 PM

@gary-lopez es posible que haya otra solución pero no he experimentado hasta ahora. Una de mis instancias de pfsense esta detras de NAT y la otra no. Ya que pude hacer la conexión de esta manera no quise gastar mas tiempo y energía. Si te dan las ganas un día de estos, deberías investigar VTI IPSec ya que ese tipo te da una interfaz y gateway que puedes usar para PBR etc.

gary.lopez · Oct 3, 2022, 5:31 PM

@gabacho4 Tomare en cuenta tus comentarios, muchas gracias por comentar mi estimado, espero apoyar algun dia, y a seguir investigando. Saludos desde Mexico

gabacho4 · Oct 3, 2022, 5:45 PM

@gary-lopez viva la raza carnal!