IPSec at OPT1. Is it really possible???



  • As I heard, RC2 can establish an IPSec tunnel at OPT1 (2nd WAN). I tested it several times but I failed. Is there any special method to establish IPSec at OPT1? If there is, please advise me.

    Below is the method I tested.

    1. I unplugged the internet from WAN and plugged it into OPT1.
    2. Changed IPSec interface to OPT1 from WAN (VPN -> IPSec)
    3. Changed gateway of LAN's firewall rules to OPT1's gateway (Firewall -> Rules -> LAN)
    I tried to establish IPSec at this stage but failed.
    4. So I made Outbound NAT for the OPT1 interface.
    But it does not work.

    Thank you.



  • Leave the LAN rules at the default gateway or at least create rules for the remote subnets to pass out the default gateway. Policy-based routing and/or load balancing are routing packets around the IPsec tunnel directly to the OPT1 gateway if you don't exclude it.

    You also don't need outbound NAT for OPT1 (unless you need advanced outbound NAT for anything special). pfSense creates NAT automatically for every interface that has a gateway set.

    Also upgrade to RC2e please: http://forum.pfsense.org/index.php/topic,1820.msg10603.html#msg10603
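The rule-ordering point made above, as an added example (not code from this thread or from pfSense): a small model of first-match LAN rule evaluation with per-rule gateways, showing why a policy-routing rule sends traffic for the remote IPsec subnet straight to the OPT1 gateway, and how an exclusion rule placed first keeps it on the default gateway. Subnets, gateway names and rule order are constructed for illustration.

```python
# Added example (not from the forum post or pfSense's own code): a model of
# first-match firewall rule evaluation with per-rule gateways. Subnets and
# gateway names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    src: str                 # source network, e.g. the LAN subnet
    dst: str                 # destination network ("0.0.0.0/0" = any)
    gateway: Optional[str]   # None = default gateway (normal routing table)

def pick_gateway(rules, src_ip, dst_ip):
    """Return the gateway assigned by the first matching rule, 'default' when
    the rule sets none, or None when no rule matches (packet would be dropped)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst):
            return r.gateway or "default"
    return None

# Constructed topology: LAN 192.168.1.0/24, remote IPsec subnet 192.168.2.0/24.
LAN, REMOTE = "192.168.1.0/24", "192.168.2.0/24"

# The poster's setup: a single LAN rule with the gateway forced to OPT1.
pbr_only = [Rule(LAN, "0.0.0.0/0", "OPT1_GW")]

# The suggested fix: match the remote subnet first with the default gateway so
# the kernel's IPsec SPD can pick it up; everything else may still use OPT1.
with_exclusion = [
    Rule(LAN, REMOTE, None),
    Rule(LAN, "0.0.0.0/0", "OPT1_GW"),
]

def bypasses_ipsec(rules, dst_ip, src_ip="192.168.1.10"):
    """True when the packet is policy-routed to OPT1_GW, bypassing the tunnel."""
    return pick_gateway(rules, src_ip, dst_ip) == "OPT1_GW"

if __name__ == "__main__":
    for name, rules in (("PBR only", pbr_only), ("with exclusion", with_exclusion)):
        print(name, "-> remote subnet bypasses IPsec:",
              bypasses_ipsec(rules, "192.168.2.20"),
              "| internet gateway:", pick_gateway(rules, "192.168.1.10", "203.0.113.5"))
```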



  • I upgraded to RC2e and tested again. But still it does not work. I removed the outbound NAT. And I tested with both the default gateway and the OPT1 gateway in the LAN rule. FYI, I used PCEngines' WRAP.

    If you have time, could you test it again at your side? I appreciate your help.

    Thank you.



  • Just got a confirmation at IRC this weekend from somebody who has a 5 WAN setup and his IPSEC running at OPT1. I'll maybe test it again this evening.



  • Did you test it? I tested it with RC2g again. But it doesn't work.



  • Unfortunately I have to say it failed for me in my test. We had it working at the hackathon. There are chances that the connection at OPT can only be used if the other end is bringing up the tunnel (this is what I tested at the hackathon). What I tried yesterday in my lab at home was to establish a tunnel between two pfSense boxes with the OPT interfaces at each box as endpoints. We'll have to look into it and see what we can do.



  • It's not good news. But many thanks for your testing.

    Today, I updated pfSense to RC2h. And I made some tests and found some strange things. I hope it will help you to find the problem with IPSec at OPT1.

    1. I disabled the IPSec and made the two tests below, a and b.
    a. DHCP on WAN and OPT1 - I can access Internet through OPT1 when I leave the LAN rule at default gateway.
    b. Static on WAN and OPT1 - I cannot access Internet through OPT1 when I leave the LAN rule at default gateway. But I can access Internet after I change the LAN rule's gateway to OPT1's gateway.

    2. I enabled the IPSec at OPT1.
    a. DHCP on WAN and OPT1 with the LAN rule at default gateway - I cannot even see the SPD on the IPSec status page.
    b. Static on WAN and OPT1 with the LAN rule at default gateway - I cannot access the Internet. But I can see the SPD on the IPSec status page and I found some IPSec logs showing that IPSec tried to establish the tunnel and it failed. Below is the IPSec log.

    Sep 3 02:21:57 racoon: ERROR: phase1 negotiation failed due to time up. 28cde7f46500a3aa:0000000000000000
    Sep 3 02:21:28 racoon: INFO: delete phase 2 handler.
    Sep 3 02:21:28 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 210.109.xx.xx[0]->210.106.XX.XX[0]
    Sep 3 02:20:57 racoon: phase1(agg I msg1): 0.102666
    Sep 3 02:20:57 racoon: oakley_dh_generate(MODP768): 0.089224
    Sep 3 02:20:57 racoon: INFO: begin Aggressive mode.
    Sep 3 02:20:57 racoon: INFO: initiate new phase 1 negotiation: 210.106.xx.xx[500]<=>210.109.xx.xx[500]
    Sep 3 02:20:57 racoon: INFO: IPsec-SA request for 210.109.xx.xx queued due to no phase1 found.

    c. Static on WAN and OPT1. I changed the LAN rule's gateway to OPT1's gateway - Now I can access the Internet through OPT1. And I can see the SPD on the IPSec status page. But I cannot find any logs that IPSec tried to establish the tunnel even after I ping the remote subnet.

    For a more accurate test, all tests were made with WAN disconnected.

    Thank you.

