IPSec to USG behind NAT
-
Hi All,
I have been testing a configuration with a Unifi USG Ultra which sits behind a NAT (for testing this is behind a PFSense firewall with ports 500 and 4500 forwarded), as the location I am working on setting up only provides an ISP router with no modem mode :(.
I have configured the IPSec tunnel on PFSense as follows:
The identifier for the remote USG is set up to be the local IP (10.2.2.5). However, the connection seems to hang and then get destroyed (logs have been attached).
For the purposes of uploading the logs I have changed the public IPs as follows:
PFSense (local) = 100.1.0.161
NAT IP to USG (behind second PFSense) = 100.0.0.139
USG Internal IP = 10.2.2.5
USG Subnet = 192.168.10.0/26
Export of logs: IPSecLogs.zip
It looks as if the connection between the USG and the PFSense I am connecting to times out. Is there a way that I can easily check the traffic is being forwarded by the PFSense firewall?
Any insight into why this might not be working, or if there is a way of testing connectivity, would be amazing.
Once I have this working, I will write up a guide and leave it here on the forum just in case anyone else is attempting a similar setup.
Regards,
Tom -
@tompark said in IPSec to USG behind NAT:
It looks as if the connection between the USG and the PFSense I am connecting to times out. Is there a way that I can easily check the traffic is being forwarded by the PFSense firewall?
You can check pftop to see the state table. Doc is here
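As an added example (not from this thread), a small shell helper that filters `pfctl -ss` output, the same state table pftop displays, for the IKE (udp/500) and NAT-T (udp/4500) states with the remote peer and reports whether each one has seen replies. It assumes pf's usual `internal (external) <- remote   STATE:STATE` layout for port-forward states and pf's UDP state names; the sample lines are constructed from the IPs given above.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output as seen on the NAT-side pfSense
# (assumed layout: "all proto internal (external) <- remote   STATE:STATE" for
# port-forward states). 100.1.0.161 = remote pfSense, 100.0.0.139 = this WAN,
# 10.2.2.5 = USG. On a real box feed it from: pfctl -ss
SAMPLE_STATES='all udp 10.2.2.5:500 (100.0.0.139:500) <- 100.1.0.161:500       SINGLE:NO_TRAFFIC
all udp 10.2.2.5:4500 (100.0.0.139:4500) <- 100.1.0.161:4500       MULTIPLE:MULTIPLE
all tcp 10.2.2.5:51234 -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED'

# natt_report PEER  (state table on stdin)
# Prints one line per udp/500 (IKE) or udp/4500 (NAT-T) state with PEER:
#   udp/<port> <one-way|two-way> <pf state pair>
# pf's UDP state pair is initiator:responder; NO_TRAFFIC on either half means
# that side has never sent a packet, i.e. the forwarded IKE packet got no reply.
natt_report() {
    awk -v peer="$1" '
        $2 == "udp" && (index($0, peer ":500 ") || index($0, peer ":4500 ")) {
            port = index($0, peer ":4500 ") ? 4500 : 500
            split($NF, st, ":")
            verdict = (st[1] == "NO_TRAFFIC" || st[2] == "NO_TRAFFIC") ? "one-way" : "two-way"
            printf "udp/%d %s %s\n", port, verdict, $NF
        }'
}

# natt_ok PEER  (state table on stdin)
# Succeeds only when a udp/4500 state with PEER has traffic both ways: behind
# NAT, IKE moves to 4500 once NAT is detected, so a working tunnel shows this.
natt_ok() {
    natt_report "$1" | grep -q '^udp/4500 two-way'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_STATES" | natt_report 100.1.0.161
if printf '%s\n' "$SAMPLE_STATES" | natt_ok 100.1.0.161; then
    echo "NAT-T state with peer is two-way"
else
    echo "no two-way NAT-T state with peer: check the 500/4500 forwards and USG replies"
fi
```

A udp/500 line that stays at SINGLE:NO_TRAFFIC while nothing appears on 4500 means the forward is delivering packets but the USG is not answering, which narrows the fault to the USG side rather than the port forward.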