source interface ip wrong
-
Hi all,
I have a tunnel between 2 sites. Recently, one end has changed ISP and they have gotten a static IP; however, I think they do something funky where they map a public IP to a CGNAT IP and hand that to the firewall.
The firewall WAN IP is 10.100.69.250, with its gateway being 10.100.69.249 when looking in the console, but when doing a DNS lookup, it's got a true public IP address, and the OpenVPN server running on it works as expected.
The IPsec tunnels on both ends use DNS for resolving the IPs that they need to connect to; however, as the WAN interface IP is showing in the dashboard as the 10.100.69.250 IP, I suspect that this is why it is not connecting the tunnel.
I have tried changing the identifier settings to a variety of different things, but none of them have changed the "source" that is shown in the console. The actual public IP from the firewall is getting updated in DDNS correctly. I suspect that this "source" is what is getting used as the identifier for the other end and causing the issue.
I have also tried things like responder only and initiator only on each end, etc.
-
@jbates58 Is NAT Traversal enabled?
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#advanced-options
The router with the private IP will need to connect to the router with the public IP, unless ports can be forwarded to pfSense.
Also, My Identifier can be a dynamic DNS hostname, if that helps.
-
@jbates58 The right side connects to the left side?
The listener/server is site B here: https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html#site-b and has a few differences like Child SA Start Action, Lifetime and Child SA Close Action.
I can see one end of a client's tunnel from here, and Dead Peer Detection is off for it; I want to say we did that on both ends but am not sure offhand. On that router we have "Peer identifier" set to the FQDN of the other end.
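As an added example that is not part of this thread or of pfSense itself, here is a small Python pre-flight check that captures the advice in the two replies above: compare the WAN address the dashboard shows with the address the DDNS name resolves to, and from that decide whether NAT Traversal is needed, whether the identifier can still be the WAN IP, and which side has to initiate. The addresses are constructed (the 10.100.69.250 one mirrors the original post), and the dictionary labels are mine, not pfSense option names.

```python
"""Pre-flight check for an IPsec peer whose WAN address differs from its public one.
Added example, not pfSense code. Sample addresses are constructed."""
import ipaddress

# RFC 1918 private space and RFC 6598 shared (carrier-grade NAT) space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Label an IPv4 address as rfc1918, cgnat or public (anything else)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    return "public"


def diagnose_site(wan_ip: str, ddns_ip: str) -> dict:
    """Compare the address pfSense sees on WAN with the one the DDNS name resolves to.

    If they differ, the ISP is translating: NAT Traversal is required, the local
    identifier must not be the WAN address (a dynamic DNS hostname works), and this
    side cannot act as the listener unless UDP 500/4500 are forwarded in to it.
    """
    behind_nat = wan_ip != ddns_ip
    return {
        "wan_class": classify(wan_ip),
        "behind_nat": behind_nat,
        "nat_traversal": behind_nat,
        "my_identifier": "dyn_dns" if behind_nat else "my_ip",
        "can_listen": not behind_nat,
    }


def plan_tunnel(site_a: dict, site_b: dict) -> str:
    """Pick initiator/responder roles from the two diagnoses."""
    a, b = site_a["can_listen"], site_b["can_listen"]
    if not a and not b:
        return "both_nated: needs port forwarding on one side"
    if a and not b:
        return "b_initiates"
    if b and not a:
        return "a_initiates"
    return "either"


if __name__ == "__main__":
    # Constructed: WAN shows an RFC 1918 address, DDNS shows the real public one.
    nated = diagnose_site("10.100.69.250", "203.0.113.10")
    public = diagnose_site("198.51.100.20", "198.51.100.20")
    print(nated, public, plan_tunnel(nated, public))
```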