IPSec endpoint at LAN

    Is it not possible to have an IPSec endpoint on the LAN?
    In my setup I have public IPs on both WAN and LAN. In pfSense, NAT is disabled ("advanced mode" and no rules).

    On the LAN side there is another firewall, and I would like to make an IPSec tunnel from outside the pfSense to the LAN firewall. The LAN firewall is allowed ALL traffic in both directions in pfSense. I have also disabled "Block private networks" on the WAN interface.

    The tunnel works fine if I place the VPN client on the LAN (when the traffic doesn't pass through pfSense), but when I place the VPN client on the outside no tunnel is created. It seems like the LAN firewall tries to answer (it says "responding to Main Mode") but the VPN client doesn't receive the packets, and starts from the beginning.

    Does anyone have any idea of what's wrong?
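The symptom above (responder logs "responding to Main Mode", initiator never sees the reply) is best pinned down by capturing on both pfSense interfaces at once and comparing which IKE (UDP 500/4500) and ESP packets appear on each side. The script below is an added example, not part of the original post or of pfSense: it parses simplified tcpdump-style lines and reports the first hop at which a flow disappears. The addresses, interface roles and capture lines are constructed for illustration; on a real box you would feed it the output of something like `tcpdump -ni <wan_if> udp port 500 or udp port 4500 or esp` and the same on the LAN interface.

```python
"""Compare IKE/ESP packets seen on pfSense's WAN and LAN interfaces to find
where a tunnel's packets stop. Added example; captures below are constructed."""
import re
from collections import Counter

# Simplified tcpdump -nn style lines: "<time> IP <src>[.port] > <dst>[.port]: <info>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)
IKE_PORTS = {"500", "4500"}  # IKE and NAT-T

# Constructed sample: the outside client (203.0.113.10) sends Main Mode
# requests; the LAN firewall (198.51.100.20) answers, but its replies are
# only visible on the LAN interface, never on the WAN interface.
WAN_CAPTURE = """\
12:00:01.000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:02.000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
"""
LAN_CAPTURE = """\
12:00:01.001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:01.002 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:02.001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:02.002 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
"""


def parse_capture(text):
    """Return a list of (src, dst, kind) for IKE and ESP packets only."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a packet line we understand
        d = m.groupdict()
        if d["sport"] in IKE_PORTS or d["dport"] in IKE_PORTS:
            kind = "IKE"
        elif d["info"].startswith("ESP"):
            kind = "ESP"  # ESP lines carry no ports, so classify by payload
        else:
            continue
        pkts.append((d["src"], d["dst"], kind))
    return pkts


def diagnose(wan_text, lan_text, client_ip, lan_fw_ip):
    """Compare per-direction counts on WAN vs LAN and describe any gap."""
    wan = Counter(parse_capture(wan_text))
    lan = Counter(parse_capture(lan_text))
    findings = []
    for kind in ("IKE", "ESP"):
        fwd = (client_ip, lan_fw_ip, kind)  # outside client -> LAN firewall
        rev = (lan_fw_ip, client_ip, kind)  # LAN firewall -> outside client
        if wan[fwd] and not lan[fwd]:
            findings.append(f"{kind} {client_ip}->{lan_fw_ip}: seen on WAN, "
                            "missing on LAN (not forwarded by pfSense)")
        if lan[rev] and not wan[rev]:
            findings.append(f"{kind} {lan_fw_ip}->{client_ip}: seen on LAN, "
                            "missing on WAN (not forwarded by pfSense)")
        if wan[fwd] and lan[fwd] and not lan[rev]:
            findings.append(f"{kind} {client_ip}->{lan_fw_ip}: delivered, "
                            f"but {lan_fw_ip} sent no reply")
    return findings


if __name__ == "__main__":
    for line in diagnose(WAN_CAPTURE, LAN_CAPTURE, "203.0.113.10", "198.51.100.20"):
        print(line)
    # -> IKE 198.51.100.20->203.0.113.10: seen on LAN, missing on WAN (not forwarded by pfSense)
```

With the constructed captures the reply direction is the one that vanishes between LAN and WAN, which points at the return path through pfSense (filter state, reply-to or routing of the responder's packets) rather than at the LAN firewall's IKE configuration; if instead the request never shows up on LAN, the inbound WAN rule or blocked-network setting is the first thing to check.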


