pfSense, m0n0wall and IPsec
-
Thanks.
Just wondering, as I am having an issue with some sites, as I have been assigned the task of looking after the firewalls.
I have never set up IPsec before and would like to know:
When setting up IPsec, do you always use mobile client on the other end (remote site) as the tutorial says?
-
If you have static IPs at both ends you should set up tunnels at both ends and not use mobile clients. The mobile client tutorial is for the special case where one end has a dynamic IP. Setting up tunnels at both ends is even easier.
-
The m0n0wall has a static IP but everything behind it is DHCP, so if I understand you correctly it would be set to a tunnel at each end instead of mobile on the m0n0wall end?
-
If the WAN IPs of both ends are static, just create the tunnels identically at each end. This way the tunnel can be established from either end. When using the mobile client option it can only be established from the dynamic end to the static one.
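The two definitions "created identically at each end" are mirror images of one another: this end's WAN address and LAN become the peer's remote WAN and remote LAN, and vice versa. The IPsec policy then selects traffic by that local/remote subnet pair, which is why no static routes are needed for the tunnel. The following is an added example (not pfSense or m0n0wall code) that checks a pair of definitions for that mirror property and shows which tunnel a given packet would select; the gateway and subnet values are constructed from documentation address ranges.

```python
"""Mirror check and traffic selection for a pair of site-to-site IPsec tunnel
definitions. Added example, not pfSense or m0n0wall code; the subnet and
gateway values below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TunnelDef:
    """The parts of a site-to-site tunnel definition that must agree at both
    ends: this end's WAN address and LAN, the peer's WAN address and LAN."""
    local_gw: str       # this firewall's static WAN IP
    local_net: str      # LAN behind this firewall
    remote_gw: str      # peer's static WAN IP
    remote_net: str     # LAN behind the peer


def mirror(t: TunnelDef) -> TunnelDef:
    """The definition the peer must carry: local and remote swapped."""
    return TunnelDef(t.remote_gw, t.remote_net, t.local_gw, t.local_net)


def is_mirror(a: TunnelDef, b: TunnelDef) -> bool:
    """True when a and b describe the same tunnel seen from either end."""
    return mirror(a) == b


def check_pair(a: TunnelDef, b: TunnelDef) -> List[str]:
    """Report every field in b that disagrees with the mirror of a."""
    want = mirror(a)
    return [f for f in ("local_gw", "local_net", "remote_gw", "remote_net")
            if getattr(want, f) != getattr(b, f)]


def select_tunnel(tunnels: List[TunnelDef], src: str, dst: str) -> Optional[TunnelDef]:
    """Pick the tunnel whose local/remote selector covers a packet, the way the
    IPsec security policy does: match on the tunnel's LAN pair, not on static
    routes. Returns None when the packet is not tunnel traffic at all."""
    s, d = ip_address(src), ip_address(dst)
    for t in tunnels:
        if s in ip_network(t.local_net) and d in ip_network(t.remote_net):
            return t
    return None


# Constructed sample: pfSense HQ (WAN 198.51.100.1, LAN 10.10.0.0/24) and a
# m0n0wall branch (WAN 203.0.113.7, LAN 10.20.0.0/24).
PFSENSE_SIDE = TunnelDef("198.51.100.1", "10.10.0.0/24", "203.0.113.7", "10.20.0.0/24")
M0N0_SIDE = TunnelDef("203.0.113.7", "10.20.0.0/24", "198.51.100.1", "10.10.0.0/24")
# A mistyped branch definition: the remote LAN entered as /16 instead of /24.
M0N0_SIDE_BAD = TunnelDef("203.0.113.7", "10.20.0.0/24", "198.51.100.1", "10.10.0.0/16")


if __name__ == "__main__":
    print("mirrored:", is_mirror(PFSENSE_SIDE, M0N0_SIDE))
    print("mismatched fields:", check_pair(PFSENSE_SIDE, M0N0_SIDE_BAD))
    print("10.10.0.5 -> 10.20.0.9 uses:", select_tunnel([PFSENSE_SIDE], "10.10.0.5", "10.20.0.9"))
    print("10.10.0.5 -> 192.0.2.1 uses:", select_tunnel([PFSENSE_SIDE], "10.10.0.5", "192.0.2.1"))
```

A mismatch reported by check_pair (a wrong mask on one side is the usual one) gives a tunnel that negotiates fine in one direction and never selects traffic in the other, which looks like "the tunnel is up but nothing passes".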
-
I have this running at the moment: one pfSense with two static WANs and IPsec on both; one of the tunnel endpoints is a m0n0wall (the one on the OPT1 interface, to be exact).
However, I have an issue where the tunnels are active but I cannot get traffic through from the pfSense side; traffic from the m0n0wall will reactivate the tunnel and all is dandy again.
From what I've read so far, racoon is to blame for this, and until I have a better solution I have a continuous ping running from the m0n0wall's end to keep things active.
-
Add a static route at the OPT interface through the OPT gateway to <remote m0n0 IP>/32. I have heard somewhere that this fixes the problem. It seems to handle things correctly for incoming connections at OPT-WAN but is not able to go out the OPT-WAN itself, as the default gateway is on WAN. If that solves it for you we should consider doing this behind the scenes automatically.
-
Okay, well, here it goes.
I am having a problem with the IPsec tunnels in our organization. What is happening is that when connected to the remote site via IPsec, our clients' emails time out and they cannot download files, but they can do anything else normally.
I am running the latest version of pfSense and the remote sites are running the newest release of m0n0wall.
It appears that everything is set correctly. I have played with the MTU and configured it, but to no avail. There are static IPs at each end and routes are in place. I even tried the suggestion above, but no luck.
Very frustrating trying to even retrieve an email that is larger than 5k.
Would like a few suggestions.
Thanks
-
At the m0n0wall, try setting "Allow fragmented IPsec packets" at System > Advanced.
-
For your info.
Don't know what I am missing.
Tried it, no go. Just set up an IPsec tunnel on two different computers over a completely different network and it is responding exactly the same: can't receive email, cannot download files, cannot remote. It may be my imagination running away right now, but it seems when you first start the email program or download there is the first initial install, then it stops. Hope this helps.
-
@Hoba reply 7:
Adding this static route will make the site unreachable from the m0n0wall's IP through the WAN ISP in case of a problem with the ISP on OPT1.
I've added the route anyway to find out if this is the solution and will let you know the result.
-
Are you sure routing is set up correctly back and forth? Besides that, it somehow sounds like an MTU issue. Lower the MTUs at both WANs (m0n0 and pfSense) to 1300. If that helps, raise the values step by step until it breaks again and go back one step. I had a m0n0-pfSense tunnel from work to home for several months and was able to use my Outlook at home connecting to the Exchange server at the office without issues.
Oh, wait… "Routes are in place"??? You don't need static routes. Only set up the tunnels. The routing is determined by the local and remote LAN of the tunnel definition.
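The "lower to 1300, then raise step by step until it breaks" procedure is a manual path-MTU search, and the symptom it addresses (small mails arrive, anything over a few KB stalls) is what a path that silently drops oversized ESP packets looks like. The following is an added example, not from this thread or from pfSense/m0n0wall, that runs the same search automatically by sending Don't-Fragment pings of varying size across the tunnel and binary-searching for the largest that passes. It assumes the ping flags of Linux, FreeBSD and macOS; the probe function is injectable so the search itself can be exercised offline against a modelled link.

```python
"""Path-MTU probe through an IPsec tunnel. Added example, not from the thread
or from pfSense/m0n0wall. It does by binary search what the reply suggests
by hand: start from a size known to pass, raise it until it breaks, back off."""
import platform
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # IPv4 header (20) + ICMP echo header (8), no options


def probe_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with Don't Fragment set.
    Returns True if a reply came back, False if the packet was dropped or a
    'fragmentation needed' error came back. Flag spellings are per OS; the
    FreeBSD form is the one that applies on pfSense itself."""
    system = platform.system()
    if system == "Linux":
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    elif system in ("FreeBSD", "Darwin"):
        cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-D", "-s", str(payload), host]
    else:
        raise RuntimeError(f"no Don't-Fragment ping flags known for {system}")
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def find_path_mtu(host: str, lo: int = 1000, hi: int = 1472,
                  probe: Callable[[str, int], bool] = probe_df) -> int:
    """Largest IP packet that reaches `host` unfragmented, expressed as an MTU.
    `lo` is a payload size expected to pass and `hi` one expected to fail
    (1472 = 1500 - 28 is the usual Ethernet ceiling). `probe` is injectable
    so the search can be tested without a network."""
    if not probe(host, lo):
        raise ValueError(f"even {lo}-byte payloads do not pass; lower lo")
    if probe(host, hi):
        return hi + IP_ICMP_OVERHEAD  # nothing on this path clamps below hi
    while hi - lo > 1:                # invariant: lo passes, hi fails
        mid = (lo + hi) // 2
        if probe(host, mid):
            lo = mid
        else:
            hi = mid
    return lo + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[str, int], bool]:
    """Stand-in for probe_df modelling a link that drops DF packets larger
    than `path_mtu` (a constructed link, used only for offline demonstration)."""
    return lambda _host, payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Offline demonstration against a modelled 1300-byte path. To probe a real
    # tunnel, call find_path_mtu with a LAN address behind the remote end, e.g.
    # find_path_mtu("10.20.0.1"), so the packets are carried inside ESP.
    print(find_path_mtu("10.20.0.1", probe=simulated_probe(1300)))
```

Run it from a host on one LAN against an address on the other LAN, so the probes traverse the tunnel and carry the ESP overhead; the value it prints is the MTU to set (or one step below it, per the reply's advice) on the WAN interfaces, after which larger mail downloads should stop stalling.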