Looking for help on installation. Will make a guide afterwards.
-
I am looking for directions on the setup of this scenario. Once I get it all down I want to put together a guide to help everyone out. There are a lot of pieces out there for instructions but not one that covers a scenario in my opinion.
All network information represent examples and are not real. However, the network settings are intentionally this way so the installation is not as vanilla. Neither PFsense device is the gateway for the WAN network
If you can let me know what I missed or did wrong then thank you in advance.
Here we go:
Main Site:
WAN Network: 172.32.128.232/29
WAN Gateway: 172.32.128.238
LAN Network: 192.168.1.0/24
LAN Gateway: 192.168.1.1
PFsense WAN address: 172.32.128.236
PFsense LAN address: 192.168.1.1
MainDC1 (AD/DNS) address: 192.168.1.11Colo:
WAN Network: 100.192.224.240/28
WAN Gateway: 100.192.224.241
LAN Network: 192.168.2.0/24
LAN Gateway: 192.168.2.1
PFsense WAN address: 100.192.224.248
PFsense LAN address: 192.168.2.1
ColoDC1 (AD/DNS) address: 192.168.2.11
ColoDC2 (AD/DNS) address: 192.168.2.12
ColoSrv1 (IIS/File services) address: 192.168.2.21 Note:IIS is only for internal accessRequirement 1 - Need to establish an IPSEC tunnel from the remote site to the colo site
Requirement 2 - Need to make sure that resources (AD/File Server/IIS) in the colo are accessible from the main site and vice versaFirewall rules - <need additional="" help="" here="">Main Site
IPSEC all open
WAN UDP 500 all open
WAN ESP all open
LAN (Lan Subnet > *) OpenColo Site
IPSEC all open
WAN UDP 500 all open
WAN ESP all open
LAN (Lan Subnet > *) OpenStatic Routes - <need help="" here="">Main Site Device
Colo Site Device
IPSEC Info
Main Site
Mode: Tunnel
Interface: WAN
Local subnet Type: LAN subnet
Remote subnet: 192.168.2.0/24
Remote gateway: 100.192.224.248
Description: To ColoPhase 1 proposal (Authentication)
Negotiation mode: aggressive
My identifier: My IP address
Encryption algorithm: Blowfish
Hash algorithm:SHA1
DH key group: 2
Lifetime: 28800 seconds
Authentication method: Pre-shared key
Pre-Shared Key: examplekeyPhase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: Blowfish, Rijndael (AES)
Hash algorithms: SHA1,MD5
PFS key group: 2
Lifetime seconds: 86400 secondsColo Site
Mode: Tunnel
Interface: WAN
Local subnet Type: LAN subnet
Remote subnet: 192.168.1.0/24
Remote gateway: 172.32.128.236
Description: To Main SitePhase 1 proposal (Authentication)
Negotiation mode: aggressive
My identifier: My IP address
Encryption algorithm: Blowfish
Hash algorithm:SHA1
DH key group: 2
Lifetime: 28800 seconds
Authentication method: Pre-shared key
Pre-Shared Key: examplekeyPhase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: Blowfish, Rijndael (AES)
Hash algorithms: SHA1,MD5
PFS key group: 2
Lifetime seconds: 86400 seconds</need></need>
-
So did this guide here not help?
http://doc.pfsense.org/index.php/VPN_Capability_IPsec
-
Not really. It only helps to a point. It is generalized.
This is a scenario here which is much more useful.
-
Well all of the IPSec setups I have done, Req. 2 worked by default, though I had the auto config of VPN rules option enabled.
What do the logs say? Under Status>System Logs>IPSec VPN
-
I am not there yet. I need help on the static routes for this scenario first.
But so far the Colo device says:
Nov 21 03:56:22 racoon: [Self]: INFO: <device wan="" address="">[500] used as isakmp port (fd=15)
Nov 21 03:56:22 racoon: [Self]: INFO: 1<device lan="" address="">[500] used as isakmp port (fd=14)
Nov 21 03:56:22 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.5.1 (not sure where this is coming from)[500] used as isakmp port (fd=12)
Nov 21 03:56:22 racoon: INFO: unsupported PF_KEY message REGISTERAnd here are the Main Site logs:
Nov 20 08:49:14 racoon: [Self]: INFO: <device wan="" address="">[500] used as isakmp port (fd=15)
Nov 20 08:49:14 racoon: [Self]: INFO: 1<device lan="" address="">[500] used as isakmp port (fd=14)
Nov 20 08:49:14 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Nov 20 08:49:14 racoon: INFO: unsupported PF_KEY message REGISTER</device></device></device></device>
-
Why do you want static routes? Just cause? It should route automatically via IP address (unless you access them via DNS), otherwise you go to System>Static Routes
For the entry it would be the devices DNS name and the IP of the device
-
Even when the PFsense devices are not the default gateway? It was my understanding that there had to be static routes in place when they are not.
-
Yes that is true.
You add it under System>Static Routes
-
What would those entries be in this scenario?
-
So at each location its:
1: WAN->Router(this is the WAN Network)->pfSenseWAN->pfSenseLANYou need to add a static route at the main router that points the network at the main site for the colo to the pfSense box.
COLO
Destination Network:192.168.1.0 /24
Gateway: 172.32.128.236
Main Site
Destination Network: 192.168.2.0 /24
Gateway: 100.192.224.248
-
This is covered in more depth in the book
-
Still nothing.
I added the rules on the WAN interface and I still see no activity.
-
this is done on the device that is the default gateway not pfSense.
If you made the change at this device then see what the IPSec logs say
-
Still no dice. Are these devices flaky when they are running virtually?
-
there are quite a few people running pfSense in a VM (I dont)
I would suggest doing a traceroute, and looking at the logs on all systems (default gateway, pfSense) as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.