Netgate Discussion Forum

    Looking for help on installation. Will make a guide afterwards.

    IPsec
    15 Posts 2 Posters 4.5k Views
    Ilikethisdevice

      I am looking for directions on the setup of this scenario. Once I get it all down I want to put together a guide to help everyone out. There are a lot of pieces out there for instructions but not one that covers a scenario in my opinion.

      All network information represents examples and is not real. However, the network settings are intentionally this way so the installation is not as vanilla. Neither PFsense device is the gateway for the WAN network.

      If you can let me know what I missed or did wrong then thank you in advance.

      Here we go:

      Main Site:

      WAN Network: 172.32.128.232/29
      WAN Gateway: 172.32.128.238
      LAN Network: 192.168.1.0/24
      LAN Gateway: 192.168.1.1
      PFsense WAN address: 172.32.128.236
      PFsense LAN address: 192.168.1.1
      MainDC1 (AD/DNS) address: 192.168.1.11

      Colo:

      WAN Network: 100.192.224.240/28
      WAN Gateway: 100.192.224.241
      LAN Network: 192.168.2.0/24
      LAN Gateway: 192.168.2.1
      PFsense WAN address: 100.192.224.248
      PFsense LAN address: 192.168.2.1
      ColoDC1 (AD/DNS) address: 192.168.2.11
      ColoDC2 (AD/DNS) address: 192.168.2.12
      ColoSrv1 (IIS/File services) address: 192.168.2.21  Note: IIS is only for internal access

      Requirement 1 - Need to establish an IPSEC tunnel from the remote site to the colo site
      Requirement 2 - Need to make sure that resources (AD/File Server/IIS) in the colo are accessible from the main site and vice versa

      Firewall rules - <need additional help here>

      Main Site

      IPSEC all open
      WAN UDP 500 all open
      WAN ESP all open
      LAN (Lan Subnet > *) Open

      Colo Site

      IPSEC all open
      WAN UDP 500 all open
      WAN ESP all open
      LAN (Lan Subnet > *) Open

      Static Routes - <need help here>

      Main Site Device

      Colo Site Device

      IPSEC Info

      Main Site

      Mode: Tunnel
      Interface: WAN
      Local subnet Type: LAN subnet
      Remote subnet: 192.168.2.0/24
      Remote gateway: 100.192.224.248
      Description:  To Colo

      Phase 1 proposal (Authentication)
      Negotiation mode: aggressive
      My identifier: My IP address 
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2
      Lifetime: 28800 seconds
      Authentication method: Pre-shared key
      Pre-Shared Key: examplekey

      Phase 2 proposal (SA/Key Exchange)
      Protocol: ESP 
      Encryption algorithms: Blowfish, Rijndael (AES)
      Hash algorithms: SHA1, MD5
      PFS key group: 2
      Lifetime: 86400 seconds

      Colo Site

      Mode: Tunnel
      Interface: WAN
      Local subnet Type: LAN subnet
      Remote subnet: 192.168.1.0/24
      Remote gateway: 172.32.128.236
      Description:  To Main Site

      Phase 1 proposal (Authentication)
      Negotiation mode: aggressive
      My identifier: My IP address 
      Encryption algorithm: Blowfish
      Hash algorithm: SHA1
      DH key group: 2
      Lifetime: 28800 seconds
      Authentication method: Pre-shared key
      Pre-Shared Key: examplekey

      Phase 2 proposal (SA/Key Exchange)
      Protocol: ESP 
      Encryption algorithms: Blowfish, Rijndael (AES)
      Hash algorithms: SHA1, MD5
      PFS key group: 2
      Lifetime: 86400 seconds

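The two phase definitions posted above can be cross-checked mechanically before anything is debugged on the boxes. The following Python is an added example and not code from the thread, from pfSense or from racoon: it transcribes the poster's settings into two dictionaries (the names `MAIN`, `COLO`, `check_peer_symmetry`, `check_hardening` and the hardening thresholds are my own assumptions) and checks first that each end's view of its peer matches the peer's own configuration, then flags the settings that will negotiate fine but are weak by today's standards (aggressive mode with a pre-shared key, Blowfish, MD5, DH group 2, a short PSK).

```python
"""Cross-check the two pfSense IPsec phase definitions from the first post.

Added example; not code from the thread, from pfSense or from racoon. The
two dictionaries are a transcription of the settings the poster listed; the
check functions, their names and the hardening thresholds are assumptions.
"""
import ipaddress

MAIN = {
    "name": "Main Site",
    "wan_address": "172.32.128.236",
    "lan_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24",
    "remote_gateway": "100.192.224.248",
    "p1": {"mode": "aggressive", "enc": "blowfish", "hash": "sha1",
           "dh_group": 2, "auth": "psk", "psk": "examplekey"},
    "p2": {"protocol": "esp", "enc": {"blowfish", "aes"},
           "hash": {"sha1", "md5"}, "pfs_group": 2},
}
COLO = {
    "name": "Colo",
    "wan_address": "100.192.224.248",
    "lan_subnet": "192.168.2.0/24",
    "remote_subnet": "192.168.1.0/24",
    "remote_gateway": "172.32.128.236",
    "p1": dict(MAIN["p1"]),  # poster used identical phase 1 settings at both ends
    "p2": {"protocol": "esp", "enc": {"blowfish", "aes"},
           "hash": {"sha1", "md5"}, "pfs_group": 2},
}


def check_peer_symmetry(a, b):
    """Return mismatch descriptions; empty list means a's view of b matches b's own config."""
    problems = []
    if ipaddress.ip_network(a["remote_subnet"]) != ipaddress.ip_network(b["lan_subnet"]):
        problems.append(f"{a['name']}: remote subnet {a['remote_subnet']} "
                        f"is not {b['name']}'s LAN {b['lan_subnet']}")
    if a["remote_gateway"] != b["wan_address"]:
        problems.append(f"{a['name']}: remote gateway {a['remote_gateway']} "
                        f"is not {b['name']}'s WAN address {b['wan_address']}")
    # Phase 1 must agree exactly: mode, cipher, hash, DH group, auth method and PSK.
    for key in ("mode", "enc", "hash", "dh_group", "auth", "psk"):
        if a["p1"][key] != b["p1"][key]:
            problems.append(f"phase 1 {key} differs: {a['p1'][key]} vs {b['p1'][key]}")
    if a["p2"]["protocol"] != b["p2"]["protocol"] or a["p2"]["pfs_group"] != b["p2"]["pfs_group"]:
        problems.append("phase 2 protocol or PFS group differs")
    # Phase 2 algorithm lists only need one transform in common.
    if not a["p2"]["enc"] & b["p2"]["enc"]:
        problems.append("phase 2: no common encryption algorithm")
    if not a["p2"]["hash"] & b["p2"]["hash"]:
        problems.append("phase 2: no common hash algorithm")
    return problems


def check_hardening(site):
    """Flag settings that negotiate fine but are weak by current standards."""
    findings = []
    p1, p2 = site["p1"], site["p2"]
    if p1["mode"] == "aggressive" and p1["auth"] == "psk":
        findings.append(("aggressive-psk",
                         "aggressive mode sends the PSK-derived hash before the channel is "
                         "encrypted, so a guessable PSK is exposed; use main mode"))
    if p1["enc"] == "blowfish" or "blowfish" in p2["enc"]:
        findings.append(("blowfish", "Blowfish is a 64-bit block cipher; offer AES only"))
    if p1["hash"] == "md5" or "md5" in p2["hash"]:
        findings.append(("md5", "drop MD5 from the proposals; prefer SHA-256 when both ends offer it"))
    if p1["dh_group"] < 14 or p2["pfs_group"] < 14:
        findings.append(("dh-group",
                         "DH/PFS groups below 14 are at most 1536-bit MODP; use group 14 (2048-bit) or higher"))
    if len(p1["psk"]) < 20:  # threshold is an assumption, not a pfSense rule
        findings.append(("psk-length", "use a long random pre-shared key (20+ characters)"))
    return findings


if __name__ == "__main__":
    for a, b in ((MAIN, COLO), (COLO, MAIN)):
        print(f"{a['name']} -> {b['name']}:", check_peer_symmetry(a, b) or "consistent")
    for code, advice in check_hardening(MAIN):
        print(f"[{code}] {advice}")
```

Run against the posted settings it reports both directions as consistent, which is the expected result for a tunnel that is configured symmetrically but not yet passing traffic; the hardening findings are independent of whether the tunnel ever comes up, so they are worth fixing at the same time as the routing.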
        XIII

        So did this guide here not help?
        http://doc.pfsense.org/index.php/VPN_Capability_IPsec

        -Chris Stutzman
        Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
        Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
        freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
        Check out the pfSense Wiki

          Ilikethisdevice

          Not really. It only helps to a point. It is generalized.

          This is a scenario here which is much more useful.

            XIII

            Well, in all of the IPSec setups I have done, Req. 2 worked by default, though I had the auto-config of VPN rules option enabled.

            What do the logs say? Under Status>System Logs>IPSec VPN

              Ilikethisdevice

              I am not there yet. I need help on the static routes for this scenario first.

              But so far the Colo device says:

              Nov 21 03:56:22 racoon: [Self]: INFO: <device WAN address>[500] used as isakmp port (fd=15)
              Nov 21 03:56:22 racoon: [Self]: INFO: 1<device LAN address>[500] used as isakmp port (fd=14)
              Nov 21 03:56:22 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
              Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.5.1 (not sure where this is coming from)[500] used as isakmp port (fd=12)
              Nov 21 03:56:22 racoon: INFO: unsupported PF_KEY message REGISTER

              And here are the Main Site logs:

              Nov 20 08:49:14 racoon: [Self]: INFO: <device WAN address>[500] used as isakmp port (fd=15)
              Nov 20 08:49:14 racoon: [Self]: INFO: 1<device LAN address>[500] used as isakmp port (fd=14)
              Nov 20 08:49:14 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
              Nov 20 08:49:14 racoon: INFO: unsupported PF_KEY message REGISTER

                XIII
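The racoon lines quoted above only show the daemon binding its listening sockets; there is no trace of any phase 1 exchange, which is the detail worth reading out of the log before touching routes. The following Python is an added example, not code from the thread or from pfSense: it parses lines of this shape, lists the addresses racoon bound, flags any that are not in an expected inventory (such as the 192.168.5.1 the poster could not place), and reports whether a phase 1 negotiation was initiated, failed or established. The sample logs are constructed, with made-up addresses in place of the poster's placeholders; the phase 1 lines in the second sample are patterned on racoon's own messages and are assumptions, not lines from the thread.

```python
"""Triage racoon IPsec log lines of the kind pfSense 2.0.x shows under
Status > System Logs > IPsec VPN.

Added example, not code from the thread or from pfSense. Both log samples
are constructed: QUIET_LOG mirrors the shape of the poster's lines with
made-up addresses, NEGOTIATING_LOG adds phase 1 lines patterned on racoon's
messages so the two outcomes can be compared.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (?:\[Self\]: )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)
LISTEN_RE = re.compile(r"^(?P<addr>\S+)\[(?P<port>\d+)\] used as isakmp port")

QUIET_LOG = """\
Nov 21 03:56:22 racoon: [Self]: INFO: 100.192.224.248[500] used as isakmp port (fd=15)
Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.2.1[500] used as isakmp port (fd=14)
Nov 21 03:56:22 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.5.1[500] used as isakmp port (fd=12)
Nov 21 03:56:22 racoon: INFO: unsupported PF_KEY message REGISTER
"""

# Constructed continuation: a phase 1 attempt that times out (assumed wording).
NEGOTIATING_LOG = QUIET_LOG + """\
Nov 21 03:58:01 racoon: INFO: initiate new phase 1 negotiation: 100.192.224.248[500]<=>172.32.128.236[500]
Nov 21 03:58:31 racoon: ERROR: phase1 negotiation failed due to time up. 0123456789abcdef:0000000000000000
"""


def parse(text):
    """Split syslog-style racoon lines into timestamp, level and message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(text, expected_listeners):
    """Summarise what the log proves: which sockets exist and how far IKE got."""
    listeners, failures = [], []
    attempted = established = False
    for ev in parse(text):
        msg = ev["msg"]
        lm = LISTEN_RE.match(msg)
        if lm:
            listeners.append(lm.group("addr"))
        elif "phase 1 negotiation" in msg:      # "initiate new ..." or "respond new ..."
            attempted = True
        elif "ISAKMP-SA established" in msg:
            established = True
        elif ev["level"] == "ERROR":
            failures.append(msg)
        # "unsupported PF_KEY message REGISTER" is informational noise on this
        # racoon build and is deliberately ignored here.
    unexpected = [a for a in listeners if a not in expected_listeners]
    if established:
        verdict = "phase 1 established; if traffic still fails, look at phase 2 and routing"
    elif attempted:
        verdict = "phase 1 attempted but not established; compare proposals and PSK on both ends"
    else:
        verdict = ("no phase 1 negotiation at all: nothing triggered the tunnel locally and "
                   "nothing arrived from the peer; confirm traffic for the remote subnet "
                   "reaches pfSense and that UDP/500 and ESP reach the WAN address")
    return {"listeners": listeners, "unexpected_listeners": unexpected,
            "phase1_attempted": attempted, "phase1_established": established,
            "failures": failures, "verdict": verdict}


if __name__ == "__main__":
    inventory = {"100.192.224.248", "192.168.2.1", "127.0.0.1"}
    for label, log in (("quiet", QUIET_LOG), ("negotiating", NEGOTIATING_LOG)):
        result = triage(log, inventory)
        print(f"{label}: unexpected listeners {result['unexpected_listeners']}")
        print(f"{label}: {result['verdict']}")
```

An address racoon binds that is not in the inventory is worth explaining: racoon listens on every interface address and virtual IP the box has, so an unexpected one means an interface or alias exists that was not in the plan. The "no phase 1 negotiation at all" verdict is the one that matches the poster's logs, and it points at reachability rather than at the proposals.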

                Why do you want static routes? Just cause? It should route automatically via IP address (unless you access them via DNS), otherwise you go to System>Static Routes
                For the entry it would be the device's DNS name and the IP of the device.

                  Ilikethisdevice

                  Even when the PFsense devices are not the default gateway? It was my understanding that there had to be static routes in place when they are not.

                    XIII

                    Yes that is true.

                    You add it under System>Static Routes

                      Ilikethisdevice

                      What would those entries be in this scenario?

                        XIII

                        So at each location it's:
                        1: WAN->Router(this is the WAN Network)->pfSenseWAN->pfSenseLAN

                        You need to add a static route at the main router that points the network at the main site for the colo to the pfSense box.

                        COLO
                        Destination Network: 192.168.1.0/24
                        Gateway: 172.32.128.236
                        Main Site
                        Destination Network: 192.168.2.0/24
                        Gateway: 100.192.224.248

                          XIII

                          This is covered in more depth in the book

                            Ilikethisdevice

                            Still nothing.

                            I added the rules on the WAN interface and I still see no activity.

                              XIII

                              This is done on the device that is the default gateway, not pfSense.

                              If you made the change at this device then see what the IPSec logs say.

                                Ilikethisdevice
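The static route entries a few posts up and the point just made, that the route belongs on whatever device is the hosts' default gateway rather than on pfSense, can both be seen in a small forwarding model. The following Python is an added example, not code from the thread or from pfSense: it traces a LAN packet bound for the colo subnet through a longest-prefix-match model of the main site, once without and once with the static route. Beyond the thread it assumes a hypothetical core router 192.168.1.254 acting as the hosts' default gateway instead of pfSense (the case the static-route advice is about) and a documentation-range upstream hop 203.0.113.1 for anything leaving the site; the device names and functions are mine.

```python
"""Trace the forwarding path of a main-site LAN packet toward the colo subnet.

Added example, not code from the thread or from pfSense. Addresses come from
the poster's topology; the core router, the upstream hop and all names are
assumptions introduced for the illustration.
"""
import ipaddress

# From the thread (the poster's example addresses).
PFSENSE_MAIN_LAN = "192.168.1.1"
MAIN_WAN_GATEWAY = "172.32.128.238"
COLO_PFSENSE_WAN = "100.192.224.248"
IPSEC_REMOTE = ipaddress.ip_network("192.168.2.0/24")
# Assumptions not in the thread.
CORE_ROUTER = "192.168.1.254"   # hypothetical hosts' default gateway
UPSTREAM = "203.0.113.1"        # documentation-range hop outside the site


class Router:
    """Minimal forwarding table: list of (prefix, next hop); None = directly connected."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        matches = [(p, nh) for p, nh in self.routes if dst in p]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_site(core_has_static_route):
    """Main site with or without the route for the colo LAN on the core router."""
    core_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", UPSTREAM)]
    if core_has_static_route:
        core_routes.append(("192.168.2.0/24", PFSENSE_MAIN_LAN))
    return {
        CORE_ROUTER: Router("core-router", core_routes),
        PFSENSE_MAIN_LAN: Router("pfsense-main", [
            ("192.168.1.0/24", None),
            ("172.32.128.232/29", None),
            ("0.0.0.0/0", MAIN_WAN_GATEWAY),
        ]),
        MAIN_WAN_GATEWAY: Router("wan-router", [
            ("172.32.128.232/29", None),
            ("0.0.0.0/0", UPSTREAM),
        ]),
    }


def trace(devices, dst, first_hop=CORE_ROUTER, max_hops=8):
    """Follow next hops from the hosts' gateway; pfSense wraps matching traffic in ESP."""
    dst = ipaddress.ip_address(dst)
    path, hop = [], first_hop
    for _ in range(max_hops):
        router = devices[hop]
        path.append(router.name)
        if router.name == "pfsense-main" and dst in IPSEC_REMOTE:
            # Policy match: the outer ESP header now carries the peer's WAN address,
            # and that is what every later lookup is made on.
            path.append(f"esp->{COLO_PFSENSE_WAN}")
            dst = ipaddress.ip_address(COLO_PFSENSE_WAN)
        route = router.lookup(dst)
        if route is None:
            path.append("dropped:no-route")
            return path
        _, nh = route
        if nh is None:
            path.append(f"delivered:{dst}")
            return path
        if nh not in devices:
            path.append(f"handoff:{nh}")
            return path
        hop = nh
    path.append("dropped:loop")
    return path


def tunnel_used(path):
    return any(step.startswith("esp->") for step in path)


if __name__ == "__main__":
    for flag in (False, True):
        print("static route on core:", flag, "->", " / ".join(trace(build_site(flag), "192.168.2.21")))
```

Without the route the packet follows the core router's default route out of the site in cleartext and never meets pfSense's IPsec policy; with a route for 192.168.2.0/24 via 192.168.1.1 it reaches pfSense, is wrapped in ESP toward 100.192.224.248, and from there needs only pfSense's ordinary default gateway, since the outer destination is the peer's public WAN address. That is also why a traceroute from a LAN host is the quickest check: the first hop shows which device is making the decision.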

                                Still no dice. Are these devices flaky when they are running virtually?

                                  XIII

                                  There are quite a few people running pfSense in a VM (I don't).
                                  I would suggest doing a traceroute, and looking at the logs on all systems (default gateway, pfSense) as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.