Looking for help on installation. Will make a guide afterwards.



  • I am looking for directions on the setup of this scenario. Once I get it all down I want to put together a guide to help everyone out. There are a lot of pieces out there for instructions but not one that covers a scenario in my opinion.

    All network information represents examples and is not real. However, the network settings are intentionally this way so the installation is not as vanilla. Neither PFsense device is the gateway for the WAN network.

    If you can let me know what I missed or did wrong then thank you in advance.

    Here we go:

    Main Site:

    WAN Network: 172.32.128.232/29
    WAN Gateway: 172.32.128.238
    LAN Network: 192.168.1.0/24
    LAN Gateway: 192.168.1.1
    PFsense WAN address: 172.32.128.236
    PFsense LAN address: 192.168.1.1
    MainDC1 (AD/DNS) address: 192.168.1.11

    Colo:

    WAN Network: 100.192.224.240/28
    WAN Gateway: 100.192.224.241
    LAN Network: 192.168.2.0/24
    LAN Gateway: 192.168.2.1
    PFsense WAN address: 100.192.224.248
    PFsense LAN address: 192.168.2.1
    ColoDC1 (AD/DNS) address: 192.168.2.11
    ColoDC2 (AD/DNS) address: 192.168.2.12
    ColoSrv1 (IIS/File services) address: 192.168.2.21  Note: IIS is only for internal access

    Requirement 1 - Need to establish an IPSEC tunnel from the remote site to the colo site
    Requirement 2 - Need to make sure that resources (AD/File Server/IIS) in the colo are accessible from the main site and vice versa

    Firewall rules - [need additional help here]

    Main Site

    IPSEC all open
    WAN UDP 500 all open
    WAN ESP all open
    LAN (Lan Subnet > *) Open

    Colo Site

    IPSEC all open
    WAN UDP 500 all open
    WAN ESP all open
    LAN (Lan Subnet > *) Open

    Static Routes - [need help here]

    Main Site Device

    Colo Site Device

    IPSEC Info

    Main Site

    Mode: Tunnel
    Interface: WAN
    Local subnet Type: LAN subnet
    Remote subnet: 192.168.2.0/24
    Remote gateway: 100.192.224.248
    Description:  To Colo

    Phase 1 proposal (Authentication)
    Negotiation mode: aggressive
    My identifier: My IP address 
    Encryption algorithm: Blowfish
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 28800 seconds
    Authentication method: Pre-shared key
    Pre-Shared Key: examplekey

    Phase 2 proposal (SA/Key Exchange)
    Protocol: ESP 
    Encryption algorithms: Blowfish, Rijndael (AES)
    Hash algorithms: SHA1, MD5
    PFS key group: 2
    Lifetime: 86400 seconds

    Colo Site

    Mode: Tunnel
    Interface: WAN
    Local subnet Type: LAN subnet
    Remote subnet: 192.168.1.0/24
    Remote gateway: 172.32.128.236
    Description:  To Main Site

    Phase 1 proposal (Authentication)
    Negotiation mode: aggressive
    My identifier: My IP address 
    Encryption algorithm: Blowfish
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: 28800 seconds
    Authentication method: Pre-shared key
    Pre-Shared Key: examplekey

    Phase 2 proposal (SA/Key Exchange)
    Protocol: ESP 
    Encryption algorithms: Blowfish, Rijndael (AES)
    Hash algorithms: SHA1, MD5
    PFS key group: 2
    Lifetime: 86400 seconds





  • Not really. It only helps to a point. It is generalized.

    This is a scenario here which is much more useful.



  • Well all of the IPSec setups I have done, Req. 2 worked by default, though I had the auto config of VPN rules option enabled.

    What do the logs say? Under Status>System Logs>IPSec VPN



  • I am not there yet. I need help on the static routes for this scenario first.

    But so far the Colo device says:

    Nov 21 03:56:22 racoon: [Self]: INFO: [device WAN address][500] used as isakmp port (fd=15)
    Nov 21 03:56:22 racoon: [Self]: INFO: 1[device LAN address][500] used as isakmp port (fd=14)
    Nov 21 03:56:22 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Nov 21 03:56:22 racoon: [Self]: INFO: 192.168.5.1 (not sure where this is coming from)[500] used as isakmp port (fd=12)
    Nov 21 03:56:22 racoon: INFO: unsupported PF_KEY message REGISTER

    And here are the Main Site logs:

    Nov 20 08:49:14 racoon: [Self]: INFO: [device WAN address][500] used as isakmp port (fd=15)
    Nov 20 08:49:14 racoon: [Self]: INFO: 1[device LAN address][500] used as isakmp port (fd=14)
    Nov 20 08:49:14 racoon: [Self]: INFO: 127.0.0.1[500] used as isakmp port (fd=13)
    Nov 20 08:49:14 racoon: INFO: unsupported PF_KEY message REGISTER



  • Why do you want static routes? Just because? It should route automatically via IP address (unless you access them via DNS); otherwise you go to System>Static Routes.
    For the entry it would be the device's DNS name and the IP of the device.



  • Even when the PFsense devices are not the default gateway? It was my understanding that there had to be static routes in place when they are not.



  • Yes that is true.

    You add it under System>Static Routes



  • What would those entries be in this scenario?



  • So at each location it's:
    1: WAN->Router (this is the WAN Network)->pfSenseWAN->pfSenseLAN

    You need to add a static route at the main router that points the network at the main site for the colo to the pfSense box.

    COLO
    Destination Network: 192.168.1.0/24
    Gateway: 172.32.128.236
    Main Site
    Destination Network: 192.168.2.0/24
    Gateway: 100.192.224.248
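An added Python check (my own, not code from the thread or from pfSense) that takes the addressing and proposals posted in the opening question, verifies that the two endpoints mirror each other, derives the static routes the answer above places on each site's WAN router, and flags the proposal choices a reviewer would query before the tunnel goes live. The dictionary layout and the WEAK algorithm list are assumptions; the addresses are the thread's constructed examples.

```python
import ipaddress

# Constructed from the thread's example addressing (the poster says none of it is real).
SITES = {
    "main": {"lan": "192.168.1.0/24", "wan_net": "172.32.128.232/29",
             "pfsense_wan": "172.32.128.236", "wan_gw": "172.32.128.238",
             "remote_subnet": "192.168.2.0/24", "remote_gateway": "100.192.224.248"},
    "colo": {"lan": "192.168.2.0/24", "wan_net": "100.192.224.240/28",
             "pfsense_wan": "100.192.224.248", "wan_gw": "100.192.224.241",
             "remote_subnet": "192.168.1.0/24", "remote_gateway": "172.32.128.236"},
}
PHASE1 = {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1", "dh": 2}
PHASE2 = {"enc": ["Blowfish", "Rijndael (AES)"], "hash": ["SHA1", "MD5"], "pfs": 2}
WEAK = {"Blowfish", "MD5", "DES", "3DES"}  # assumption: reviewer's own legacy-algorithm list
PEERS = (("main", "colo"), ("colo", "main"))


def check_tunnel(sites):
    """Each side's 'remote' settings must mirror the peer's LAN and pfSense WAN address,
    and each pfSense WAN address must sit in the same subnet as its upstream gateway."""
    problems = []
    for name, peer in PEERS:
        s, p = sites[name], sites[peer]
        if ipaddress.ip_network(s["remote_subnet"]) != ipaddress.ip_network(p["lan"]):
            problems.append(f"{name}: remote subnet {s['remote_subnet']} is not {peer} LAN {p['lan']}")
        if ipaddress.ip_address(s["remote_gateway"]) != ipaddress.ip_address(p["pfsense_wan"]):
            problems.append(f"{name}: remote gateway {s['remote_gateway']} is not {peer} pfSense WAN")
        wan = ipaddress.ip_network(s["wan_net"])
        for key in ("pfsense_wan", "wan_gw"):
            if ipaddress.ip_address(s[key]) not in wan:
                problems.append(f"{name}: {key} {s[key]} is outside WAN network {wan}")
    return problems


def upstream_routes(sites):
    """Static route for each site's WAN router (the real default gateway, per the answer
    above): far LAN -> local pfSense WAN address, so traffic for the other site is handed
    to the box terminating the tunnel rather than to the default route."""
    return {name: {"on_router": sites[name]["wan_gw"], "destination": sites[peer]["lan"],
                   "next_hop": sites[name]["pfsense_wan"]} for name, peer in PEERS}


def weak_choices(p1, p2):
    """Proposal settings a reviewer would ask to change; both sides must change together."""
    flags = []
    if p1["mode"] == "aggressive":
        flags.append("phase1: aggressive mode with a pre-shared key; prefer main mode")
    for alg in [p1["enc"], p1["hash"], *p2["enc"], *p2["hash"]]:
        if alg in WEAK:
            flags.append(f"legacy algorithm offered: {alg}")
    if p1["dh"] < 14 or p2["pfs"] < 14:
        flags.append(f"DH group {p1['dh']} / PFS group {p2['pfs']} are below group 14 (2048-bit)")
    return flags
```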



  • This is covered in more depth in the book



  • Still nothing.

    I added the rules on the WAN interface and I still see no activity.



  • This is done on the device that is the default gateway, not pfSense.

    If you made the change at this device then see what the IPSec logs say



  • Still no dice. Are these devices flaky when they are running virtually?



  • There are quite a few people running pfSense in a VM (I don't).
    I would suggest doing a traceroute, and looking at the logs on all systems (default gateway, pfSense) as it sounds like the route is not being forwarded/routed to the pfSense system, but the VPN is up.

