Netgate Discussion Forum
    IPSEC on Dual-WAN 2.0RC1 box to Firebox Edge X

omq:

I am trying to drop in a pfSense 2.0RC1 box to replace a Firebox Edge X (site-to-site IPsec VPN), but I am having trouble with only one-way communication through the tunnel.  On the pfSense box, I replicated the Phase 1 & Phase 2 settings from the original Firebox - I made no changes on the remote Firebox.  The IPsec tunnel appears to be created successfully in the firewall system logs, and I've added a firewall rule under the IPsec tab to allow all traffic (any protocol, any source & any destination).  I would like all IPsec traffic to go out through OPT1, and I've also set up Firewall Rules->Advanced Features->Gateway:OPT1.

      Interfaces:
      LAN:  192.168.1.1
      WAN: 71.130.xx.xx, PPPoE (DSL line 1, bridged modem), default gateway,
      OPT1: 99.22.xx.xx, PPPoE (DSL line 2, bridged modem)

      Remote Firebox IP: 71.216.xx.xx
      Remote LAN subnet: 192.168.100.0/24

      The Phase 2 tunnel is set from Local network:"LAN subnet" to Remote network:"192.168.100.0/24".

      I've searched several posts on the forum already, and have tried these steps.  Here are a few observations:
      1.) From a workstation on the local subnet, I can ping the remote Firebox gateway (192.168.100.1) successfully, and access the web configuration page of the remote Firebox.
      2.) From a workstation on the remote subnet, I cannot ping the local pfsense gateway (192.168.1.1).
3.) From the shell on the local pfSense box itself, I cannot ping the remote Firebox gateway.  Traceroute was going out the WAN gateway, not OPT1.
4.) I switched the default gateway on the pfSense box to OPT1.  Traceroute was going out through the OPT1 gateway, but still cannot find the remote Firebox gateway through the IPsec tunnel.
      5.) I tried disabling auto-added VPN rules under System->Advanced->Firewall/NAT, with no success.
      6.) I tried adding a static route from LAN subnet (192.168.1.0/24) to (192.168.100.0/24), with no success.

      Any further suggestions would be very helpful - thank you!

omq:

Well, a quick update - I double-checked all settings and realized that the Lifetime in Phase 2 was off - silly mistake.

I left auto-added VPN rules on, removed all static routes, and added firewall rules for IPsec (pass, any, any).

From the shell on the pfSense box itself, I still cannot ping the remote Firebox (192.168.100.1), but a tcpdump of tunnel enc0 shows that it is passing traffic just fine both ways.  I confirmed that workstations on the remote subnet have access to the local subnet.  Not sure if this is really an issue.

        Hope this helps anybody out.

jimp (Rebel Alliance Developer, Netgate):

          If it passes traffic between the local nets but not from the firewall, it sounds like this:
          http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F

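The behaviour in observations 3 and 4 of the first post and in jimp's answer comes down to the Phase 2 traffic selector: a policy-based IPsec tunnel only encapsulates packets whose source and destination both fall inside a configured (local network, remote network) pair. A ping from a LAN workstation matches "LAN subnet -> 192.168.100.0/24"; a ping issued on the firewall itself is sourced from whichever interface address the routing table picks (the WAN or OPT1 address here), which is outside the selector, so the packet leaves in the clear via the default route and never reaches the Firebox. The following script is an added illustration of that check, not code from the thread or from pfSense; the WAN and OPT1 addresses are constructed stand-ins for the masked addresses in the post, and the function names are my own.

```python
"""Phase 2 selector check for a policy-based IPsec tunnel (added example).

Assumption: the tunnel only encapsulates a packet when its source lies in a
Phase 2 local network AND its destination lies in the paired remote network.
Anything else follows the ordinary routing table.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Phase 2 pair from the thread: "LAN subnet" (192.168.1.0/24) -> 192.168.100.0/24.
PHASE2_POLICIES: List[Tuple[str, str]] = [
    ("192.168.1.0/24", "192.168.100.0/24"),
]

# Constructed stand-ins for the masked addresses in the post.
LAN_IP = "192.168.1.1"          # pfSense LAN address
WAN_IP = "198.51.100.10"        # stands in for 71.130.xx.xx (PPPoE, default gateway)
OPT1_IP = "203.0.113.10"        # stands in for 99.22.xx.xx (PPPoE)
REMOTE_GW = "192.168.100.1"     # Firebox LAN address


def matching_policy(src: str, dst: str,
                    policies=PHASE2_POLICIES) -> Optional[Tuple[str, str]]:
    """Return the first (local, remote) Phase 2 pair covering src -> dst, or None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def would_traverse_tunnel(src: str, dst: str, policies=PHASE2_POLICIES) -> bool:
    """True when the packet is encapsulated (appears on enc0), False when it is routed in the clear."""
    return matching_policy(src, dst, policies) is not None


def suggested_source(dst: str, candidate_sources: List[str],
                     policies=PHASE2_POLICIES) -> Optional[str]:
    """Pick the first firewall-owned address that makes traffic to dst match a Phase 2 selector.

    This is what a 'source address' option on a ping from the firewall needs to be set to.
    """
    for src in candidate_sources:
        if would_traverse_tunnel(src, dst, policies):
            return src
    return None


def explain(src: str, dst: str, policies=PHASE2_POLICIES) -> str:
    """Human-readable verdict for one packet, used by the demo below."""
    pol = matching_policy(src, dst, policies)
    if pol is None:
        return f"{src} -> {dst}: no Phase 2 selector matches; sent in the clear via the routing table"
    return f"{src} -> {dst}: matches Phase 2 {pol[0]} <-> {pol[1]}; encapsulated on enc0"


if __name__ == "__main__":
    # Workstation on the LAN pinging the Firebox: matches, tunnel carries it (observation 1).
    print(explain("192.168.1.50", REMOTE_GW))
    # Same ping from the firewall shell with the default WAN source (observation 3).
    print(explain(WAN_IP, REMOTE_GW))
    # After switching the default gateway to OPT1 the source changes but still does not match (observation 4).
    print(explain(OPT1_IP, REMOTE_GW))
    # Forcing the LAN address as source puts the packet inside the selector.
    print("use source:", suggested_source(REMOTE_GW, [WAN_IP, OPT1_IP, LAN_IP]))
```

The practical consequence is that a failed ping from the firewall console is not by itself evidence of a broken tunnel; the enc0 capture in omq's second post is the better indicator. On a FreeBSD-based system such as pfSense the shell ping accepts a source address with `-S` (for example `ping -S 192.168.1.1 192.168.100.1`), which is the manual equivalent of `suggested_source` above; whether the 2.0RC1 web GUI offers the same option is not something this thread establishes.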
omq:

            Thanks for the tip, that did the trick!  :D

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.