IPSEC on Dual-WAN 2.0RC1 box to Firebox Edge X
-
I am trying to drop in a PFsense 2.0RC1 box, to replace a Firebox Edge X (site-to-site IPSEC VPN), but I am having trouble with only one-way communication through the tunnel. On the PFsense box, I replicated the Phase 1 & Phase 2 settings from the original Firebox - I made no changes on the remote Firebox. The IPSEC tunnel appears to be created successfully in the firewall system logs, and I've added a firewall rule under the IPSEC tab to allow all traffic (any protocol, any source & any destination). I would like all IPSEC traffic to go out through OPT1, and I've also setup Firewall Rules->Advanced Features->Gateway:OPT1
Interfaces:
LAN: 192.168.1.1
WAN: 71.130.xx.xx, PPPoE (DSL line 1, bridged modem), default gateway,
OPT1: 99.22.xx.xx, PPPoE (DSL line 2, bridged modem)Remote Firebox IP: 71.216.xx.xx
Remote LAN subnet: 192.168.100.0/24The Phase 2 tunnel is set from Local network:"LAN subnet" to Remote network:"192.168.100.0/24".
I've searched several posts on the forum already, and have tried these steps. Here are a few observations:
1.) From a workstation on the local subnet, I can ping the remote Firebox gateway (192.168.100.1) successfully, and access the web configuration page of the remote Firebox.
2.) From a workstation on the remote subnet, I cannot ping the local pfsense gateway (192.168.1.1).
3.) From the shell on the local pfsense box itself, I cannot ping the remote Firebox gateway. Traceroute was going out the WAN gateway, not OPT1.
4.) I switched the default gateway on the pfsense box to OPT1. Traceroute was going out through the OPT1 gateway, but still cannot find the remote Firebox gateway through the IPSEC tunnel.
5.) I tried disabling auto-added VPN rules under System->Advanced->Firewall/NAT, with no success.
6.) I tried adding a static route from LAN subnet (192.168.1.0/24) to (192.168.100.0/24), with no success.Any further suggestions would be very helpful - thank you!
-
Well a quick update - I double-checked all settings, and realized that the Lifetime in Phase 2 was off - silly mistake.
I left auto-added VPN rules on, removed all static routes, and added firewall rules for IPSEC (pass, any, any).
From the shell on the PFsense box itself, I still cannot ping the remote Firebox (192.168.100.1), but a tcpdump of tunnel enc0 shows that it is passing traffic just fine both ways. I confirmed that workstations on the remote subnet have access to the local subnet. Not sure if this is really an issue.
Hope this helps anybody out.
-
If it passes traffic between the local nets but not from the firewall, it sounds like this:
http://doc.pfsense.org/index.php/Why_can't_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F -
Thanks for the tip, that did the trick! :D
