Netgate Discussion Forum
    Multiple PFsense - IPSEC
    Zeon

      Hey guys,
      I am having trouble setting up an IPSEC tunnel from a pfSense that sits behind another pfSense to an external host. As you can see in my diagram, we have 2 pfSense routers. The border router (router 1) has one IPSEC tunnel set up for the local subnet. Now when I try to set up an IPSEC tunnel on Router 2, Router 1 intercepts the IPSEC traffic even though it's meant for router 2.

      The other end of the IPSEC tunnel is getting:

      denied udp XXX.234.42.162(500) -> 202.73.206.209(500), 7 packets

      So it looks like router 1 isn't allowing the IPSEC packets through to router 2 even though it's all on public IP space.

      [image: network.png (network diagram of the two routers)]

      cmb

        You need firewall rules to allow that traffic through where it's getting blocked.

        Zeon

          Router 1 already had all ports and IPs completely open to every subnet on Router 2. Last night I upgraded router 1 to pfSense 2.0 and switched to manual NAT and we seem to be getting somewhere.

          cmb

            You have to disable NAT too via outbound NAT when you're routing public IPs, on all the systems that are routing public IPs.

            Zeon

              @cmb:
              > You have to disable NAT too via outbound NAT when you're routing public IPs, on all the systems that are routing public IPs.

              Great - good advice. I have disabled it on both routers.

              Just to summarize to everyone, after upgrading to 2.0 and disabling outbound NAT, IPSEC is passed through from Router1 to Router2.
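As an added illustration (not rules from the thread, from pfSense or from the posters), this is what the fix agreed above looks like in raw pf syntax of the kind pfSense 2.x generates from Manual Outbound NAT: the routed public block is exempted from translation before the normal NAT rule, and IKE, NAT-T and ESP are passed inbound to Router 2's public address. The interface name and all addresses are assumed placeholders.

```pf
# Added illustration, not configuration from the thread. Interface name and
# addresses are placeholders (RFC 5737 documentation ranges).
ext_if      = "em0"              # Router 1 WAN interface (assumed)
routed_pub  = "203.0.113.0/28"   # public block routed onward to Router 2
router2_wan = "203.0.113.2"      # Router 2's public address in that block
lan_net     = "192.168.1.0/24"   # Router 1's own private LAN (assumed)

# Translation rules are first-match, so the exemption must come before the
# general NAT rule; otherwise Router 2's packets leave Router 1 rewritten to
# Router 1's address and the far end sees the wrong peer.
no nat on $ext_if from $routed_pub to any
nat on $ext_if from $lan_net to any -> ($ext_if)

# The public block is routed, not NATed, but it still needs filter rules on
# the border: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50)
# addressed to Router 2 must be allowed in on the WAN of Router 1.
pass in quick on $ext_if proto udp from any to $router2_wan port { 500, 4500 }
pass in quick on $ext_if proto esp from any to $router2_wan
```

In the pfSense GUI the same exemption is the "Do not NAT" option on a manual outbound NAT rule for the routed block; the pass rules go on the WAN tab of Router 1, not only on Router 2.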

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.