Netgate Discussion Forum
Forward IPSec to another firewall

IPsec
5 Posts 2 Posters 10.8k Views
    mario01, May 13, 2011, 1:25 PM (last edited May 13, 2011, 2:20 PM)

    Hi,

    I am trying to forward IPsec traffic over my pfSense, which is connected to the WAN, to a WatchGuard firewall. I want to connect from outside with IPsec clients to the WatchGuard device through the pfSense. I use the latest build of v2.

    When using the WatchGuard device directly on the WAN (PPPoE), everything works fine.

    I made forwards for TCP 4500, UDP 500 and ESP to the VPN firewall, but it doesn't connect.

    Does anyone have an idea?

    Regards, Mario

    mario01, May 16, 2011, 2:01 PM

      Hello again,

      I also asked WatchGuard and they told me:

      "You will need to allow udp 4500, udp 500, ah, and esp. If things are not being forwarded properly, then you might want to look at the upstream firewall to verify that things are being forwarded properly."

      But how do I forward AH (= authentication header)? Is it necessary, or does it work automatically?

      Mario

      spiritbreaker, May 21, 2011, 5:26 PM (last edited May 24, 2011, 6:45 PM)

        Hi,

        Is your WatchGuard part of the LAN or separated in a DMZ? How many interfaces are used on the WatchGuard? Is there something behind the WatchGuard firewall?

        Does your setup look like this?

        Internet ---- (WAN) pfSense (LAN) ------- WatchGuard
                                                      |
                                                      --- Clients

        The normal way is to use a second public IP on the pfSense WAN side (Virtual IP) to forward traffic to the WatchGuard firewall; I use it that way.

        Because of PPPoE you are limited, and you can't use IPsec on pfSense itself!

        Try this:

        1. You need to disable all IPsec services on pfSense.
        2. Go to Firewall -> NAT -> Port Forward -> create rules:

        First:

        Protocol: UDP
        Interface: WAN
        Destination: WAN address
        Destination Port Range: 500 (ISAKMP)
        Redirect Target IP: <watchguard>

        Second:

        Protocol: UDP
        Interface: WAN
        Destination: WAN address
        Destination Port Range: 4500 (NAT-T)
        Redirect Target IP: <watchguard>

        3. Make sure the WatchGuard default route is set to pfSense.
        4. Make sure the WatchGuard IPsec service listens on the interface which is connected to the pfSense network (LAN).
        5. Check the pfSense firewall log for blocking events on the LAN side.

        cya

        pfSense running at 11 locations
        -mobile OpenVPN and IPsec
        -multi-WAN failover
        -filtering proxy (SquidGuard) in bridge mode with ntop monitoring

        mario01, May 23, 2011, 6:39 AM

          Hi spiritbreaker,

          Thanks for your answer. Yes, the WG is behind the pfSense on the LAN side.

          I used the following rules and it worked:

          Interface  Proto  Source  Src ports  Destination  Dest ports          NAT IP          NAT ports
          WAN        UDP    *       *          WAN address  4500 (IPsec NAT-T)  192.168.200.10  *
          WAN        UDP    *       *          WAN address  500 (ISAKMP)        192.168.200.10  *
          WAN        ESP    *       *          WAN address  *                   192.168.200.10  *

          spiritbreaker, May 24, 2011, 6:53 PM

            Hi,

            ESP traffic is encapsulated in UDP port 4500, so your third rule should be unnecessary.

            You can check it by activating logging on the third rule. Then you can check the firewall log to determine if it's really used.

            cya


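The last reply's point (ESP rides inside UDP/4500 once NAT-T has been negotiated) and the earlier question about forwarding AH can be made concrete with a small packet classifier. This is an added example, not code from the thread, from pfSense or from WatchGuard; it assumes the RFC 3948 encapsulation rules (four-byte non-ESP marker for IKE on 4500, one-byte 0xFF keepalive, otherwise an ESP header starting with a non-zero SPI) and feeds in a constructed sample capture, not a real trace.

```python
# Added example (not from the thread): classify IPsec traffic as it reaches the
# pfSense WAN and derive which port forwards it needs. Packet layout follows
# RFC 3948 (UDP encapsulation of ESP); the sample capture is constructed.
from dataclasses import dataclass

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE inside UDP/4500 starts with this
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-T keepalive

@dataclass
class Packet:
    proto: int      # IP protocol number
    dport: int      # UDP destination port (ignored for ESP/AH)
    payload: bytes  # UDP data, or the ESP/AH header for raw ESP/AH

def classify(pkt: Packet) -> str:
    """Name the IPsec component a packet belongs to."""
    if pkt.proto == IPPROTO_ESP:
        return "esp"  # raw ESP: only when no NAT sits between the peers
    if pkt.proto == IPPROTO_AH:
        return "ah"   # AH authenticates the IP header, so it cannot cross NAT
    if pkt.proto != IPPROTO_UDP:
        return "other"
    if pkt.dport == 500:
        return "ike"  # IKE before NAT-T is negotiated
    if pkt.dport == 4500:
        if pkt.payload == NAT_KEEPALIVE:
            return "nat-t-keepalive"
        if pkt.payload.startswith(NON_ESP_MARKER):
            return "nat-t-ike"  # IKE moved to 4500 once NAT was detected
        if len(pkt.payload) >= 8:  # SPI + sequence number; an SPI is never 0
            return "nat-t-esp"  # ESP wrapped in UDP: the actual VPN data
        return "malformed"
    return "other"

RULE_FOR = {"ike": "UDP/500", "nat-t-ike": "UDP/4500", "nat-t-esp": "UDP/4500",
            "nat-t-keepalive": "UDP/4500", "esp": "ESP", "ah": "AH"}

def required_forwards(packets) -> set:
    """pfSense port forwards the observed traffic needs to reach the WatchGuard."""
    return {RULE_FOR[k] for k in map(classify, packets) if k in RULE_FOR}

# Constructed capture: one remote client behind NAT connecting in.
SAMPLE_CAPTURE = [
    Packet(IPPROTO_UDP, 500, b"\x11" * 28),                    # first IKE exchange
    Packet(IPPROTO_UDP, 4500, NON_ESP_MARKER + b"\x22" * 28),  # IKE after NAT detection
    Packet(IPPROTO_UDP, 4500, b"\xc0\x00\x12\x34\x00\x00\x00\x01" + b"\x33" * 24),  # ESP-in-UDP
    Packet(IPPROTO_UDP, 4500, NAT_KEEPALIVE),
]
```

Running a real WAN capture through required_forwards answers the same question as enabling logging on the ESP rule: for a NAT-T client the result is only UDP/500 and UDP/4500, while a raw ESP or AH entry would show that a peer is not using NAT-T.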
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.