Newbie - Will the following work (Vodafone 3G NATted IP)



  • Hi All

    Hope someone can help with this one.

    I need to create VPN tunnels from mobile 3G (NATted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to them.

    I have pfSense up and running (although behind a SKY broadband connection on a Netgear DG834G); default DMZ is enabled to the pfSense server and DynDNS on pfSense is enabled with my dynamic SKY WAN IP.

    I believe aggressive mode and NAT-T must be used for this configuration, which is available on the Sarian and pfSense 2.0.

    If it will work, are there any guides available specifically for this sort of environment?

    Basic layout up to now:

    SKY WAN IP ------> NETGEAR DG834G (192.168.1.1) ---- DMZ Enabled -----> PFSENSE WAN (192.168.1.250)

    PFSENSE LAN (192.168.5.254) ------- MONITORING DEVICE (192.168.5.200)

    The other thing I think I should add is that all devices on the 192.168.1.x range are bridged from the wireless side of the DG834, so all connected devices in the 834 show the same MAC address. Will this cause problems?

    Also, how can I remote access the pfSense web GUI from the WAN side?

    Thanks for reading



  • Could somebody please decipher this log for me and tell me what's going on?

    thanks

    aaron


    Jun 18 23:32:29 racoon: INFO: begin Aggressive mode.
    Jun 18 23:32:29 racoon: INFO: received Vendor ID: DPD
    Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 18 23:32:29 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:29 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:29 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 18 23:32:29 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
    Jun 18 23:32:29 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
    Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
    Jun 18 23:32:30 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
    Jun 18 23:32:30 racoon: INFO: NAT-D payload #0 doesn't match
    Jun 18 23:32:30 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
    Jun 18 23:32:30 racoon: INFO: NAT-D payload #1 doesn't match
    Jun 18 23:32:30 racoon: INFO: NAT detected: ME PEER
    Jun 18 23:32:30 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
    Jun 18 23:32:30 racoon: [212.183.128.111] ERROR: delete payload with invalid doi:0.
    Jun 18 23:32:30 racoon: INFO: purging ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
    Jun 18 23:32:30 racoon: INFO: purged ISAKMP-SA spi=13badf3600251bd6:31d53ca9c320ccc3.
    Jun 18 23:32:31 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.111[50421] spi:13badf3600251bd6:31d53ca9c320ccc3
    Jun 18 23:32:40 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
    Jun 18 23:32:40 racoon: INFO: begin Aggressive mode.
    Jun 18 23:32:40 racoon: INFO: received Vendor ID: DPD
    Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 18 23:32:40 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:40 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:40 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 18 23:32:40 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
    Jun 18 23:32:40 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
    Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.111[50421]<->192.168.1.16[4500]
    Jun 18 23:32:41 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jun 18 23:32:41 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
    Jun 18 23:32:41 racoon: INFO: NAT-D payload #0 doesn't match
    Jun 18 23:32:41 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[50421] with algo #2
    Jun 18 23:32:41 racoon: INFO: NAT-D payload #1 doesn't match
    Jun 18 23:32:41 racoon: INFO: NAT detected: ME PEER
    Jun 18 23:32:41 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.111[50421] spi:f0d9c600ac9fd1db:071b7be39ed28be6
    Jun 18 23:32:50 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]
    Jun 18 23:32:50 racoon: INFO: begin Aggressive mode.
    Jun 18 23:32:50 racoon: INFO: received Vendor ID: DPD
    Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 18 23:32:50 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:50 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Jun 18 23:32:50 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 18 23:32:50 racoon: [212.183.128.111] INFO: Hashing 212.183.128.111[28444] with algo #2
    Jun 18 23:32:50 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2



  • Hi frank,

    I'm not sure I understand ur setup.

    1. Why do u not replace the Netgear with pfSense?

    > DMZ is enabled to the PFsense server and DYNdns on pfsense enabled with my dynamic SKY WAN IP

    I recommend u not to use dynamic IPs with IPsec; u will get problems... tunnels sometimes not coming up after an IP change (site to site).
    Depending on ur product u can order a fixed IP from the provider.

    3.

    > I need to create vpn tunnels from mobile 3G (natted IP on connection from Vodafone UK) Sarian/DIGI routers which will have IP devices connected to it.

    Roadwarrior connections are possible but site to site doesn't work (tested with Vodafone Germany).

    4.

    > [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.111[28444]

    I still don't know what u are doing... more detail plz.

    Sarian router ----- internet -----> Netgear ----> pfSense

    Is this correct? U wanna create a VPN between the Sarian and pfSense?

    > I believe aggressive mode and NAT-T must be used for this configuration which is available on the sarian and pfsense2.0.

    Remember u will have no luck with a site to site config! Vodafone UMTS networks are not reachable from external networks.

    The Sarian router needs to act as a mobile client (I know it's possible with Cisco devices).
    I googled for some Sarian howtos and it seems only site to site is possible.

    Cya



  • Hi thanks for the reply

    My current test setup is on SKY Broadband UK; they only supply a dynamic IP (the final installation will be on a static IP from another provider).

    Basically we want to have IP CCTV cameras out in the field and let the Sarian 3G router initiate the tunnel to the pfSense host.
    I have spoken to Sarian and they said any VPN server supporting NAT-T and aggressive mode should respond to the NATted Vodafone IP.

    I'm wondering, looking at the logs I posted, whether the pfSense (WAN IP 192.168.1.16) is getting stuck going back out through the Netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct?? I was looking at getting a router that supports bridge mode which I can go straight into the pfSense and let it do the DHCP/NAT etc.

    Any further help would be appreciated, cheers.



  • Hi,

    > I have spoken to Sarian and they said any VPN Server supporting NAT-T and aggressive mode should respond to the NATted Vodafone IP.

    Hmm, I'll test it tomorrow with 2 pfSense boxes (1 with ADSL and 1 with UMTS). I never tested with aggressive mode.
    But I think u can't use site to site on pfSense because u need a valid remote peer IP address, otherwise phase 1 will always fail.

    > Im wondering looking at the logs i posted it seems the pfsense (WAN IP 192.168.1.16) is getting stuck going back out through the netgear router 192.168.1.1 even though DMZ is enabled on it. Is this correct??

    U still need a real port forward. Be careful with Netgear... look at the documentation for what "DMZ on Netgear" really means.

    > I was looking at getting a router that supports bridge mode which i can go straight into the pfsense and let it do the DHCP/NAT etc.

    Search for PPPoE passthrough on Netgear.

    The easiest way is to get the Netgear into "modem mode". Activate PPPoE passthrough mode and set up the PPPoE connection on pfSense.

    We don't need to analyse IPsec logs if we don't know whether ur DMZ setup works.

    U posted logs... what is ur IPsec config on pfSense?

    cya



  • Cheers spiritbreaker

    Another log for you to look at :)

    I have now got the Sarian router VPN tunnel up but can't ping any remote clients etc. The log shows phase 2 failed; I have tried googling the error messages but no luck with any good answers.

    Jun 19 17:30:13 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.9[11637]
    Jun 19 17:30:13 racoon: INFO: begin Aggressive mode.
    Jun 19 17:30:13 racoon: INFO: received Vendor ID: DPD
    Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 19 17:30:13 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 19 17:30:13 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Jun 19 17:30:13 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 19 17:30:13 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[11637] with algo #1
    Jun 19 17:30:13 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #1
    Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.9[22383]<->192.168.1.16[4500]
    Jun 19 17:30:14 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #1
    Jun 19 17:30:14 racoon: INFO: NAT-D payload #0 doesn't match
    Jun 19 17:30:14 racoon: [212.183.128.9] INFO: Hashing 212.183.128.9[22383] with algo #1
    Jun 19 17:30:14 racoon: INFO: NAT-D payload #1 doesn't match
    Jun 19 17:30:14 racoon: INFO: NAT detected: ME PEER
    Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.9[22383] spi:7f414c4ae95afd07:9c1ca4e1693af978
    Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.9[22383]
    Jun 19 17:30:14 racoon: [212.183.128.9] INFO: received INITIAL-CONTACT
    Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
    Jun 19 17:30:14 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Jun 19 17:30:14 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Jun 19 17:30:34 racoon: ERROR: libipsec failed send update (No algorithm specified)
    Jun 19 17:30:34 racoon: ERROR: pfkey update failed.
    Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: failed to process ph2 packet (side: 1, status: 8).
    Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: phase2 negotiation failed.
    Jun 19 17:39:30 racoon: [212.183.128.9] ERROR: Wrong DPD sequence number (3743; last_ack=3743, seq=3743).

    Thanks for your time
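The racoon lines in this post (and the phase 1 lines posted earlier in the thread) can be triaged mechanically. The following Python is an added example, not code from the thread or from pfSense; it runs over a constructed sample built from lines in the same format as those posted, and the `hints()` mapping reflects the checks raised in the replies (port forward for UDP 500/4500, ESP proposal) rather than anything racoon itself emits.

```python
import re

# Constructed sample: racoon lines in the same format as the ones posted in
# this thread (same peer addresses as on the page, trimmed to the key events).
SAMPLE_LOG = """\
Jun 19 17:30:13 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.9[11637]
Jun 19 17:30:13 racoon: INFO: begin Aggressive mode.
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.9[22383]<->192.168.1.16[4500]
Jun 19 17:30:14 racoon: INFO: NAT-D payload #0 doesn't match
Jun 19 17:30:14 racoon: INFO: NAT detected: ME PEER
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.9[22383] spi:7f414c4ae95afd07:9c1ca4e1693af978
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.9[22383]
Jun 19 17:30:14 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
Jun 19 17:30:34 racoon: ERROR: libipsec failed send update (No algorithm specified)
Jun 19 17:30:34 racoon: ERROR: pfkey update failed.
Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: failed to process ph2 packet (side: 1, status: 8).
Jun 19 17:30:34 racoon: [212.183.128.9] ERROR: phase2 negotiation failed.
"""

# "<ts> racoon: [<optional tag>] <LEVEL>: <message>"; gateway tags are followed
# by ": " and peer-address tags by " ", hence the optional colon.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
                     r"(?:\[(?P<tag>[^\]]*)\]:? )?(?P<level>[A-Z]+): (?P<msg>.*)$")
PORTS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\]<->(\d+\.\d+\.\d+\.\d+)\[(\d+)\]")
POLICY_RE = re.compile(r"policy : (\S+)\[\d+\] (\S+)\[\d+\]")

def triage(log_text):
    """Walk the lines in order and summarise the IKE exchange they describe."""
    s = {"phase1_mode": None, "nat_t_ports": None, "nat_detected": None,
         "isakmp_sa_established": 0, "phase2_attempts": 0, "phase2_failures": 0,
         "phase2_errors": [], "generated_policy": None, "unparsed": 0}
    in_phase2 = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            s["unparsed"] += 1
            continue
        level, msg = m["level"], m["msg"]
        if msg.startswith("begin ") and msg.endswith(" mode."):
            s["phase1_mode"] = msg[len("begin "):-len(" mode.")]
        elif msg.startswith("NAT-T: ports changed to: "):
            pm = PORTS_RE.search(msg)  # peer[port]<->local[port] after floating to 4500
            s["nat_t_ports"] = (pm[1], int(pm[2]), pm[3], int(pm[4])) if pm else None
        elif msg.startswith("NAT detected: "):
            s["nat_detected"] = msg[len("NAT detected: "):]  # ME, PEER or ME PEER
        elif msg.startswith("ISAKMP-SA established"):
            s["isakmp_sa_established"] += 1
        elif msg.startswith("respond new phase 2 negotiation"):
            s["phase2_attempts"] += 1
            in_phase2 = True
        elif msg.startswith("no policy found"):
            pm = POLICY_RE.search(msg)  # (remote net, local net) racoon generates
            s["generated_policy"] = (pm[1], pm[2]) if pm else None
        elif msg == "phase2 negotiation failed.":
            s["phase2_failures"] += 1
            in_phase2 = False
        elif level == "ERROR" and in_phase2:
            s["phase2_errors"].append(msg)  # the reason lines before the failure
    return s

def hints(s):
    """Map the summary to the checks the replies in this thread point at."""
    out, sides = [], (s["nat_detected"] or "").split()
    if "ME" in sides:
        out.append("pfSense itself is behind NAT: UDP 500 and 4500 need a real port forward, not just 'DMZ'")
    if "PEER" in sides:
        out.append("the peer is behind NAT (carrier NAT on the 3G side): keep NAT-T enabled")
    if any("No algorithm specified" in e for e in s["phase2_errors"]):
        out.append("phase 2 died before an SA was installed: no usable ESP cipher agreed, check ESP encryption on both ends")
    return out
```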



  • Hi,

    Last try... plz post ur IPsec parameters. What remote peer do u define on the pfSense site?

    Use 3DES / SHA1 for best compatibility in phase 2.

    cya



  • Sorry  ;)

    Screenshots attached

    cheers

    ![pfsense ipsec overview.jpg](/public/imported_attachments/1/pfsense ipsec overview.jpg)
    ![pfsense phase2.jpg](/public/imported_attachments/1/pfsense phase2.jpg)
    ![pfsense Tunnel Page1.jpg](/public/imported_attachments/1/pfsense Tunnel Page1.jpg)
    ![pfsense tunnel page2.jpg](/public/imported_attachments/1/pfsense tunnel page2.jpg)



  • Sarian Screenshots

    ![sarian ike config.JPG](/public/imported_attachments/1/sarian ike config.JPG)
    ![sarian ipsec page1.JPG](/public/imported_attachments/1/sarian ipsec page1.JPG)
    ![sarian ipsec page2.JPG](/public/imported_attachments/1/sarian ipsec page2.JPG)
    ![sarian ipsec status.JPG](/public/imported_attachments/1/sarian ipsec status.JPG)



  • Hi,

    U need to create a remote user on pfSense.

    Go to System -> User Manager

    Create user e.g. sarian3g with IPsec key, effective privileges: assign to all groups with "USER - xxxxx"

    pfSense + Sarian switch to ESP

    pfsense p1:
    mode: aggressive
    my identifier: distinguished name: pfsense
    3DES/Sha1
    lifetime: 28800
    play with proposal checking option

    pfsense p2:
    mode tunnel
    protocol ESP
    3DES/Sha1
    lifetime 3600

    Go to Advanced -> Miscellaneous -> uncheck "prefer older SA" and check racoon debug mode
    Go to Status: System logs: Settings, change number of log entries to >= 500

    sarian:

    change p1 and p2 parameters to match pfSense
    peer id: pfsense
    our id: sarian3g
    send our id as FQDN: yes
    u need to define the preshared key of sarian3g in ur config
    change duration (kb) to 0
    local subnet address: 192.168.0.0/255.255.255.0
    remote subnet: 192.168.5.0/255.255.255.0

    cya



  • Thanks, will give it all a try. I do have users already set up but will double check their settings.

    thanks again



  • Hi Mate

    Done all your settings; tunnel is coming up but still no pinging from either side of the LAN/WAN port.

    Logs below:

    Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:b429387f02bef23c:7a681eab5df9de76
    Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[6005]<->192.168.1.16[4500]
    Jun 19 22:03:57 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
    Jun 19 22:03:57 racoon: INFO: NAT-D payload #0 doesn't match
    Jun 19 22:03:57 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[6005] with algo #2
    Jun 19 22:03:57 racoon: INFO: NAT-D payload #1 doesn't match
    Jun 19 22:03:57 racoon: INFO: NAT detected: ME PEER
    Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
    Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[6005]
    Jun 19 22:03:57 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
    Jun 19 22:03:57 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
    Jun 19 22:03:57 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Jun 19 22:03:57 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Jun 19 22:03:57 racoon: ERROR: libipsec failed send update (No algorithm specified)
    Jun 19 22:03:57 racoon: ERROR: pfkey update failed.
    Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
    Jun 19 22:03:57 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.
    Jun 19 22:03:58 racoon: [212.183.128.40] ERROR: delete payload with invalid doi:0.
    Jun 19 22:03:58 racoon: INFO: purging ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
    Jun 19 22:03:58 racoon: INFO: purged ISAKMP-SA spi=f53921c972bc9d6e:ea90a881ec3f5a8c.
    Jun 19 22:03:59 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 192.168.1.16[4500]-212.183.128.40[6005] spi:f53921c972bc9d6e:ea90a881ec3f5a8c
    Jun 19 22:05:18 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 192.168.1.16[500]<=>212.183.128.40[24061]
    Jun 19 22:05:18 racoon: INFO: begin Aggressive mode.
    Jun 19 22:05:18 racoon: INFO: received Vendor ID: DPD
    Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jun 19 22:05:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Jun 19 22:05:18 racoon: INFO: received Vendor ID: CISCO-UNITY
    Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
    Jun 19 22:05:18 racoon: INFO: Adding remote and local NAT-D payloads.
    Jun 19 22:05:18 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[24061] with algo #2
    Jun 19 22:05:18 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[500] with algo #2
    Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: NAT-T: ports changed to: 212.183.128.40[60021]<->192.168.1.16[4500]
    Jun 19 22:05:20 racoon: [192.168.1.16] INFO: Hashing 192.168.1.16[4500] with algo #2
    Jun 19 22:05:20 racoon: INFO: NAT-D payload #0 doesn't match
    Jun 19 22:05:20 racoon: [212.183.128.40] INFO: Hashing 212.183.128.40[60021] with algo #2
    Jun 19 22:05:20 racoon: INFO: NAT-D payload #1 doesn't match
    Jun 19 22:05:20 racoon: INFO: NAT detected: ME PEER
    Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 192.168.1.16[4500]-212.183.128.40[60021] spi:bb1ef0750c603600:79bf16d2d4d3203b
    Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 192.168.1.16[4500]<=>212.183.128.40[60021]
    Jun 19 22:05:20 racoon: [212.183.128.40] INFO: received INITIAL-CONTACT
    Jun 19 22:05:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
    Jun 19 22:05:20 racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Jun 19 22:05:20 racoon: INFO: Adjusting peer's encmode UDP-Tunnel(61443)->Tunnel(1)
    Jun 19 22:05:21 racoon: ERROR: libipsec failed send update (No algorithm specified)
    Jun 19 22:05:21 racoon: ERROR: pfkey update failed.
    Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: failed to process ph2 packet (side: 1, status: 8).
    Jun 19 22:05:21 racoon: [212.183.128.40] ERROR: phase2 negotiation failed.



  • One other thing I should mention: in the Sarian the ESP encryption level is either off or null; can't choose 3DES etc.



  • Update

    Got 3DES ESP encryption enabled on the Sarian; tunnel is up and works.

    Only thing is I can ping and bring up devices on the Sarian from the pfSense LAN, but can't connect/ping to any devices from the Sarian LAN to the pfSense LAN.

    Any ideas??

    Thanks



  • hi,

    Did u create an IPsec rule on pfSense?

    Are there any blocking events on enc0?

    cya



  • Hi SB

    Thanks for the reply and help again.

    Sorry, might be a daft question: what is enc0? :-[

    IPsec rules created; subnets are pfSense 192.168.5.0, Sarian 192.168.0.0. Should the gateways be set the same, i.e. pfSense 192.168.5.254, Sarian 0.254 (this is now the IP of the Sarian LAN port/config port)?

    Thanks again



  • Hi,

    enc0 is the pfSense internal IPsec adapter. If incoming VPN traffic gets blocked, u see firewall blocking events on the enc0 interface.

    Ur IPsec rule looks like:

    | Proto | Source         | Port | Destination              | Port | Gateway | Queue |
    |-------|----------------|------|--------------------------|------|---------|-------|
    | *     | 192.168.5.0/24 | *    | LAN net (192.168.0.0/24) | *    | *       | none  |

    > Only thing is i can ping and bring up devices on the sarian from the pfsense lan but cant connect/ping to any devices from the sarian lan to the pfsense lan

    Too much for me :D

    is this right?

    When the tunnel comes up you...

    Sarian site:

    ...can't ping pfSense LAN IP
    ...can't ping device in pfSense network

    pfSense site:

    ...can ping Sarian LAN IP
    ...can ping device in Sarian network

    Plz post the racoon IPsec-SA establishment... is there something similar on the Sarian?

    cya



  • apologies for being a pain  ;D

    Sorted it now. Checked firewall logs: pings were being denied from Sarian to pfSense; added an easy rule, works a dream.

    I'll get there in the end :)

    thanks again



  • Hi Folks

    Struggling again :)

    Having got multiple mobile clients running with the Sarian 3G routers, I can see devices from Sarian A to pfSense and vice versa, same for Sarian B and C. What I can't do is talk from Sarian A to B, A to C, C to B etc. The routers are on 192.168.6.0, 7.0 and 8.0; pfSense is 192.168.5.0.

    Checked firewall logs; nothing comes through when I try and ping Sarian to Sarian.

    Any help again appreciated

    Cheers



  • Hi,

    This is by design^^ u can't route IPsec.

    What u have to do is create multiple phase 2 entries on pfSense and the Sarians.

    Have a look at this example:

    Each Sarian has an IPsec tunnel to ur central pfSense. Sarian A can't reach the Sarian B network because there is no route.

                  pfSense
                192.168.5.0
                 |        |
                 |        |
                 |        |
           Sarian A      Sarian B
         192.168.6.0   192.168.7.0

    Solution:
    IPsec tunnel pfSense <-> Sarian A

    pfSense:
    add a phase 2 like this:

    localnet: 192.168.7.0/24
    remotenet: 192.168.6.0/24
    use the same encryption as ur first phase 2 entry.

    Sarian A:

    I don't know if the Sarian can have a second phase 2... but u can try to add a second tunnel with the same shared key... this should work.

    localnet: 192.168.6.0/24
    remotenet: 192.168.7.0/24

    IPsec tunnel pfSense <-> Sarian B

    pfSense:
    add a phase 2 like this:

    localnet: 192.168.6.0/24
    remotenet: 192.168.7.0/24
    use the same encryption as ur first phase 2 entry.

    Sarian B:

    I don't know if the Sarian can have a second phase 2... but u can try to add a second tunnel with the same shared key... this should work.

    localnet: 192.168.7.0/24
    remotenet: 192.168.6.0/24

    At the end, create firewall rules on pfSense to allow traffic between Sarian A and B and vice versa... that's it.

    If u have many Sarians to connect to each other, u need to combine networks to minimize phase 2 entries; otherwise there is much to configure.

    good luck

    cya
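The hub-and-spoke phase 2 layout described in this reply is easy to get wrong once there are more than two spokes, so here is an added example (not part of the thread, and not pfSense or Sarian code) that generates the selector pairs for the three Sarian LANs named in the thread, mirrors them on the pfSense side, and shows the "combine networks" shortcut. Spoke names and the `combine` option are assumptions of the example; `phase2_plan()` goes beyond the two-spoke case in the reply by handling any number of spokes.

```python
import ipaddress

# Constructed from the networks named in this thread: the central pfSense LAN
# and three Sarian LANs (the spoke names are placeholders).
HUB_NET = "192.168.5.0/24"
SPOKES = {"Sarian A": "192.168.6.0/24", "Sarian B": "192.168.7.0/24",
          "Sarian C": "192.168.8.0/24"}

def phase2_plan(hub_net, spokes, combine=False):
    """Return {"pfsense": [(local, remote), ...], <spoke>: [(local, remote), ...]}.

    Each spoke gets one phase 2 to the hub LAN plus one per other spoke whose
    remote side is that spoke's LAN.  The mirrored pfSense entry lists the other
    spoke's LAN as *local*: a packet decrypted from one tunnel then matches the
    outbound selector of the other tunnel and is re-encrypted towards it, so the
    hub relays between spokes without routing anything in the clear.
    combine=True collapses adjacent remote networks into one selector, which is
    the "combine networks to minimize phase 2 entries" shortcut from the reply."""
    hub = ipaddress.ip_network(hub_net)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in spokes.items()}
    plan = {"pfsense": []}
    for name, net in nets.items():
        remotes = [hub] + [o for other, o in nets.items() if other != name]
        if combine:
            remotes = list(ipaddress.collapse_addresses(remotes))
        plan[name] = [(str(net), str(r)) for r in remotes]
        plan["pfsense"] += [(str(r), str(net)) for r in remotes]
    return plan

def entry_count(plan):
    """Total number of phase 2 entries an admin has to configure by hand."""
    return sum(len(v) for v in plan.values())

def mirrored(plan):
    """True when every spoke-side (local, remote) pair has its (remote, local)
    twin on pfSense; without the twin one direction has no matching selector."""
    hub_side = set(plan["pfsense"])
    return all((r, l) in hub_side
               for name, entries in plan.items() if name != "pfsense"
               for l, r in entries)

def selectors_overlap(plan):
    """List entries whose local and remote networks overlap.  A hand-picked
    supernet that is too wide would swallow a spoke's own LAN; collapsing only
    the *other* networks, as phase2_plan does, never produces such an entry."""
    bad = []
    for name, entries in plan.items():
        for l, r in entries:
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r)):
                bad.append((name, l, r))
    return bad
```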

