Netgate Discussion Forum
    Act as only responder IPSec tunnel endpoint

    3 Posts 2 Posters 3.3k Views
    maurodx:

      Hi all,
      I'm ready to try pfSense in order to replace a non-working configuration with a Netgear FVS338.

      Basically I have 17 remote UMTS routers that have to tunnel each local network to my central network.

      Central network behind the Netgear (will be pfSense):
      192.168.1.0
      255.255.255.0

      Remote networks:
      10.0.xxx.0
      255.255.255.0
      with xxx from 1 to 17

      I have dynamic IPs on the UMTS routers: the Netgear permits configuring phase 1 as "Responder" so that the remote gateway IP does not have to be specified.

      How can I do this with pfSense?

      I suppose I can't go with mobile clients because I have to access the remote local networks.

      Thanks

      spiritbreaker:

        Hi,

        You need to use the mobile config because UMTS networks are not reachable from external networks.

        Example for 1 site:

        1. Central pfSense:

        Go to System / User Manager.
        Create a user group, e.g. remoteaccess, with privileges: User - VPN - IPsec xauth Dialin.

        Create 17 users in the User Manager with pre-shared keys, e.g. site1 - site17, and add them to the group remoteaccess.

        Go to IPsec -> Mobile clients -> enable IKE mobile extension -> Save.

        Create phase 1.
        Create phase 2.

        Create a firewall rule for each mobile subnet on the IPsec tab,

        e.g. allow any traffic from subnet 10.0.1.0/24 to 192.168.1.0/24,

        or one for all: allow any traffic from subnet 10.0.0.0/19 to 192.168.1.0/24.

        Attachments (screenshots):
        ![central_System User Manager.jpg](/public/imported_attachments/1/central_System User Manager.jpg)
        ![central_IPsec Mobile.jpg](/public/imported_attachments/1/central_IPsec Mobile.jpg)
        central_phase1.jpg
        ![central_Phase 2.jpg](/public/imported_attachments/1/central_Phase 2.jpg)
        ![central_IPsec Keys.jpg](/public/imported_attachments/1/central_IPsec Keys.jpg)

        Pfsense running at 11 Locations
        -mobile OPENVPN and IPSEC
        -multiwan failover
        -filtering proxy(squidguard) in bridgemode with ntop monitoring
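A quick check of the "one for all" rule above, added here as an example and not part of the thread: it confirms that 10.0.0.0/19 is the smallest single prefix covering sites 1 to 17, lists the extra /24 blocks that rule admits beyond the 17 sites, and builds the per-site alternative. All addresses are the constructed values from this thread.

```python
import ipaddress

# Values constructed from this thread: 17 remote sites 10.0.1.0/24 .. 10.0.17.0/24,
# the central LAN 192.168.1.0/24, and the proposed "one for all" prefix 10.0.0.0/19.
REMOTE_SITES = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(1, 18)]
CENTRAL_LAN = ipaddress.ip_network("192.168.1.0/24")
ONE_FOR_ALL = ipaddress.ip_network("10.0.0.0/19")


def smallest_covering_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until all sites fit
    return candidate


def extra_blocks(supernet, sites):
    """/24 blocks inside supernet that are not one of the listed sites.

    A rule written for the supernet also passes traffic from these blocks,
    which is the least-privilege cost of a single 'one for all' rule.
    """
    return [b for b in supernet.subnets(new_prefix=24) if b not in sites]


def per_site_rules(sites, central):
    """Per-site alternative: one (source, destination) pair per remote /24."""
    return [(str(s), str(central)) for s in sites]


if __name__ == "__main__":
    print("smallest covering prefix:", smallest_covering_supernet(REMOTE_SITES))
    extras = extra_blocks(ONE_FOR_ALL, REMOTE_SITES)
    print(f"{ONE_FOR_ALL} also admits {len(extras)} non-site /24s, e.g. {extras[0]}")
    for src, dst in per_site_rules(REMOTE_SITES, CENTRAL_LAN)[:2]:
        print(f"pass from {src} to {dst}")
```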

        spiritbreaker:

          Part 2:

          UMTS pfSense:

          Create phase 1:
          My identifier: KeyID tag = `<user>`
          Pre-shared key = `<userkey>`
          Create phase 2.

          Create an IPsec firewall rule:

          e.g. allow any traffic from the central subnet 192.168.1.0/24 to e.g. 10.0.1.0/24.

          Ping your central pfSense LAN IP and check your IPsec logs.

          If your UMTS routers are not pfSense you need to translate these settings. The UMTS routers need to support NAT-T.

          cya

          Attachments (screenshots):
          ![umts_Phase 1.jpg](/public/imported_attachments/1/umts_Phase 1.jpg)
          ![umts_Phase 2.jpg](/public/imported_attachments/1/umts_Phase 2.jpg)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.