Act as only responder IPSec tunnel endpoint

  • Hi all,
    I'm ready to try pfSense in order to replace a non-working configuration with a Netgear FVS338.

    Basically I have 17 remote UMTS routers that have to tunnel their local networks to my central network.

    Central network behind Netgear (will be pfSense)

    Remote networks
    with xxx from 1 to 17

    I have dynamic IPs on the UMTS routers: the Netgear permits configuring phase 1 as "Responder" so that no remote gateway IP has to be specified.

    How can I do this with pfSense?

    I suppose I can't go with mobile clients, because I have to access the remote local networks.


  • Hi,

    You need to use the mobile config, because UMTS networks are not reachable from external networks.

    Example for one site:

    1. central pfSense:

    Go to System / User Manager.
    Create a user group, e.g. remoteaccess, with the privilege: User - VPN - IPsec xauth Dialin.

    Create 17 users in the User Manager with pre-shared keys, e.g. site1 to site17, and add them to the group remoteaccess.

    Go to IPsec -> Mobile Clients -> enable IKE mobile extension -> Save.

    Create phase 1.
    Create phase 2.

    Create a firewall rule for each mobile subnet on the IPsec tab.

    eg: allow any traffic from subnet eg. to

    or one for all: allow any traffic from subnet to

    ![central_System User Manager.jpg](/public/imported_attachments/1/central_System User Manager.jpg)
    ![central_IPsec Mobile.jpg](/public/imported_attachments/1/central_IPsec Mobile.jpg)

    ![central_Phase 2.jpg](/public/imported_attachments/1/central_Phase 2.jpg)
    ![central_IPsec Keys.jpg](/public/imported_attachments/1/central_IPsec Keys.jpg)

  • part 2:

    UMTS pfSense:

    Create phase 1.
    My identifier: KeyID tag = `<user>`, pre-shared key = `<userkey>`.
    Create phase 2.

    Create an IPsec firewall rule:

    eg: allow any traffic from central subnet to eg.

    Ping your central pfSense LAN IP and check your IPsec logs.

    If your UMTS routers are not pfSense, you need to translate these settings. The UMTS routers need to support NAT-T.


    ![umts_Phase 1.jpg](/public/imported_attachments/1/umts_Phase 1.jpg)
    ![umts_Phase 2.jpg](/public/imported_attachments/1/umts_Phase 2.jpg)
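The pfSense GUI steps in the two posts above end up as a strongSwan configuration on the box. As an added illustration (not the poster's settings and not the file pfSense actually generates), this is what the central, responder-only side for one site looks like in strongSwan's own swanctl.conf format; the WAN address, the LAN subnets, the site name and both secrets are assumed placeholders.

```conf
# Added illustration: central pfSense (responder) side for ONE site, in
# strongSwan swanctl.conf form. All addresses, names and secrets are assumed.
connections {
    site1 {
        version = 1                   # IKEv1, as in the mobile-clients setup above
        aggressive = yes              # required for PSK with a KeyID identity (not an IP)
        local_addrs  = 203.0.113.10   # central WAN IP (assumed)
        remote_addrs = %any           # responder only: the UMTS router's IP is dynamic
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = keyid:site1        # "My identifier: KeyID tag" on the UMTS side
        }
        remote-xauth {
            auth = xauth              # second round: the User Manager xauth login
        }
        children {
            site1 {
                local_ts  = 192.168.0.0/24   # central LAN (assumed)
                remote_ts = 192.168.1.0/24   # this site's LAN (assumed)
                start_action = none          # never initiate; wait for the site to dial in
            }
        }
    }
}

secrets {
    ike-site1 {
        id     = keyid:site1
        secret = "PLACEHOLDER-PSK-SITE1"       # per-site PSK from the Pre-Shared Keys tab
    }
    xauth-site1 {
        id     = site1
        secret = "PLACEHOLDER-XAUTH-PASSWORD"  # the site1 user's password
    }
}
```

Each further site (site2 to site17) gets its own connection block with its own keyid, child traffic selectors and secrets. This only brings the tunnels up; the firewall rules on the IPsec tab from the post are still needed to pass traffic.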
