Act as only responder IPSec tunnel endpoint
I'm ready to try pfSense in order to replace a non-working configuration with a Netgear FVS338.
Basically I have 17 remote UMTS routers that each have to tunnel their local network to my central network.
Central network behind Netgear (will be pfSense)
with xxx from 1 to 17
I have dynamic IPs on the UMTS routers: Netgear permits configuring phase 1 as "Responder" so that the remote gateway IP does not have to be specified.
How can I do this with pfSense?
I can't go with mobile clients, I suppose, because I have to access the remote local networks.
You need to use the mobile clients configuration because UMTS networks are not reachable from external networks.
Example for 1 site:
1. central pfSense:
create a user group, e.g. remoteaccess, with the privilege: User - VPN - IPsec xauth Dialin
create 17 users in the User Manager with pre-shared keys, e.g. site1 - site17, and add them to the group remoteaccess
go to IPsec -> Mobile Clients -> enable IKE mobile extension -> save
create phase 1
create phase 2
create a firewall rule for each mobile subnet on the IPsec tab
e.g.: allow any traffic from subnet 10.0.1.0/24 to 192.168.1.0/24
or one for all: allow any traffic from subnet 10.0.0.0/19 to 192.168.1.0/24
![central_System User Manager.jpg](/public/imported_attachments/1/central_System User Manager.jpg)
![central_IPsec Mobile.jpg](/public/imported_attachments/1/central_IPsec Mobile.jpg)
![central_Phase 2.jpg](/public/imported_attachments/1/central_Phase 2.jpg)
![central_IPsec Keys.jpg](/public/imported_attachments/1/central_IPsec Keys.jpg)
2. UMTS router:
create phase 1
my identifier: KeyID tag = `<user>`
pre-shared key = `<userkey>`
create phase 2
create an IPsec firewall rule:
e.g.: allow any traffic from the central subnet 192.168.1.0/24 to e.g. 10.0.1.0/24
ping your central pfSense LAN IP, check your IPsec logs
If your UMTS routers are not pfSense you need to translate these settings. The UMTS routers need to support NAT-T.
![umts_Phase 1.jpg](/public/imported_attachments/1/umts_Phase 1.jpg)
![umts_Phase 2.jpg](/public/imported_attachments/1/umts_Phase 2.jpg)
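As an added example (not code from the thread or from pfSense), the following Python script lays out the per-site plan the answer above describes for all 17 UMTS sites at once: the KeyID tag each router uses as its Phase 1 identifier, the pre-shared key stored on the matching User Manager user, the remote /24, and the two IPsec-tab firewall rules (one on the central pfSense, one on the UMTS router). It assumes that site N uses 10.0.N.0/24 and the KeyID siteN, which is an assumption for this example; it generates random pre-shared keys instead of guessable ones such as "site1", and it checks that no site subnet overlaps the central LAN or another site and that every site falls inside the "one for all" 10.0.0.0/19 rule, so that a single aggregate rule is actually safe to use.

```python
import ipaddress
import secrets

# Constructed values taken from the thread: central LAN 192.168.1.0/24 and the
# "one for all" aggregate 10.0.0.0/19. The mapping site N -> 10.0.N.0/24 and
# the KeyID names site1..site17 are assumptions made for this example.
CENTRAL_LAN = ipaddress.ip_network("192.168.1.0/24")
AGGREGATE = ipaddress.ip_network("10.0.0.0/19")
SITE_COUNT = 17


def site_subnet(site_no, aggregate=AGGREGATE):
    """The /24 for site N: the N-th /24 inside the aggregate (site 1 -> 10.0.1.0/24)."""
    subnets = list(aggregate.subnets(new_prefix=24))
    if not 1 <= site_no < len(subnets):
        raise ValueError(f"site {site_no} does not fit inside {aggregate}")
    return subnets[site_no]


def new_psk(nbytes=32):
    """A random pre-shared key; never reuse the KeyID (site1, ...) as the PSK."""
    return secrets.token_urlsafe(nbytes)


def build_plan(site_count=SITE_COUNT, central=CENTRAL_LAN, aggregate=AGGREGATE):
    """One entry per site: KeyID, PSK, remote /24 and both IPsec-tab rules."""
    plan = []
    for n in range(1, site_count + 1):
        remote = site_subnet(n, aggregate)
        plan.append({
            "keyid": f"site{n}",               # Phase 1 "My identifier: KeyID tag" on the UMTS router
            "psk": new_psk(),                  # pre-shared key on the User Manager user of that site
            "remote_net": remote,              # Phase 2 local network on the UMTS router
            "central_rule": (remote, central), # central pfSense, IPsec tab: (source, destination)
            "remote_rule": (central, remote),  # UMTS router, IPsec tab: (source, destination)
        })
    return plan


def check_plan(plan, central=CENTRAL_LAN, aggregate=AGGREGATE):
    """Return problems that would break routing or make the single /19 rule unsafe."""
    problems = []
    if aggregate.overlaps(central):
        problems.append(f"aggregate {aggregate} overlaps central LAN {central}")
    seen = set()
    for entry in plan:
        net, keyid = entry["remote_net"], entry["keyid"]
        if net.overlaps(central):
            problems.append(f"{keyid}: {net} overlaps central LAN {central}")
        if not net.subnet_of(aggregate):
            problems.append(f"{keyid}: {net} is not covered by {aggregate}")
        if net in seen:
            problems.append(f"{keyid}: {net} is already used by another site")
        seen.add(net)
    if len({e["psk"] for e in plan}) != len(plan):
        problems.append("two sites share a pre-shared key")
    return problems


def format_rules(plan):
    """Human-readable rule list (two lines per site) for a change ticket."""
    lines = []
    for e in plan:
        src, dst = e["central_rule"]
        lines.append(f"central  IPsec tab: pass any from {src} to {dst}")
        src, dst = e["remote_rule"]
        lines.append(f"{e['keyid']:<8} IPsec tab: pass any from {src} to {dst}")
    return lines


if __name__ == "__main__":
    plan = build_plan()
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    for e in plan:
        print(f"{e['keyid']:<8} remote={e['remote_net']}  psk={e['psk']}")
    print("\n".join(format_rules(plan)))
```

Run it once, paste each `psk` into the matching User Manager user and into the UMTS router's Phase 1, and enter the `keyid` as that router's KeyID tag; if `check_plan` reports anything, fix the addressing before relying on the single 10.0.0.0/19 rule, because an overlap with the central LAN would let the aggregate rule match traffic it was never meant to match.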