Act as only responder IPSec tunnel endpoint



  • Hi all,
    I'm ready to try pfSense in order to replace a non-working configuration with a Netgear FVS338.

    Basically I have 17 remote UMTS routers that have to tunnel their local networks to my central network.

    Central network behind Netgear (will be pfSense)
    192.168.1.0
    255.255.255.0

    Remote networks
    10.0.xxx.0
    255.255.255.0
    with xxx from 1 to 17

    I have dynamic IPs on the UMTS routers: the Netgear permits configuring phase 1 as "Responder" in order not to specify the remote gateway IP.

    How can I do this with pfSense?

    I suppose I can't go with mobile clients because I have to access the remote local networks.

    Thanks



  • Hi,

    You need to use the mobile clients configuration because UMTS networks are not reachable from external networks.

    Example for 1 Site:

    1. central pfsense:

    Go to System / User Manager.
    Create a user group, e.g. remoteaccess, with the privilege: User - VPN - IPsec xauth Dialin.

    Create 17 users in User Manager with pre-shared keys, e.g. site1 to site17, and add them to the group remoteaccess.

    Go to IPsec -> Mobile clients -> Enable IKE mobile extension -> Save.

    create phase 1
    create phase 2

    Create a firewall rule for each mobile subnet on the IPsec tab,

    e.g. allow any traffic from subnet 10.0.1.0/24 to 192.168.1.0/24,

    or one for all: allow any traffic from subnet 10.0.0.0/19 to 192.168.1.0/24.

    ![central_System User Manager.jpg](/public/imported_attachments/1/central_System User Manager.jpg)
    ![central_IPsec Mobile.jpg](/public/imported_attachments/1/central_IPsec Mobile.jpg)


    ![central_Phase 2.jpg](/public/imported_attachments/1/central_Phase 2.jpg)
    ![central_IPsec Keys.jpg](/public/imported_attachments/1/central_IPsec Keys.jpg)



  • part 2:

    UMTS pfSense:

    create phase 1
    my identifier: keyID tag = <user>
    preshared key = <userkey>
    create phase 2

    Create an IPsec firewall rule,

    e.g. allow any traffic from the central subnet 192.168.1.0/24 to 10.0.1.0/24.

    Ping your central pfSense LAN IP and check your IPsec logs.

    If your UMTS routers are not pfSense you need to translate these settings. The UMTS routers need to support NAT-T.

    cya

    ![umts_Phase 1.jpg](/public/imported_attachments/1/umts_Phase 1.jpg)
    ![umts_Phase 2.jpg](/public/imported_attachments/1/umts_Phase 2.jpg)
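The answer above offers two ways to write the IPsec-tab firewall rules on the central pfSense: one rule per site, or a single "one for all" rule from 10.0.0.0/19. The script below is an added example, not code from the original post or from pfSense; it only uses the subnets stated in the thread (central 192.168.1.0/24, sites 10.0.1.0/24 to 10.0.17.0/24) and the proposed /19 aggregate, and shows what that aggregate really admits. It also computes the smallest set of prefixes that covers exactly the 17 sites, which is a third option between 17 rules and one over-broad rule. Everything in it is constructed from the thread's numbers; nothing is read from a live firewall.

```python
"""Sanity-check the IPsec-tab firewall rules for the 17-site hub in the thread.

Constructed example (not from the pfSense forum post): the only inputs are the
subnets the thread states, i.e. central 192.168.1.0/24, sites 10.0.1.0/24 ..
10.0.17.0/24, and the proposed 'one for all' aggregate 10.0.0.0/19.
"""
import ipaddress

CENTRAL = ipaddress.ip_network("192.168.1.0/24")
SITES = [ipaddress.ip_network(f"10.0.{n}.0/24") for n in range(1, 18)]
PROPOSED_AGGREGATE = ipaddress.ip_network("10.0.0.0/19")


def per_site_rules(sites=SITES, central=CENTRAL):
    """Option 1: one allow rule per site, as (source, destination) pairs."""
    return [(str(s), str(central)) for s in sites]


def minimal_supernet(sites=SITES):
    """Smallest single prefix that contains every site subnet.

    Starts at the lowest site and widens the prefix one bit at a time until
    the highest site also fits inside it.
    """
    first, last = min(sites), max(sites)
    net = first
    while not last.subnet_of(net):
        net = net.supernet()
    return net


def uncovered_by_sites(aggregate=PROPOSED_AGGREGATE, sites=SITES):
    """Site-sized (/24) subnets inside the aggregate rule that no site uses.

    Traffic from these sources would be allowed by the 'one for all' rule
    even though no remote site is assigned to them.
    """
    site_set = set(sites)
    return [str(n) for n in aggregate.subnets(new_prefix=24) if n not in site_set]


def exact_cover(sites=SITES):
    """Option 3: the fewest prefixes that cover exactly the site subnets.

    ipaddress.collapse_addresses merges adjacent, aligned networks, so this
    admits no source that is not one of the 17 sites.
    """
    return [str(n) for n in ipaddress.collapse_addresses(sites)]


def rule_checks(aggregate=PROPOSED_AGGREGATE, sites=SITES, central=CENTRAL):
    """Facts a reviewer wants before choosing the aggregate rule."""
    return {
        "all_sites_covered": all(s.subnet_of(aggregate) for s in sites),
        "overlaps_central": aggregate.overlaps(central),
        "is_minimal_single_prefix": aggregate == minimal_supernet(sites),
        "slack_subnets": len(uncovered_by_sites(aggregate, sites)),
        "exact_cover_rules": len(exact_cover(sites)),
    }


if __name__ == "__main__":
    print("per-site rules:", len(per_site_rules()))
    print("minimal single prefix:", minimal_supernet())
    print("unused /24s admitted by the aggregate:", uncovered_by_sites())
    print("exact cover:", exact_cover())
    print(rule_checks())
```

The check confirms that 10.0.0.0/19 is indeed the smallest single prefix that holds all 17 sites, but it also admits 15 unused /24s (10.0.0.0/24 and 10.0.18.0/24 through 10.0.31.0/24). With the mobile-client setup the phase 2 selectors already bound what each tunnel can carry, so the firewall rule is a second layer; if you want that layer to be exact without 17 rules, the five collapsed prefixes from exact_cover() are the tightest option.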

