Question about Simple Tunneling with AH



  • I'm using a couple copies of the pfSense Virtual Appliance to learn about pfSense and IPSec. I have the setup described below the dashed line.

    I'm trying to set up a static tunnel between pfSense 1 and pfSense 2.

    So, I added a firewall rule on both pfSense machines under the IPSec tab to allow everything through, and set up identical tunnels on both sides (but with opposite remote subnets and gateways, of course). If I use ESP, it seems to work - I can ping 192.168.2.1 from Client 1 (after adding a routing rule on Client 1).

    If I shut down IPSec on both pfSense machines, change the tunnels to AH, and restart IPSec, no joy. The IPSec logs seem to indicate that the tunnel is set up, but the ping doesn't work.

    What is happening?

    –-------------------------------
    Client 1:
    IP Address - 192.168.1.100/24
    Virtual Network 4

    pfSense 1:
    LAN Address - 192.168.1.1/24
    LAN Virtual Network 4
    WAN Address - 10.0.0.1/24
    WAN Virtual Network 5

    pfSense 2:
    WAN Address - 10.0.0.2/24
    WAN Virtual Network 5
    LAN Address - 192.168.2.1/24
    LAN Virtual Network 6

    Client 2:
    IP Address - 192.168.2.100/24
    Virtual Network 6

    The virtual networks mentioned above are completely isolated from each other and from any physical network - no bridging or NAT-ing out to the real world.



  • I'm going to go ahead and give this topic a little nudge in hopes that someone can shed some light. I've also found a couple of posts like this:

    http://forum.pfsense.org/index.php/topic,29152.msg151679.html#msg151679

    where someone was trying to use AH, and the workaround they came up with was to use ESP.

    I'd really like to use AH, as in the eventual implementation one end of the tunnel will be a low powered device that I'd prefer to not saddle with a bunch of encryption, and in this application confidentiality is not as important as authentication and integrity.


Log in to reply