IPSec on OPT1



  • When I searched I couldn't find a definitive answer to the question of being able to pull up an IPSec tunnel between two PfSense boxes on the OPT interfaces. I was able to get a tunnel running between two boxes OPT to OPT using the latest snapshot on both sides and adding a route to the remote endpoint via OPT on both sides. Next project is to try and disable the tunnel on OPT and setup one on WAN so I can have a manual failover plan…
    I should add that both sides are static. They are PPPoE DSLs, but I have the routers doing the PPPoE to avoid issues.



  • Thanks, I already asked a lot of people with the same config to test this (adding a route for this traffic) but never got any reply. Now that we know it works we can consider adding a route behind the scenes automatically.



  • hi dotdash,

    Is there any chance you could go into more detail about the setup you used to accomplish the OPT1 - OPT1 VPN connection? I have tried several times with the latest versions, and cannot get this to work. Have even had Hoba help out in trying to set up the right pieces. If you could list the exact snapshot version you used and the order you went in setting it up, it would be most appreciated.

    Thanks in advance…



  • Update to the recent snapshot, this is now doable.



  • For the record, the boxes are running 1.0.1-SNAPSHOT-02-27-2007
    built on Tue Mar 6 14:41:09 EST 2007. Tunnel is set aggressive, auth via pre-shared key. Identifier is set to IP address (opt1 IP), not 'My IP address'. There is a static route on both boxes, pointing to the other side's opt1 IP address via their opt1. The lines are DSLs on a /29 each. OPT1 interfaces are static, provider router is static'd and doing the PPPoE.



  • Dotdash,

    Thanks for the update.  I just loaded up my two test firewalls and only changed two fields:

    1. I set the tunnels to AGGRESSIVE
    2. I set the identifier to IP Address

    and…  VOILA!!! Thanks much as it came up in a snap.

    I will have to try fresh new installs later on and see if this is committed in the background automatically, or if static routes still need to be applied.  Same goes for whether or not the tunnel can be established in MAIN mode.



  • The static routes are still needed. Autocreation of this is a bit tricky currently. Maybe we'll implement this later (after 1.2 is out).
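    Added illustration (not from this thread or pfSense) of why the static host route described above is needed: with only the interface networks and the WAN default route, longest-prefix matching sends IKE traffic to the far side's OPT1 address out the WAN, and a /32 route via the OPT1 provider router is what pins it to OPT1. All addresses are constructed from RFC 5737 documentation ranges.

```python
"""Route lookup for an OPT1-to-OPT1 IPsec peer (constructed example)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]  # None means the prefix is directly connected


def connected_routes(interfaces: dict) -> List[Route]:
    """One connected route per interface, derived from its address/CIDR."""
    return [Route(ipaddress.ip_interface(cidr).network, name, None)
            for name, cidr in interfaces.items()]


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match, as the firewall's routing table does it."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_for_peer(interfaces: dict, default_gw: tuple, peer: str,
                    static_routes=()) -> tuple:
    """Return (interface, gateway) the box would use to reach the IPsec peer."""
    table = connected_routes(interfaces)
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), *default_gw))
    table.extend(static_routes)
    route = lookup(table, peer)
    return route.iface, route.gateway


# Constructed addresses, not taken from the thread.
LOCAL_IFACES = {"wan": "203.0.113.2/30", "opt1": "192.0.2.10/29"}
DEFAULT_GW = ("wan", "203.0.113.1")   # default route lives on WAN
OPT1_PROVIDER_ROUTER = "192.0.2.9"    # PPPoE router on the local OPT1 /29
REMOTE_OPT1 = "198.51.100.10"         # far side's OPT1 address (another /29)

# The static route from the posts above: remote OPT1 /32 via the OPT1 router.
HOST_ROUTE = Route(ipaddress.ip_network(REMOTE_OPT1 + "/32"),
                   "opt1", OPT1_PROVIDER_ROUTER)

if __name__ == "__main__":
    print("without static route:",
          egress_for_peer(LOCAL_IFACES, DEFAULT_GW, REMOTE_OPT1))
    print("with host route     :",
          egress_for_peer(LOCAL_IFACES, DEFAULT_GW, REMOTE_OPT1, [HOST_ROUTE]))
```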



  • @hoba:

    The static routes are still needed. Autocreation of this is a bit tricky currently. Maybe we'll implement this later (after 1.2 is out).

    Where do the static routes point to?

    other question: does it work with one PFsense box on the WAN IPSEC port/tunnel and one PFsense box on the OPT IPSEC port/tunnel?

