NAT-T Help, please- I think incorrect Local IP in status



  • Hey guys,

I'm trying to help someone set up an IPsec tunnel between their two offices. In one office I can connect a DSL modem directly to the pfsense box. I can establish a tunnel to one of my boxes fine here. The problem I believe lies at the other location. At this one, a bunch of small suites share a Comcast business connection. The IT guy here says he has UDP and ESP ports 500 forwarded to our pfsense box. This is the setup-

    Comcast router
    WAN IP 75.144.x.x
    LAN IP 10.1.10.1

    pfSense
    WAN IP 10.1.10.31
    LAN 192.168.20.1

    Then behind the pfSense box, I have a switch and a few computers on the 192 subnet.

    In the IPsec status gui on this location, it has 10.1.10.31 as the Local IP. Shouldn't I have the public IP for the office here? (75.144.x.x) If I am correct, how do I go about changing this? I can't figure it out.  I'd appreciate any help here. I know I've missed something… somewhere.  Thanks


  • Rebel Alliance Developer Netgate

It can't have the public IP as the "local ip" since that IP is not on your firewall. The other end might show that as the remote IP, but the pfSense box doesn't have any knowledge of the upstream IP in that way, even with port forwards.

    You should have them also forward udp/4500 and force NAT-T on to see if that helps (or if it's all pfSense, OpenVPN would work much, much better with NAT involved)
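As an added illustration of what "force NAT-T" changes on the wire (this is example code, not from the thread or from pfSense): once NAT Traversal is negotiated, IKE moves from UDP/500 to UDP/4500 and is prefixed with a 4-byte zero "non-ESP marker", ESP is carried inside the same UDP/4500 stream with its SPI first (RFC 3948), and a lone 0xFF byte is a NAT keepalive. The decoder below classifies UDP/4500 datagrams that way and parses the fixed IKE header so a capture on the pfSense WAN (10.1.10.31 in the poster's setup) can be checked for whether IKE_SA_INIT traffic actually arrives and whether ESP is being UDP-encapsulated. All sample packets are constructed in the block; nothing here was captured from the poster's network.

```python
"""Classify UDP/4500 payloads seen when IKE NAT-T is active (RFC 3947/3948).

Added example, not pfSense code. The sample datagrams at the bottom are
constructed by hand so the module runs offline.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive, RFC 3948 s2.3

# Fixed IKE/ISAKMP header, identical layout in IKEv1 and IKEv2:
# iSPI(8) rSPI(8) next-payload(1) version(1) exchange(1) flags(1) msg-id(4) length(4)
IKE_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "IKEv1 Identity Protection (Main Mode)",
    4: "IKEv1 Aggressive",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def parse_ike_header(data: bytes) -> dict:
    """Decode the 28-byte IKE header; version byte 0x10 is IKEv1, 0x20 is IKEv2."""
    if len(data) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, _nxt, ver, exch, _flags, msgid, length = IKE_HDR.unpack_from(data)
    return {
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "message_id": msgid,
        "length": length,
        # a length that disagrees with the datagram usually means fragmentation
        # or a middlebox mangling the packet
        "length_ok": length == len(data),
    }


def classify_udp4500(payload: bytes) -> dict:
    """Say what one UDP/4500 datagram carries: keepalive, IKE, or ESP."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return {"kind": "ike", **parse_ike_header(payload[4:])}
    if len(payload) >= 8:
        # ESP: SPI (never all-zero on the wire, which is why the marker works)
        # followed by the anti-replay sequence number, then ciphertext.
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": f"{spi:08x}", "seq": seq}
    return {"kind": "unknown"}


# --- constructed sample datagrams -------------------------------------------

def sample_ike_sa_init() -> bytes:
    """IKEv2 IKE_SA_INIT from the initiator, header only (constructed)."""
    hdr = IKE_HDR.pack(b"\x01" * 8, b"\x00" * 8,
                       33,    # next payload: SA
                       0x20,  # IKEv2
                       34,    # IKE_SA_INIT
                       0x08,  # flags: Initiator
                       0, IKE_HDR.size)
    return NON_ESP_MARKER + hdr


def sample_esp() -> bytes:
    """UDP-encapsulated ESP with SPI 0xC0FFEE01, seq 7, dummy ciphertext (constructed)."""
    return struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16


def sample_keepalive() -> bytes:
    return NAT_KEEPALIVE


if __name__ == "__main__":
    for pkt in (sample_ike_sa_init(), sample_esp(), sample_keepalive()):
        print(classify_udp4500(pkt))
```

The practical consequence for the setup in the thread: with NAT-T on, the Comcast router only has to forward UDP/500 and UDP/4500 to 10.1.10.31, because ESP rides inside UDP/4500; without NAT-T the raw ESP (IP protocol 50) has to be passed through, which most small NAT routers cannot do as a port forward.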



  • Hmm, so do you think it should work as long as I have the proper ports forwarded?

    I thought it might not be working since the settings on each side don't appear to be the same to me. I thought they need to be exactly the same.

    IIRC, (i'll have to go double check later today) pfSense-1 has a tunnel from a.b.c.d to 75.144.x.x while pfSense-2 has a tunnel from 10.1.10.31 to a.b.c.d


  • Rebel Alliance Developer Netgate

    That is how it will look when NAT is involved.



  • Thanks jimp, I'll give it another try today



  • Got it working jimp, thanks!

    My problem was on one end I was using a VLAN for the local subnet. The VLAN was configured wrong. This machine I'm using as a hub and will have multiple endpoints connected. I just want them on different subnets.

Okay now for another problem. I think I have the VLAN configured wrong.. maybe. Or more likely, my firewall rules are incorrect. I have a few machines on the network behind that pfSense box I'm using as the IPsec hub. It has two NICs and I have that VLAN on the LAN port. These machines can use the LAN IP as a gateway no problem, but if I configure them to use the VLAN as a gateway, no workie. I can't ping the VLAN IP from a local machine or ping local computers from the pfSense box through the VLAN.



  • I think I found my problem, my switch sucks. It doesn't support it

    @thesidetalker:

    Got it working jimp, thanks!

    My problem was on one end I was using a VLAN for the local subnet. The VLAN was configured wrong. This machine I'm using as a hub and will have multiple endpoints connected. I just want them on different subnets.

Okay now for another problem. I think I have the VLAN configured wrong.. maybe. Or more likely, my firewall rules are incorrect. I have a few machines on the network behind that pfSense box I'm using as the IPsec hub. It has two NICs and I have that VLAN on the LAN port. These machines can use the LAN IP as a gateway no problem, but if I configure them to use the VLAN as a gateway, no workie. I can't ping the VLAN IP from a local machine or ping local computers from the pfSense box through the VLAN.

