IPSec Dual Wan Problem



  • For the life of me I can't seem to get this VPN tunnel up and running.

    Site A:
    pfSense 2.0
    WAN - DSL (used just for internet)
    OPT1 - T1 line (used just for VPN traffic) (static IP)

    Site B:
    SonicWall TZ180
    WAN - Cable internet (static IP)

    I can get a VPN tunnel up from Site A (WAN) to Site B (WAN), but I can't get one up from Site A (OPT1) to Site B (WAN) (ultimately the way I want it set up). When I look at the logs from Site A I get "ERROR: phase2 negotiation failed due to time up waiting for phase1"; when I look at the logs from Site B I see that the VPN is trying to connect from the WAN IP of Site A and is ignoring it.

    Sorry, I can't get into Site B now to get the exact error message.

    Is there anything special I need to do to be able to set up an IPSec VPN from OPT1 on pfSense the way I describe it? Does anything need to be done in outbound NAT? I tried a bunch of things but nothing seemed to fix it.

    Any help would be greatly appreciated.

    Thanks
    Jonathan


  • Netgate Administrator

    So you are saying that when you try to use your secondary WAN connection at Site A it continues to use the primary WAN, and Site B ignores it because it is expecting a connection from the secondary WAN?

    Sounds like you have a routing problem. How do you have your dual WANs set up? Load balanced? Policy-based routing?

    Steve



  • Steve, thanks for the reply. A little change to what the problem really is. Scratch what I said in my first post. The problem is that I cannot get outside the pfSense on the OPT port. I have set this up with 1.2.3 before and didn't have any issues.

    Basically I have a T1 line connected to my OPT1. I set the static IP and gateway in Interfaces > OPT1. If I go to Diag > Ping, I cannot ping anything outside from the OPT1 port.

    I have confirmed that the T1 works by hooking it up to a laptop directly to test, so I know it is working.

    I got on the phone with the provider for the T1 and they say "I do not see your device registered in my ARP cache" when I have the T1 hooked up to the OPT1 port. Right when they had me hook it up to my laptop directly they could see it on their end in their "ARP cache" and knew it was a Dell laptop.

    Any idea why this is not working?

    Basically I want to get OPT1 set up with the T1 line and a static IP and then be able to go to the Diag > Ping menu, select OPT1 and be able to ping 8.8.8.8.

    Thanks
    Jonathan

  • a few more

  • Netgate Administrator

    Hmmm, that seems odd. I'm sure it's something simple I'm overlooking. I'm just comparing it with my own dual WAN setup and I can't see anything obviously wrong. I'm using two PPPoE connections though, so not quite the same.
    I would suggest you ensure you have DNS servers configured on both WANs, but that shouldn't stop you pinging 8.8.8.8!
    So you can't even ping the OPT1 gateway address? Can you ping the OPT1 address itself?

    Steve



  • I cannot ping the OPT1 gateway from the OPT1 interface. What got my attention when talking to the customer service rep was him saying that I am not showing up in his "ARP cache". I am not overly familiar with ARP but am wondering what that means? Yeah, the DNS settings wouldn't matter for pinging by IP. Do any rules need to be set?


  • Netgate Administrator

    If any packets had reached their end of the wire they should see you in the ARP cache.
    You should be able to ping the gateway address from OPT1 even if you have no gateway set, as it's in the same subnet.
    Do you have any firewall rules on OPT1? Anything in the logs when you try to ping?

    Steve
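Added example, not part of this thread and not pfSense's own tooling: a small POSIX shell helper that does the checks Steve describes from the pfSense shell (SSH or Diagnostics > Command Prompt). It confirms the interface has link, that the configured gateway actually falls inside the interface's subnet, and whether the gateway's MAC was ever learned, which is the mirror image of the provider's "not in my ARP cache" observation (an `(incomplete)` entry means we asked and nobody answered; no entry on that NIC at all points at the address being bound to a different physical port). It assumes FreeBSD-style `ifconfig` and `arp -an` output as found on pfSense 2.x; the interface name em1, the 203.0.113.0/30 addressing and all sample command output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense's own tooling): layer-2/3
# sanity checks for a pfSense WAN interface such as OPT1, runnable from the
# pfSense shell (SSH or Diagnostics > Command Prompt). It answers two
# questions: is the gateway inside the interface's subnet, and has the box
# ever resolved the gateway's MAC, i.e. did any frame reach the far end?
# Assumes FreeBSD-style `ifconfig` and `arp -an` output. The interface name
# em1, the 203.0.113.0/30 addresses and all sample output are constructed.

# ip2int DOTTED-QUAD -> prints the address as a 32-bit integer
ip2int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask2int MASK -> accepts dotted (255.255.255.252) or FreeBSD hex (0xfffffffc)
mask2int() {
    case $1 in
        0x*|0X*) echo $(( $1 )) ;;
        *)       ip2int "$1" ;;
    esac
}

# same_subnet IP MASK GW -> exit 0 if GW lies in IP/MASK, else 1
same_subnet() {
    _m=$(mask2int "$2")
    [ $(( $(ip2int "$1") & _m )) -eq $(( $(ip2int "$3") & _m )) ]
}

# link_status  (reads `ifconfig IFACE` output on stdin)
# prints the media status, e.g. "active" or "no carrier"; "unknown" if absent
link_status() {
    awk '
        /^[[:space:]]*status:/ { sub(/^[[:space:]]*status:[[:space:]]*/, ""); st = $0 }
        END { if (st == "") st = "unknown"; print st }
    '
}

# gw_arp_state IFACE GW  (reads `arp -an` output on stdin)
# prints "resolved" (MAC learned), "incomplete" (we asked, nobody answered)
# or "missing" (no entry on that interface at all, e.g. wrong NIC assigned)
gw_arp_state() {
    awk -v ifc="$1" -v gw="($2)" '
        # ? (203.0.113.1) at 00:11:22:33:44:55 on em1 expires in 1186 seconds [ethernet]
        # ? (203.0.113.1) at (incomplete) on em1 expired [ethernet]
        $2 == gw && $6 == ifc {
            if ($4 == "(incomplete)") st = "incomplete"; else st = "resolved"
        }
        END { if (st == "") st = "missing"; print st }
    '
}

# diagnose IFACE IP MASK GW -> live run on the firewall: nudge the gateway with
# a few source-bound pings (CLI equivalent of Diag > Ping with source OPT1),
# then report link, subnet and ARP state. Not called here; see usage below.
diagnose() {
    ping -S "$2" -c 3 -t 5 "$4" >/dev/null 2>&1 || true
    echo "link:   $(ifconfig "$1" | link_status)"
    if same_subnet "$2" "$3" "$4"; then echo "subnet: $4 is inside $2/$3"
    else echo "subnet: $4 is NOT inside $2/$3 (check mask/gateway)"; fi
    echo "arp:    $(arp -an | gw_arp_state "$1" "$4")"
}

# Constructed sample output (illustration only) for a box whose OPT1 is em1,
# 203.0.113.2/30 with gateway 203.0.113.1, where the provider never answered.
SAMPLE_IFCONFIG='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xfffffffc broadcast 203.0.113.3
    status: active'
SAMPLE_ARP='? (192.0.2.1) at 00:11:22:33:44:55 on em0 expires in 1186 seconds [ethernet]
? (203.0.113.1) at (incomplete) on em1 expired [ethernet]'

echo "link:   $(printf '%s\n' "$SAMPLE_IFCONFIG" | link_status)"              # active
same_subnet 203.0.113.2 0xfffffffc 203.0.113.1 && echo "subnet: ok"
echo "arp:    $(printf '%s\n' "$SAMPLE_ARP" | gw_arp_state em1 203.0.113.1)"  # incomplete
```

On the firewall itself, source the file and call `diagnose em1 203.0.113.2 0xfffffffc 203.0.113.1` with your real NIC, address, mask and gateway. A "link: active" with "arp: incomplete" means frames leave the box but nothing answers (cabling, provider side, or a gateway outside the subnet); "arp: missing" after the pings means the address is not actually bound to the port the T1 is plugged into, which is worth checking against Interfaces > Assign.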



  • @stephenw10:

    If any packets had reached their end of the wire they should see you in the ARP cache.
    You should be able to ping the gateway address from OPT1 even if you have no gateway set, as it's in the same subnet.
    Do you have any firewall rules on OPT1? Anything in the logs when you try to ping?

    Steve

    No rules in the OPT1 tab. I cleared all the logs and then tried to ping with OPT1; all logs were still clear after the ping. So weird. If I can't get this working tonight I may try to load 1.2.3 tomorrow and try that out. I have a setup just like this going at another client. There is an Adtran router in front of this pfSense that we are talking about, if that helps at all (not sure if there are known problems with this type of router).



  • Well, I found the problem. Kinda feel dumb that it was that simple. I'm not sure how it got set that way. Can you spot what's wrong? :)



  • Netgate Administrator

    Hmm, assigned the wrong NIC to OPT1?

    Steve
