pfSense 2.0.1 <-> pfSense 2.0.1 - Aggressive IPSec Tunnel is up but no traffic

  • Hello,

    here comes a strange situation, eventually a bug in pfSense 2.0.1  ???

    I have 2x pfSense 2.0.1, one in the datacenter and one in the company's office.
    These two should be connected with a site2site VPN in aggressive mode, however the WAN IP in the office is unknown / dynamic, the ip in the datacenter is static.

    To set up the IPSec tunnel in aggressive mode, I activated the "Mobile Clients" option in the datacenter pfSense, in the office pfSense I created a corresponding tunnel in aggressive mode.

    The tunnel is successfully established, but not a single packet comes through in either direction. I triple checked the firewall rules on the IPsec interfaces, that's not the problem.

    The real strange thing is:
    Once I switch the WAN connection in the office pfSense from DSL to a UMTS router, the traffic via VPN works!!  :P
    The difference seems to be that behind the UMTS router, the WAN interface in the office pfSense has a private IP (the public IP is on the UMTS router's WAN interface). Once the WAN interface in the office pfSense has a public / static IP of its own (DSL), there is no more traffic passing through the tunnel.
    The tunnel itself is established in both cases.

    I think that it is a bug in pfSense 2.0.1 because once I replace the pfSense in the datacenter with a v1.2.3, the exact same tunnel configuration works fine! Traffic passes through, no matter if the office pfSense is behind a UMTS router (with private IP on WAN interface) or behind a DSL line (with public IP on WAN interface).  :o

    Does anybody know how to establish an aggressive mode tunnel between two pfSense 2.0.1 with a public IP on both sides?

    (P.S.: Main mode won't work because the IP on the office pfSense must be able to change. The reason is that I need to configure a UMTS fallback solution in case the DSL line is down. That's also why I want to realise it with the "Mobile Client" option and not with a dedicated aggressive mode tunnel in the datacenter pfSense. This would again need a remote WAN IP in the config.)

    Or can the UMTS fallback be realised completely different? I need a VPN tunnel to the datacenter in any case.

    Thank you!

  • Hmm,

    am thinking of a workaround myself at the moment:
    Looks like I cannot use one (!) IPSec Tunnel for a failover situation on the office pfSense (1st WAN: DSL, 2nd WAN: UMTS), is that right?
    In that case, I would have to use one separate tunnel in main mode for the 1st WAN (DSL with static IP) and a different tunnel in aggressive mode for the 2nd WAN (UMTS with dynamic IP).

    Is it true that you always need two separate IPsec tunnels for two WAN interfaces, also in failover mode?
    Can two tunnels be configured that terminate on the same WAN IP (datacenter pfSense)?

  • In your scenario, you probably don't need to use IPsec mobile (which seems to have issues in ipsec-tools 0.8.0)

    However, in pfSense 2.0.1 you can't create 2 IPsec tunnels with the same remote subnets on different WAN interfaces for failover - check

  • Thank you for your reply!

    So is there a possibility at all to have an IPSec Tunnel handle a failover from DSL to UMTS in pfSense?
    At the moment it seems to me that you need two tunnels anyway, one for the DSL connection and one for the UMTS connection, but they would both need to terminate on the datacenter pfSense.
    But then, as soon as two tunnels are supposed to terminate on the same remote WAN IP, it won't work, no?
    So it would be necessary to have at least two WAN IPs on the datacenter pfSense?  ???

    Isn't there a more elegant solution to handle a WAN failover in the office site - including the IPSec VPN that also can follow the failover?