VLAN and ipsec



  • Hi,
    Has somebody done an IPsec tunnel with VLANs?
    I need to create an IPsec tunnel between a PC in a VLAN behind pfSense and, on the other side, a server behind a Cisco.
    If I create the VPN with an IP on my LAN side (192.168.1.10) it works great, but if I configure the VPN with PC1 on the VLAN IP nothing happens. Both sides of the VPN have the same parameters.

    pc1-|         |------------pfsense-------------|                       |-----CISCO-----|           |-pc2-|
    local---------vlan700-------LAN-----------WAN-----------INTERNET------WAN-----------LAN-----------remote
    172.16.15.2   172.16.15.1   192.168.1.1   200.2.x.x.x.                194.x.x.x     172.13.3.31   172.13.3.31

    Thanks in advance



  • Is your PC1 client able to configure its network card to send IP packets with a VLAN tag?

    If yes, do you have rules on your VLAN interface that allow traffic to your WAN?

    Can you ping your pfSense IP from your client?



  • Hi,
    PC1 is connected to a switch port in access mode and pfSense is connected to the same switch in trunk mode. Yes, I can ping the pfSense interface, and rules are created on both the WAN and VLAN interfaces. The VLAN works great. So the main problem appears to be that the IPsec tunnel is not encrypting traffic from PC1 to PC2; I had tried with static routes but nothing happens.
    When I tried with a PC on the LAN interface the tunnel works fine, but if I change to a PC on the VLAN interface, nothing.
    On interface vlan1 (tag 700) I had permitted traffic in both directions, from 172.16.15.2 to 172.13.3.31 and vice versa.
    Any suggestions?
    Thanks for your answer.



  • I'm not sure, but you might need Advanced outbound NAT.

    If you go to the Advanced outbound NAT page you see a two-choice box with one option "Enable IPSec passthru" and the other "Enable advanced outbound NAT" -> when enabled, it allows you to create your own rules.

    AFAIK "Enable IPSec passthru" adds an invisible rule which prevents the IPsec port from being scrambled while going out through the PF.

    Since this "invisible" rule apparently only applies to your LAN, you might want to try to add manually two rules which prevent scrambling of the ports UDP 500 and UDP 10000, and set the "from" field to any or wherever you want IPsec traffic from.

    Edit: you have to set the checkbox "static port" in the rule.



  • OK, I understand, but I tried with NAT too; I created an outbound NAT for the LAN and nothing. Normally it's not necessary to create a NAT for IPsec traffic. A NATted connection can create some trouble in routed connections. I'll create a new outbound NAT to prevent scrambling of the ports UDP 500 and UDP 10000.
    Thanks very much again



  • This rule is not a different NAT than normal NAT,
    but normally outgoing connections are scrambled.

    So if your computer opens a connection from port 500 to port 500, the PF would use a different port on your outside IP:

                 source        LAN [Pfsense] WAN                       destination
                -                 -         -                               -
                |port500 ---------|         |             ------port500     |
        Computer|                 |         |            /                  |
                |                 |scramble |          /                    |
                |                 |         |        /                      |
                |                 |         |randomport                     |
                |                 |         |                               |
                -                 -         -                               -

    Some programs/protocols don't like that.
    With static port you do nothing else than tell pfSense that it should not scramble this particular port.
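To make the static-port point concrete, here is an added pf.conf fragment (written for this page, not taken from the thread or from pfSense's generated configuration) showing the default source-port rewriting beside static-port rules for the VLAN subnet. The interface name em0, the 172.16.15.0/24 network for VLAN 700, and the use of UDP 4500 (the standard NAT-T port; the thread mentions 10000) are assumptions.

```pf
# Added example: raw pf NAT rules illustrating the scrambling behaviour
# described above. Assumed names: em0 is the pfSense WAN interface,
# 172.16.15.0/24 is the VLAN 700 subnet where 172.16.15.2 (PC1) lives.
ext_if   = "em0"
vlan_net = "172.16.15.0/24"

# pf applies nat rules first-match, so the specific static-port rules
# must appear before the catch-all rule at the bottom.

# Corrected: keep the source port for IKE (UDP 500) and NAT-T (UDP 4500).
# With static-port the remote Cisco sees IKE arriving from port 500 on the
# WAN address instead of from a random high port.
nat on $ext_if proto udp from $vlan_net to any port { 500, 4500 } -> ($ext_if) static-port

# ESP (IP protocol 50) has no ports, so it is translated by address only.
nat on $ext_if proto esp from $vlan_net to any -> ($ext_if)

# Default (the weak setting for IPsec): any other outbound flow from the VLAN
# may have its source port rewritten, e.g. 172.16.15.2:500 leaving the WAN as
# 200.2.x.x:<random port>, which is the "scramble" step in the diagram.
nat on $ext_if from $vlan_net to any -> ($ext_if)
```

A filter rule on the VLAN interface permitting 172.16.15.2 to 172.13.3.31 is still required in addition to the NAT rules; NAT only decides how the flow is translated, not whether it is allowed.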



  • Hi,
    it finally works with release 1.2-BETA-1. I permitted traffic between PC1 and PC2; it's working cool now.
    Thanks everybody

