My first site-2-site ipsec tunnel with pfsense

remoz76

Hello, i hope you can help me with this pfsense->Juniper site-2-site VPN.
The objects are:

LAN(192.168.1.0/24) -> (192.168.1.21)pfsense(85.55.25.25 publicIP) -> (85.55.25.20 publicGTW) -> (85.55.20.20)juniper(10.13.20.20/30) -> (10.13.10.4/32)server
I'm in "LAN" and i've setup VPN tunnel to juniper i think with success (the cross icon on ipsec status is yellow but the DPD each 10 secs poll the destination for tunnel up and get response).
But i get this in the ipsec LOG:

Jan 29 17:32:01 	racoon: DEBUG: encrypted.
Jan 29 17:32:01 	racoon: [Unknown Gateway/Dynamic]: DEBUG: 92 bytes from 85.55.25.25[500] to 85.55.20.20[500]
Jan 29 17:32:01 	racoon: [Unknown Gateway/Dynamic]: DEBUG: sockname 85.55.25.25[500]
Jan 29 17:32:01 	racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet from 85.55.25.25[500]
Jan 29 17:32:01 	racoon: DEBUG: send packet to 85.55.20.20[500]
Jan 29 17:32:01 	racoon: DEBUG: 1 times of 92 bytes message will be sent to 85.55.20.20[500]
Jan 29 17:32:01 	racoon: DEBUG: 788bffa7 67841072 065d3eec 5f3f8d86 08100501 b05e1e42 0000005c b18b3520 2cc6078c f8e02583 c6583169 5736f457 bd30b3ed 68372cdc 11152f46 8603d17d 9220ccff 0ed576ac ab01504b c54d648c e4a539e0 0d00150c 1534697f
Jan 29 17:32:01 	racoon: DEBUG: sendto Information notify.
Jan 29 17:32:01 	racoon: DEBUG: IV freed
Jan 29 17:32:01 	racoon: [BPM (P1)]: [85.55.20.20] DEBUG: DPD R-U-There sent (0)
Jan 29 17:32:01 	racoon: [BPM (P1)]: [85.55.20.20] DEBUG: rescheduling send_r_u (5).
Jan 29 17:32:01 	racoon: DEBUG: ===
Jan 29 17:32:01 	racoon: DEBUG: 92 bytes message received from 85.55.20.20[500] to 85.55.25.25[500]
Jan 29 17:32:01 	racoon: DEBUG: 788bffa7 67841072 065d3eec 5f3f8d86 08100501 52a1dd80 0000005c c82d2bac 432b123e c0506561 4f99a154 a2e57b7a ed8e6c64 ce228e9e ffb8a26e 25848201 31a6763e 386b1d90 8edafd1a 302df3f5 c06bf444 998713f5 d3ce873b
Jan 29 17:32:01 	racoon: DEBUG: receive Information.
Jan 29 17:32:01 	racoon: DEBUG: compute IV for phase2
Jan 29 17:32:01 	racoon: DEBUG: phase1 last IV:

I've setup NAT Outbound from 192.168.1.0/24 to 10.13.20.20/30 (i must appear with this subnet on the remote network).
But i've no communication to the remote server 10.13.10.4. No ping, no services.

The route table is:

IPv4
Destination 	           Gateway 	        Flags 	Refs   	Use  	Mtu 	        Netif 	Expire
default 	                   85.55.25.20 	        UGS    	0 	        16543 	1500 	em0 	 
10.13.0.0/16 	           85.55.20.20 	        UGS 	       0 	        37 	        1500 	em0 	 
85.55.20.20 	           85.55.25.20 	        UGHS 	0 	        3045 	1500 	em0 	 
85.55.25.24/29 	   link#1 	                U 	        0 	        11308 	1500 	em0 	 
85.55.25.25 	           link#1 	                UHS 	        0 	        0 	        16384 	lo0 	 
127.0.0.1 	           link#6 	                UH 	        0 	        51 	        16384 	lo0 	 
192.168.1.0/24 	   link#2 	                U 	        0 	        5294 	1500 	em1 	 
192.168.1.21          	   link#2 	                UHS 	        0 	        0 	        16384 	lo0

Many thanks

RR

jimp

You can't use NAT and IPsec together unless you're on a recent 2.1 snapshot.