Need help with IPSEC VPN Phase 2 not coming up



  • I have a site-to-site VPN I'm trying to connect.

    2.0.1-RELEASE (amd64)
    built on Mon Dec 12 18:16:13 EST 2011
    FreeBSD 8.1-RELEASE-p6

    All settings have been confirmed on the other side
    Phase 1 ----------------------------------------
    If: WAN CARP IP (10.0.0.1) (pfsense is clustered with 2 nodes VRRP)
    RemGW:  12.0.0.1
    AHMethod: PSK
    Negotiation: main
    MyID: My IP
    PeerID:  Peer IP
    PolicyGen: Default
    PropCheck:  Default
    EncAlg: AES128
    HashAlg: SHA1
    DH: 2
    Lifetime: 86400
    NAT-T: Enabled
    DPD: yes
    Ack: 10s
    Disc:  5x

    Phase 2 ----------------------------------------
    Mode: Tunnel
    LocalNetwork: Address:  10.0.0.5 (VIP type IP Alias)
    RemoteNetwork:  Address:  1.1.1.1
    Proto: ESP
    EncAlg:  AES128
    HashAlg:  SHA1
    PFSkey:  off
    Life:  28800
    ping:  1.1.1.1

    I have 1:1 NAT from 10.0.0.5 (WAN network) <-> 192.168.0.10 (LAN network)

    Firewall rules have been setup to pass all traffic properly

    I cannot ping 1.1.1.1 from 192.168.0.10 (I was able to ping at one point, but cannot any more).
    No SADs get created.

    What type of VIP should I use? Currently using IP Alias.



  • The Problem:
    The IPsec tunnel is already configured, and works great except that it (naturally) requires that ALL of our vendors (present and future) NOT be using the 10.0.0.8 address, neither the 10./8 subnet nor the 10.0/16 subnet. We don't want to require future vendors to renumber their networks!

    The Question:
    Is there a way that we can do site-to-site tunneling BUT make OUR end of the IPsec tunnel (the remote end to our vendors) be a public IP address on a /32 subnet rather than an address or subnet within our private network? Naturally our public IP addresses are already globally unique, and routing to one of our public addresses would eliminate present and future numbering conflicts. The problem I'm struggling with is routing traffic from the virtual IPsec interface to the internal database host on a 10.0/16 network.

    Naturally the normal NAT port forwarding rules do not apply to the virtual IPsec interface, so it occurred to me to use 1:1 NAT to create the route using a dedicated Virtual IP (a public IP address), but it appears that the configurator does not offer the IPsec interface when configuring 1:1 NAT.

    It also occurred to me that I might need to FIRST bridge the IPsec interface to the WAN interface (thereby enabling 1:1 NAT on the WAN interface), but that also appears to be impossible, or perhaps just a really bad idea for some reason that I'm not thinking of :-)

    Is it even possible to do what I'm trying to do? Any help would be much appreciated!


  • Rebel Alliance Developer Netgate

    On pfSense 2.1 the IPsec phase 2 config has a place to define a NAT network.

    That won't help you if someone else directly overlaps because while they could contact you (since they only see your public IP) you couldn't contact them because your own PCs would believe them to be in your LAN.

    To avoid the overlap you'd both have to be doing NAT so that a public IP or some other unused subnet(s) are being presented on the tunnel.
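    The reachability argument in this reply, as an added worked example (not code from the thread or from pfSense): each side only ever routes to what the other side presents on the tunnel, so hiding your LAN behind a NAT network fixes one direction and only the peer doing the same fixes the other. The addresses are constructed for the example.

```python
import ipaddress
from typing import NamedTuple, Optional


class TunnelReachability(NamedTuple):
    peer_can_reach_us: bool   # peer hosts route to what we present on the tunnel
    we_can_reach_peer: bool   # our hosts route to what the peer presents on the tunnel
    notes: tuple


def check_tunnel(our_lan: str, peer_lan: str,
                 our_presented: Optional[str] = None,
                 peer_presented: Optional[str] = None) -> TunnelReachability:
    """Decide which directions of a site-to-site tunnel can work.

    our_lan / peer_lan:   the real subnets behind each endpoint.
    our_presented:        the Phase 2 NAT network we show the peer (None = no NAT).
    peer_presented:       the NAT network the peer shows us (None = no NAT).
    """
    ours = ipaddress.ip_network(our_lan, strict=False)
    peer = ipaddress.ip_network(peer_lan, strict=False)
    shown_to_peer = ipaddress.ip_network(our_presented, strict=False) if our_presented else ours
    shown_to_us = ipaddress.ip_network(peer_presented, strict=False) if peer_presented else peer

    notes = []
    # The peer's hosts send packets to shown_to_peer. If that range is inside
    # their own LAN, they will treat it as local and never hand it to the tunnel.
    peer_to_us = not shown_to_peer.overlaps(peer)
    if not peer_to_us:
        notes.append(f"peer LAN {peer} overlaps what we present ({shown_to_peer})")

    # Symmetrically, our hosts send to shown_to_us; if that overlaps our LAN,
    # our PCs believe the peer is local (the case described in the reply).
    us_to_peer = not shown_to_us.overlaps(ours)
    if not us_to_peer:
        notes.append(f"our LAN {ours} overlaps what the peer presents ({shown_to_us})")

    return TunnelReachability(peer_to_us, us_to_peer, tuple(notes))


if __name__ == "__main__":
    # Constructed: our 10.0/16 LAN vs. a vendor that also uses 10.0.0.0/24.
    print(check_tunnel("10.0.0.0/16", "10.0.0.0/24", our_presented="203.0.113.10/32"))
    print(check_tunnel("10.0.0.0/16", "10.0.0.0/24",
                       our_presented="203.0.113.10/32", peer_presented="198.51.100.0/24"))
```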



  • I have a server residing on the LAN subnet 192.168.0.0/24.  I have
    1:1 NAT from IF:WAN -  ExtIP: 10.0.0.5 <-> InternalIP: 192.168.0.10    (ExtIP VIP type = IP Alias)
    1:1 NAT from IF: Ipsec - ExtIP:  10.0.0.5 <-> InternalIP: 192.168.0.10  (ExtIP VIP type = IP Alias)

    Phase1
    (local) 10.0.0.1 <-> (rem) 12.0.0.1

    Phase2
    (local) 10.0.0.5 <-> (rem) 1.1.1.1

    IPSec Rules:
    Proto: * - Source: 1.1.1.1/32 - SourcePort: *  -  Dest: 192.168.0.10  -  DestPort: *
    Proto: * - Source: 1.1.1.1/32 - SourcePort: *  -  Dest: 10.0.0.5  -  DestPort: *

    WAN Rules
    Proto: *  -  Source 12.0.0.1 - SourcePort: *  -  Dest: 10.0.0.1 - DestPort: *

    I guess what I need is confirmation that my NAT rules will be used in the phase 2 of the IPsec. The NAT through the IPsec should look like:
    192.168.0.10 <- NAT -> 10.0.0.5 <-> 1.1.1.1


  • Rebel Alliance Developer Netgate

    No. You do not use NAT (1:1 or port forwards) with IPsec in that way. The only way NAT+IPsec work together is using the NAT subnet entry on the pfSense 2.1 IPsec Phase 2 config.



  • OK, then can pfSense handle having Phase 1 and Phase 2 in the same subnet?
    On the local side the P1 IP = CARP VIP (WAN if), P2 IP = IP Alias VIP (WAN if)

    NAT 1:1 WAN if
    WAN rules created
    IPSEC rules created

    Still does not come up.

