IPSEC (ZyXEL ZyWALL - pfSense)



  • Dear friends!

    I really need your help with pfSense.

    I have two devices:

    The 1st of them is a Watchguard Firebox X700 with pfSense installed (http://forum.pfsense.org/index.php/topic,7458.0.html)
    The 2nd is a ZyXEL ZyWALL USG100

    I need to set up an IPsec VPN tunnel between the two devices (two different offices).

    Schematically it looks like this:

    The pfSense dashboard shows the following (by the way, the tunnel is up)

    Here are the IPsec settings on the pfSense side:

    Phase 1

    Phase 2

    Well, actually, the status of the tunnel. As you can see, the connection is active:

    On the ZyXEL ZyWALL USG 100 side it looks like this:

    The channel is online, no errors in the logs!

    But in the trace…

    Everything goes to the ISP gateway, not to the VPN channel.
    I have tried to set the route manually, but it does not change anything.

    I beg you, help me to understand!

    Thanks in advance!
    Evgeniy.



  • At first glance I didn't notice any glaring errors in your IPsec config. But you really shouldn't be using a remote network of 10.0.0.0/8, use something much smaller / appropriately sized (/24, /23, /20 etc) e.g. 10.100.100.0/24.

    Does the IPsec tunnel pass traffic between IPs on the two connected subnets? Can you ssh to a server on the remote subnet? (note: with pfSense, locally-generated traffic is different)
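As an added illustration, not code from any poster in this thread or from pfSense, the following Python script models the two questions raised above: which destinations a phase-2 (traffic selector) definition actually covers, and whether a selector such as 10.0.0.0/8 is sensibly sized. The sample values are constructed from the thread (LAN 192.168.10.0/24, remote network 10.0.0.0/8); the peer address 203.0.113.149 is a placeholder from TEST-NET-3 standing in for the masked xxx.xxx.247.149, and the function names `matching_policy`, `policy_problems` and `report`, as well as the /20 size threshold, are this example's own choices.

```python
import ipaddress

# Constructed sample values modelled on the thread, not anyone's real config:
# pfSense LAN 192.168.10.0/24 (the traceroute source 192.168.10.11 lives there),
# the remote network 10.0.0.0/8 behind the ZyWALL, and a placeholder public
# address for the ZyWALL from TEST-NET-3 (RFC 5737) instead of xxx.xxx.247.149.
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")
REMOTE_PEER = ipaddress.ip_address("203.0.113.149")
PHASE2_POLICIES = [
    # (local network, remote network) pairs, one per phase-2 entry
    (LOCAL_LAN, ipaddress.ip_network("10.0.0.0/8")),
]


def matching_policy(src, dst, policies):
    """Return the (local, remote) pair that a packet src->dst matches, preferring
    the most specific remote network, or None when no tunnel policy covers it.
    A packet with no match is forwarded by the ordinary routing table, which
    for a LAN host means the default route towards the ISP gateway."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [(local, remote) for local, remote in policies
            if src in local and dst in remote]
    if not hits:
        return None
    return max(hits, key=lambda pair: (pair[1].prefixlen, pair[0].prefixlen))


def policy_problems(local, remote, peer, max_remote_addresses=2 ** 12):
    """Return a list of configuration smells for one phase-2 definition.
    Arguments may be strings or ipaddress objects. The size limit defaults to
    a /20 (4096 addresses), the largest block the post above calls
    appropriately sized (hypothetical threshold chosen for this example)."""
    local = ipaddress.ip_network(str(local))
    remote = ipaddress.ip_network(str(remote))
    peer = ipaddress.ip_address(str(peer))
    problems = []
    if local.overlaps(remote):
        problems.append(f"local {local} overlaps remote {remote}: "
                        "addresses in the overlap are ambiguous")
    if peer in remote:
        problems.append(f"peer {peer} lies inside remote {remote}: "
                        "the encrypted packets to the peer would match the policy too")
    if remote.num_addresses > max_remote_addresses:
        problems.append(f"remote {remote} spans {remote.num_addresses} addresses: "
                        "size the selector to the real subnet behind the far end")
    return problems


def report(policies, peer, flows):
    """Build a human-readable summary: one line per policy, one per (src, dst) flow."""
    lines = []
    for local, remote in policies:
        for p in policy_problems(local, remote, peer) or ["no problems found"]:
            lines.append(f"{local} <-> {remote}: {p}")
    for src, dst in flows:
        hit = matching_policy(src, dst, policies)
        where = (f"tunnel policy {hit[0]} <-> {hit[1]}" if hit
                 else "routing table (default gateway)")
        lines.append(f"{src} -> {dst}: {where}")
    return lines


if __name__ == "__main__":
    # The two traceroutes from the thread, both from 192.168.10.11: one to the
    # ZyWALL's public address, one to a host inside the remote network.
    for line in report(PHASE2_POLICIES, REMOTE_PEER,
                       [("192.168.10.11", str(REMOTE_PEER)),
                        ("192.168.10.11", "10.0.0.4")]):
        print(line)
```

Run as-is it reports that 10.0.0.4 is covered by the 10.0.0.0/8 policy while the peer's own address is not, and flags the /8 as oversized; shrinking the remote network to something like 10.100.100.0/24 clears the warning. It checks selectors only, so a destination it marks as "tunnel policy" still needs a matching firewall rule on the IPsec interface and a working tunnel to actually get through.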



  • Why is your LAN down in the picture? The arrow is red and says none??



  • @dhatz:

    At first glance I didn't notice any glaring errors in your IPsec config. But you really shouldn't be using a remote network of 10.0.0.0/8, use something much smaller / appropriately sized (/24, /23, /20 etc) e.g. 10.100.100.0/24.

    Does the IPsec tunnel pass traffic between IPs on the two connected subnets? Can you ssh to a server on the remote subnet? (note: with pfSense, locally-generated traffic is different)

    Network 10.0.0.0/8 is used for some reason, and it is impossible to change.
    But, at the same time, I do not see any reason why this network (route) cannot be properly processed by pfSense.

    It makes no sense to check ssh if there are no packets between the networks.

    Tracert to xxx.xxx.247.149 from 192.168.10.11

    Tracert to 10.0.0.4 from 192.168.10.11

    Routes

    Why!?

    @craigduff:

    Why is your LAN down in the picture? The arrow is red and says none??

    When I was taking the screenshots, the laptop on the LAN port was turned off. :)



  • When you create an IPsec tunnel the route will automatically be added to your routing table. Are you trying to create a tunnel on a different gateway from your LAN?

    If you have a LAN and WAN and you set up an IPsec tunnel on your WAN for your LAN, it should just work straight out of the box, no other complex setup needed. The first thing I would personally do, sounds silly! Reboot the device in front of the pfSense box, and even give your pfSense a reboot.

    Report back.



  • @craigduff:

    When you create an IPsec tunnel the route will automatically be added to your routing table.

    Yes, I know, but here's the problem: the route does not appear automatically. I'm afraid that this is where the problem lies.

    @craigduff:

    Are you trying to create a tunnel on a different gateway from your LAN?

    Of course; I replaced the pfSense box with other equipment and the tunnel came up normally.
    Everything worked. But I am interested in pfSense.
    Now I want to try to use an older release.

    Moreover, both endpoints were rebooted more than several times. :)



  • Under Firewall Rules, what's on the IPsec tunnel interface? You should for now use an any-to-any rule, to allow ping and traffic to flow through. If the config is showing green, the tunnel is up and the handshake has completed.



  • Here's a screen

    Any ideas?



  • Yeah, that's all you need. Does the Zyxel need anything like that?

    What is your outbound NAT config like? Is it set to Automatic?



  • On the second router everything is set up in the same way. There are no rules prohibiting IPsec.

    NAT config -

    Automatic outbound NAT rule generation
              (IPsec passthrough included)

    I'll try to set up the IPSec tunnel on Cisco-Linksys device today and will report.

