Config Conversion - half right (half not yet right…)
    So I'm working to replace an old debian firewall with a pfsense box, and most of it is going okay.

    The big holdup is converting the existing openswan ipsec config.  This box has two tunnels, and I've managed to translate one tunnel but not the other.

    WORKING TUNNEL

    Here's the linux config:

    conn pork-beer
            authby=secret
            left=XXX.27.218.143
            leftsubnet=10.0.0.0/23
            leftnexthop=XXX.37.70.1
            leftsourceip=10.0.0.1
            right=XXX.143.230.55
            rightsubnet=192.168.1.0/24
            rightnexthop=%defaultroute
            rightsourceip=192.168.1.1
            auto=start
            compress=no
            dpddelay=30
            dpdtimeout=120
            esp=3des-sha1-96
            pfs=yes
            ikelifetime=24h
            rekey=yes

    And the matching pfsense config is:

    That all works fine.  My problem is the next bit:

    NOT-WORKING TUNNEL

    conn pork-to-cellco
            type=tunnel
            esp=3des-md5
            ike=3des-md5
            keyexchange=ike
            pfs=yes
            authby=secret
            left=XXX.27.218.143
            leftsubnet=10.0.0.0/25
            leftnexthop=%defaultroute
            right=XXX.6.200.4
            rightsubnet=10.15.0.0/20
            rightnexthop=%defaultroute
            auto=start

    My attempt at a pfSense config:

    So short of guessing over and over, what have I got wrong?
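The two conn blocks above, run through a small parser that lists what each tunnel needs on the pfSense Phase 1 / Phase 2 screens and which settings differ between the working and the failing tunnel (an added example, not code from the post or from pfSense; the sample config is reconstructed from the post with the same masked addresses, and the phase groupings are the editor's own checklist):

```python
# Added example: parse openswan-style 'conn' sections and report, per tunnel,
# the settings a pfSense Phase 1 / Phase 2 entry must reproduce, plus every
# setting that differs between two tunnels. Not code from the post or pfSense.

SAMPLE_CONF = """\
conn pork-beer
        authby=secret
        left=XXX.27.218.143
        leftsubnet=10.0.0.0/23
        right=XXX.143.230.55
        rightsubnet=192.168.1.0/24
        esp=3des-sha1-96
        pfs=yes
        ikelifetime=24h
conn pork-to-cellco
        type=tunnel
        esp=3des-md5
        ike=3des-md5
        pfs=yes
        authby=secret
        left=XXX.27.218.143
        leftsubnet=10.0.0.0/25
        right=XXX.6.200.4
        rightsubnet=10.15.0.0/20
"""  # constructed from the post; public addresses masked exactly as in the post

# openswan keys grouped by the pfSense screen they end up on (editor's grouping)
PHASE1_KEYS = ("ike", "ikelifetime", "authby", "left", "right")
PHASE2_KEYS = ("esp", "pfs", "leftsubnet", "rightsubnet", "compress")

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' block in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns

def pfsense_checklist(conn):
    """Settings to copy into pfSense, phase by phase. A key that is absent here
    means openswan used its built-in default, which must be read from the
    openswan status output or log rather than from ipsec.conf."""
    return {"phase1": {k: conn.get(k, "<openswan default>") for k in PHASE1_KEYS},
            "phase2": {k: conn.get(k, "<openswan default>") for k in PHASE2_KEYS}}

def differing_keys(conns, a, b):
    """Keys whose value (or presence) differs between tunnels a and b."""
    keys = set(conns[a]) | set(conns[b])
    return sorted(k for k in keys if conns[a].get(k) != conns[b].get(k))
```

For the post's two tunnels the report flags esp, ike, ikelifetime, both subnets, the peer address and type, so those are the fields to re-check on the pfSense side first.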