Strange IPsec work?



  • I'm sorry for my English.

    But I'm just asking here because no one in the Russian topic knows, or no one wants to answer.

    So, I have two sites and two pfSense boxes:

    Site A
    1. Has a static IP
    2. IPsec set up for mobile clients (works fine)

    Site B
    1. Dynamic IP
    2. pfSense box behind another router (Zyxel)
    3. The Zyxel has DDNS set up and port-forwards IKE (UDP/500) to the pfSense box.

    When I connect using the IPsec client from behind this network (Site B), everything goes great. But if I set up a site-to-site tunnel, the tunnel works fine, but then I can't connect using the mobile client (I mean from the same network where the tunnel is up). I can still connect from another global IP, though. What's the catch?



  • It sounds like you're trying to set up two phase 1 tunnels between the same public IPs (site-to-site and mobile IPsec).
    Generally this causes lots of issues, if it even works.
    It's a known IPsec SA limitation in a lot of products (not sure if it is present in pfSense).

    The most probable cause is that you're forwarding all UDP 500 traffic to the pfSense box.
    Which means that the mobile client can never establish a tunnel, because it's not receiving the response.

    Even if you did get it to connect, you'd have routing issues due to the two phase 2 tunnels that would be in operation.

    Ideally for mobile VPNs I suggest using SSL. There are no NAT issues, and ISPs that filter ports generally don't touch UDP ports.

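    As an added illustration (not part of this thread, and not pfSense or Zyxel code), here is a constructed Python model of the NAT behaviour the reply above describes: a router with a static forward of UDP/500 to the pfSense box, plus ordinary dynamic NAT for the other hosts behind it. The addresses are taken from the RFC 5737 documentation ranges, and three things are simplifying assumptions of the model: the NAT preserves the inside source port when it can and otherwise allocates the next free port from 1024, inbound packets are matched against dynamic mappings before static forwards, and Site A's IKE responder answers to UDP port 500 on the peer address (the pre-NAT-T ISAKMP behaviour). Under those assumptions the model reproduces what the original poster sees: the mobile client works alone, but once the site-to-site tunnel owns public:500 at the NAT, Site A's reply to the mobile client lands on the pfSense box instead.

```python
"""Constructed NAT model (not from the thread): why a road warrior behind the
same NAT as a site-to-site pfSense peer stops receiving Site A's IKE replies.

Assumptions (simplifications, see the lead-in): port preservation where
possible, dynamic mappings looked up before static forwards, and Site A
replying to UDP 500 on the peer address.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # Site B's Zyxel WAN address (RFC 5737 range)
SITE_A    = "198.51.100.1"   # Site A pfSense, static IP
PFSENSE_B = "192.168.1.2"    # Site B pfSense, behind the Zyxel
CLIENT_B  = "192.168.1.50"   # a road-warrior laptop inside Site B
IKE = 500


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """Port-restricted NAT with static port forwards (constructed model)."""

    def __init__(self, public_ip, port_forwards):
        self.public_ip = public_ip
        self.port_forwards = dict(port_forwards)   # ext_port -> (inside_ip, inside_port)
        self.table = {}   # (ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.next_free = 1024

    def outbound(self, pkt):
        """Translate an inside -> internet packet, creating or reusing a mapping."""
        inside = (pkt.src_ip, pkt.src_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        owner = self.table.get((pkt.src_port,) + remote)
        if owner is None or owner == inside:
            ext_port = pkt.src_port              # port preserved (500 stays 500)
        else:
            # Another inside host already owns public:src_port <-> remote,
            # so this flow gets a fresh external port instead.
            while ((self.next_free,) + remote) in self.table:
                self.next_free += 1
            ext_port = self.next_free
            self.next_free += 1
        self.table[(ext_port,) + remote] = inside
        return Packet(self.public_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Deliver an internet -> public_ip packet; returns the inside (ip, port) or None."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:                    # existing flow wins
            return self.table[key]
        if pkt.dst_port in self.port_forwards:   # otherwise the static forward
            return self.port_forwards[pkt.dst_port]
        return None                              # no mapping, no forward: dropped


def site_a_ike_reply(request):
    """Site A answers from UDP 500 to UDP 500 on the peer address (pre-NAT-T behaviour)."""
    return Packet(SITE_A, IKE, request.src_ip, IKE)


def ike_exchange(nat, initiator_ip):
    """Initiator sends IKE from UDP 500; returns (external port used, inside host that gets the reply)."""
    out = nat.outbound(Packet(initiator_ip, IKE, SITE_A, IKE))
    return out.src_port, nat.inbound(site_a_ike_reply(out))


def fresh_nat():
    """Site B's Zyxel: dynamic NAT plus a static forward of UDP/500 to the pfSense box."""
    return Nat(PUBLIC_IP, {IKE: (PFSENSE_B, IKE)})


def mobile_client_alone():
    """Scenario 1: no site-to-site tunnel; the road warrior alone connects to Site A."""
    return ike_exchange(fresh_nat(), CLIENT_B)


def site_to_site_then_mobile_client():
    """Scenario 2: Site A brings up the site-to-site tunnel, then the road warrior tries."""
    nat = fresh_nat()
    # Site A -> public:500 has no dynamic mapping yet, so the static forward hands it to pfSense.
    first_hop = nat.inbound(Packet(SITE_A, IKE, PUBLIC_IP, IKE))
    # pfSense answers; its flow now owns public:500 <-> Site A:500 in the NAT table.
    nat.outbound(Packet(PFSENSE_B, IKE, SITE_A, IKE))
    # The road warrior cannot get port 500 preserved, and Site A still replies to port 500.
    return first_hop, ike_exchange(nat, CLIENT_B)


if __name__ == "__main__":
    print("client alone (ext port, reply delivered to):", mobile_client_alone())
    print("tunnel up, then client:", site_to_site_then_mobile_client())
```

    In scenario 2 the road warrior's request leaves the Zyxel from port 1024, but Site A answers to port 500, and public:500 already belongs to the pfSense box (first through the static forward, then through its own mapping), so the client never sees the reply. NAT-Traversal on UDP 4500 and replying to the observed source port exist precisely to avoid this, which is also why the SSL VPN suggestion above sidesteps the problem.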


  • Thanks for the answer. I thought it was an issue with NAT, but couldn't work out what exactly. That's the point:
    @JamesJohnson:

    The most probable cause is that you're forwarding all UDP 500 traffic to the pfSense box.
    Which means that the mobile client can never establish a tunnel, because it's not receiving the response.

    Solved!

