Netgate Discussion Forum

    Strange IPsec work?

    • New0ne

      I'm sorry for my English.

      But I'm just wondering, 'cause no one knows in the Russian topic or doesn't want to answer.

      So, I have two sites and two pfSense boxes:

      Site A
      1. Has a static IP
      2. IPsec set up for mobile clients (works fine)

      Site B
      1. Dynamic IP
      2. pfSense box behind another router (Zyxel)
      3. Zyxel set up with DDNS and a port forward of IKE (udp/500) to the pfSense box.

      When I'm connecting using the IPsec client from behind this network (Site B), everything goes great. But if I set up a site-to-site tunnel, the tunnel works fine, but then I can't connect using the mobile client (I mean from the same network where the tunnel is up). I can still connect from another global IP. What's the catch?


      • JamesJohnson

        It sounds like you're trying to set up 2x phase 1 tunnels between the same public IPs (site-to-site and mobile IPsec).
        Generally this causes lots of issues, if it even works.
        It's a known IPsec SA limitation in a lot of products (not sure if it is present in pfSense).

        The most probable cause is that you're forwarding all UDP 500 traffic to the pfSense box.
        Which means that the mobile client can never establish a tunnel because it's not receiving the response.

        Even if you did get it to connect, you'd have routing issues due to the 2 phase 2 tunnels that would be in operation.

        Ideally for mobile VPNs I suggest using SSL. There are no NAT issues, and ISPs that filter ports generally don't touch UDP ports.


        • New0ne

          Thanks for the answer. I thought that it was an issue with NAT, but couldn't get exactly what. That's the point:
          @JamesJohnson:

          The most probable cause is that you're forwarding all UDP 500 traffic to the pfSense box.
          Which means that the mobile client can never establish a tunnel because it's not receiving the response.

          Solved!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.