    IPSec setup

      taenzerme

      Hello community,

I'm in the process of setting up an IPSec connection to one of our clients' Cisco FW, but we're running into problems - maybe because of a lack of basic knowledge with configuration on both sides.

      General setup:

      Server A (remote) <=> Cisco Unity <=> pfSense <=> Server B (local)

      Local setup:

      Proxmox host:

      • Proxmox host

• OVS bridge vmbr0 => eth4 => LAN, VLAN 2,4,5,6,7 on all switches

• OVS bridge vmbr1 => eth1 => WAN uplink, VLAN 3 on all switches

Firewall

 WAN (wan)       -> vtnet7     -> v4: xxxxxxxxxxxxx/27
 LAN_AW_ADM (lan) -> vtnet0     -> v4: 192.168.100.253/24
 LAN_AW_INT (opt1) -> vtnet1     -> v4: 10.40.0.253/24
 LAN_TM_CL (opt2) -> vtnet3     -> v4: 10.30.0.253/24
 LAN_TM_INT (opt3) -> vtnet2     -> v4: 10.20.0.253/24

      • KVM VM pfSense

      • LAN vtnet0 => vmbr0, no vlan (proxmox gui), 192.168.100.253/24, no upstream gw

      • LAN vtnet1 => vmbr0, vlan 6 (proxmox gui), 10.40.0.253/24, gw 10.40.0.253

      • LAN vtnet1 Virtual IP Alias 100.72.13.163/29

      • WAN vtnet7 => vmbr1, no vlan (proxmox gui), WAN w/ gw of local ISP

      MySQL-Server

      • KVM VM MySQL

      • LAN eth0 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 10.40.0.101 dhcp

      • LAN eth0:1 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 100.72.13.161 static

      IPSec setup
      # This file is automatically generated. Do not edit
      config setup
              uniqueids = yes
              charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
      
      conn con1000
              reqid = 1
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = xxx.xxx.xxx.xxx
              right = xxx.xxx.xxx.xxx
              leftid = xxx.xxx.xxx.xxx
              ikelifetime = 28800s
              lifetime = 3600s
              ike = 3des-sha1-modp1024!
              esp = aes256-md5-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = xxx.xxx.xxx.xxx
              aggressive = no
              rightsubnet = 100.64.13.160/29
              leftsubnet = 100.72.13.160/29
      I don't have direct control over the Cisco Unity box. This is done by the client IT dep.

      Target:

      Server A (Remote) should be able to connect to MySQL server (TCP 3306) on our server B. Server A has local IP 10.112.94.49 which is NATed to 100.64.13.161 and should be able to connect to MySQL port 3306 on server B (our side) through IPSec with IP 100.72.13.161.

      What we did so far:

      • added allow all rule to IPSec rule tab (for testing purposes)

      • added allow all rule to LAN_AW_INT (opt1) rule tab (for testing purposes)

      Problem(s):

      IPSec tunnel is up (ipsec1screen.jpg).
But no traffic through the tunnel (ICMP, TCP 3306) is possible.

      So my basic question is: what is the recommended setup for this situation on our side?
      I guess the virtual IP approach is just wrong on our side.

What has to be done so that our local MySQL server 10.40.0.101 is reachable with IP 100.72.13.161 through the IPSec tunnel?

      I understand that this might be more of individual consulting, so if anyone around here would be willing to offer paid consulting on an hourly basis it would be fine with me, of course.

I'm trying to understand what the setup must look like to work as intended.

      Best
      Sebastian
      ipsec1screen.jpg
      ipsec1screen.jpg_thumb
      config-firewall1-20150317125348.txt
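Added example, not part of the post and not pfSense or strongSwan code: a small Python script that parses a copy of the conn above (subnets and proposals taken from the post, the xxx placeholders dropped since they are not needed), checks whether a given source/destination pair falls inside the tunnel's traffic selectors, and flags weak algorithms in the ike/esp proposals. The selector check makes the routing problem visible: a packet sourced from the MySQL VM's primary address 10.40.0.101 is not inside 100.72.13.160/29, so the tunnel policy never matches it; only 100.72.13.160/29 <-> 100.64.13.160/29 is protected. The three flows are constructed from the addresses in the post; the function names are the example's own.

```python
"""Added example (not from the original post): check which flows the posted
strongSwan conn would protect, and audit its proposals for weak algorithms."""
import ipaddress
import re

# Constructed copy of the conn from the post, reduced to the keys used here.
IPSEC_CONF = """
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn con1000
        keyexchange = ikev1
        type = tunnel
        ike = 3des-sha1-modp1024!
        esp = aes256-md5-modp1024!
        rightsubnet = 100.64.13.160/29
        leftsubnet = 100.72.13.160/29
"""


def parse_ipsec_conf(text):
    """Return {section_header: {key: value}} for a strongSwan-style ipsec.conf.
    Section headers ('config setup', 'conn NAME') start in column 0; their
    key = value lines are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # new section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections


def flow_is_protected(conn, src, dst):
    """True when (src, dst) lies inside leftsubnet->rightsubnet or the reverse,
    i.e. inside the traffic selectors of the tunnel-mode policy for this conn.
    Anything else leaves the firewall unprotected (or is dropped), which is why
    the source address of the MySQL server matters."""
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


# Algorithm tokens a defender should flag in an IKE/ESP proposal today.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "null"}


def weak_algorithms(proposal):
    """Return the weak tokens in a strongSwan proposal string such as
    'aes256-md5-modp1024!' (the trailing '!' only marks it as strict)."""
    tokens = re.split(r"[-,]", proposal.rstrip("!").lower())
    return sorted(t for t in tokens if t in WEAK)


def analyse(text, flows, conn_name="conn con1000"):
    """Evaluate the given (src, dst) flows against the conn and audit its proposals."""
    conn = parse_ipsec_conf(text)[conn_name]
    return {
        "flows": {f"{s}->{d}": flow_is_protected(conn, s, d) for s, d in flows},
        "weak_ike": weak_algorithms(conn["ike"]),
        "weak_esp": weak_algorithms(conn["esp"]),
    }


if __name__ == "__main__":
    # Constructed flows from the post: the MySQL VM's primary address, its
    # 100.72.13.161 alias, and the reply direction from the remote NAT address.
    result = analyse(IPSEC_CONF, [
        ("10.40.0.101", "100.64.13.161"),
        ("100.72.13.161", "100.64.13.161"),
        ("100.64.13.161", "100.72.13.161"),
    ])
    for flow, ok in result["flows"].items():
        print(f"{flow:32} {'protected' if ok else 'NOT in selectors'}")
    print("weak IKE algorithms:", result["weak_ike"])
    print("weak ESP algorithms:", result["weak_esp"])
```

The first flow is reported as outside the selectors, the other two as protected, and both proposals are flagged (3DES, SHA-1, MD5 and the 1024-bit MODP group); with a peer you do not control, the proposal audit is also a quick way to see what the remote side's administrator would have to change.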

        taenzerme

Just when you think there are no options left you solve it on your own ;-)

        I ended up setting up another pfSense just for IPSec and 1:1 NAT all ports/protocols for IPSec from the primary pfSense to it. I added a second network interface with an IP in the 100.72.13.160/29 subnet to the new pfSense vm and created the IPSec connection like I did before.

        We then set up another database VM with its primary network interface also in that subnet and the IP of the new pfSense as gateway. Everything was working as expected from then.

        I ended up having a lot of TCP:RA drops and blocks from another remote location connected via OpenVPN on another VM (but in the same VLAN) which was solved by setting the firewall mode to conservative.

        Any idea why that is needed?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.