I'm in the progress of setting up an IPSec connection to one of our clients' Cisco FW, but we're running into problems - maybe because of a lack of basic knowledge with configuration on both sides.
Server A (remote) <=> Cisco Unity <=> pfSense <=> Server B (local)
OFS bridge vmbr0 => eth4 => LAN, VLAN 2,4,5,6,7 on all switches
OFS bridge vmbr1 => eth1 => WAN uplink, VLAN 3 on all switches
WAN (wan) -> vtnet7 -> v4: xxxxxxxxxxxxx/27 LAN_AW_ADM (lan) -> vtnet0 -> v4: 192.168.100.253/24 LAN_AW_INT (opt1) -> vtnet1 -> v4: 10.40.0.253/24 LAN_TM_CL (opt2) -> vtnet3 -> v4: 10.30.0.253/24 LAN_TM_INT (opt3) -> vtnet2 -> v4: 10.20.0.253/24
KVM VM pfSense
LAN vtnet0 => vmbr0, no vlan (proxmox gui), 192.168.100.253/24, no upstream gw
LAN vtnet1 => vmbr0, vlan 6 (proxmox gui), 10.40.0.253/24, gw 10.40.0.253
LAN vtnet1 Virtual IP Alias 100.72.13.163/29
WAN vtnet7 => vmbr1, no vlan (proxmox gui), WAN w/ gw of local ISP
KVM VM MySQL
LAN eth0 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 10.40.0.101 dhcp
LAN eth0:1 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 100.72.13.161 static
# This file is automatically generated. Do not edit config setup uniqueids = yes charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2" conn con1000 reqid = 1 fragmentation = yes keyexchange = ikev1 reauth = yes forceencaps = no mobike = no rekey = yes installpolicy = yes type = tunnel dpdaction = restart dpddelay = 10s dpdtimeout = 60s auto = route left = xxx.xxx.xxx.xxx right = xxx.xxx.xxx.xxx leftid = xxx.xxx.xxx.xxx ikelifetime = 28800s lifetime = 3600s ike = 3des-sha1-modp1024! esp = aes256-md5-modp1024! leftauth = psk rightauth = psk rightid = xxx.xxx.xxx.xxx aggressive = no rightsubnet = 100.64.13.160/29 leftsubnet = 100.72.13.160/29
I don't have direct control over the Cisco Unity box. This is done by the client IT dep.
Server A (Remote) should be able to connect to MySQL server (TCP 3306) on our server B. Server A has local IP 10.112.94.49 which is NATed to 100.64.13.161 and should be able to connect to MySQL port 3306 on server B (our side) through IPSec with IP 100.72.13.161.
What we did so far:
added allow all rule to IPSec rule tab (for testing purposes)
added allow all rule to LAN_AW_INT (opt1) rule tab (for testing purposes)
IPSec tunnel is up (ipsec1screen.jpg).
But no traffic trough the tunnel (ICMP, TCP 3306) is possible.
So my basic question is: what is the recommended setup for this situation on our side?
I guess the virtual IP approach is just wrong on our side.
What has to be done so that our local MySQL server 10.40.0.101 is reachable with IP 100.72.13.161 trough the IPSec tunnel?
I understand that this might be more of individual consulting, so if anyone around here would be willing to offer paid consulting on an hourly basis it would be fine with me, of course.
I'm trying to understand what setup must look like to work as intended.
Just when you think there's no options left you solve it on your own ;-)
I ended up setting up another pfSense just for IPSec and 1:1 NAT all ports/protocols for IPSec from the primary pfSense to it. I added a second network interface with an IP in the 100.72.13.160/29 subnet to the new pfSense vm and created the IPSec connection like I did before.
We then set up another database VM with its primary network interface also in that subnet and the IP of the new pfSense as gateway. Everything was working as expected from then.
I ended up having a lot of TCP:RA drops and blocks from another remote location connected via OpenVPN on another VM (but in the same VLAN) which was solved by setting the firewall mode to conservative.
Any idea why that is needed?