IPSec setup



  • Hello community,

I'm in the process of setting up an IPSec connection to one of our clients' Cisco FW, but we're running into problems - maybe because of a lack of basic knowledge with configuration on both sides.

    General setup:

    Server A (remote) <=> Cisco Unity <=> pfSense <=> Server B (local)

    Local setup:

    Proxmox host:

    • Proxmox host

    • OFS bridge vmbr0 => eth4 => LAN, VLAN 2,4,5,6,7 on all switches

    • OFS bridge vmbr1 => eth1 => WAN uplink, VLAN 3 on all switches

    Firewall

    
     WAN (wan)       -> vtnet7     -> v4: xxxxxxxxxxxxx/27
     LAN_AW_ADM (lan) -> vtnet0     -> v4: 192.168.100.253/24
     LAN_AW_INT (opt1) -> vtnet1     -> v4: 10.40.0.253/24
     LAN_TM_CL (opt2) -> vtnet3     -> v4: 10.30.0.253/24
     LAN_TM_INT (opt3) -> vtnet2     -> v4: 10.20.0.253/24
    
    
    • KVM VM pfSense

    • LAN vtnet0 => vmbr0, no vlan (proxmox gui), 192.168.100.253/24, no upstream gw

    • LAN vtnet1 => vmbr0, vlan 6 (proxmox gui), 10.40.0.253/24, gw 10.40.0.253

    • LAN vtnet1 Virtual IP Alias 100.72.13.163/29

    • WAN vtnet7 => vmbr1, no vlan (proxmox gui), WAN w/ gw of local ISP

    MySQL-Server

    • KVM VM MySQL

    • LAN eth0 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 10.40.0.101 dhcp

    • LAN eth0:1 (vtnet0) => vmbr0, vlan 6 (proxmox gui), local IP 100.72.13.161 static

    IPSec setup

    
    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
            charondebug="dmn 2,mgr 2,ike 2,chd 2,job 2,net 2,esp 2,lib 2"
    
    conn con1000
            reqid = 1
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = xxx.xxx.xxx.xxx
            right = xxx.xxx.xxx.xxx
            leftid = xxx.xxx.xxx.xxx
            ikelifetime = 28800s
            lifetime = 3600s
            ike = 3des-sha1-modp1024!
            esp = aes256-md5-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = xxx.xxx.xxx.xxx
            aggressive = no
            rightsubnet = 100.64.13.160/29
            leftsubnet = 100.72.13.160/29
    
    

    I don't have direct control over the Cisco Unity box. This is done by the client IT dep.

    Target:

    Server A (Remote) should be able to connect to MySQL server (TCP 3306) on our server B. Server A has local IP 10.112.94.49 which is NATed to 100.64.13.161 and should be able to connect to MySQL port 3306 on server B (our side) through IPSec with IP 100.72.13.161.

    What we did so far:

    • added allow all rule to IPSec rule tab (for testing purposes)

    • added allow all rule to LAN_AW_INT (opt1) rule tab (for testing purposes)

    Problem(s):

IPSec tunnel is up (ipsec1screen.jpg).
    But no traffic through the tunnel (ICMP, TCP 3306) is possible.

    So my basic question is: what is the recommended setup for this situation on our side?
    I guess the virtual IP approach is just wrong on our side.

What has to be done so that our local MySQL server 10.40.0.101 is reachable with IP 100.72.13.161 through the IPSec tunnel?

    I understand that this might be more of individual consulting, so if anyone around here would be willing to offer paid consulting on an hourly basis it would be fine with me, of course.

    I'm trying to understand what setup must look like to work as intended.

    Best
    Sebastian


    config-firewall1-20150317125348.txt
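Two things a reviewer would check in a generated ipsec.conf like the one above are the algorithm proposals and the traffic selectors (leftsubnet/rightsubnet): only packets whose source and destination fall inside those selectors are ever put into the tunnel, so the address the MySQL server actually sends from matters. The script below is an added example, not the poster's configuration or a pfSense tool; it parses a copy of the posted con1000 section with the redacted peer addresses replaced by RFC 5737 placeholders (198.51.100.10 / 203.0.113.20, an assumption), flags proposal tokens that current IKE guidance deprecates, and tests the two candidate source addresses from the post (100.72.13.161 and 10.40.0.101) against the selectors. The function names are the example's own.

```python
"""Audit a pfSense/strongSwan ipsec.conf: flag weak algorithm proposals and
check which flows the tunnel's traffic selectors will actually cover.
Added example; SAMPLE_CONF is a copy of the posted con1000 section with the
redacted peer addresses replaced by RFC 5737 documentation placeholders."""
import ipaddress
import re

# Constructed sample (placeholder peer IPs, otherwise the posted values).
SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn con1000
        reqid = 1
        keyexchange = ikev1
        type = tunnel
        left = 198.51.100.10
        right = 203.0.113.20
        ike = 3des-sha1-modp1024!
        esp = aes256-md5-modp1024!
        leftauth = psk
        rightauth = psk
        aggressive = no
        rightsubnet = 100.64.13.160/29
        leftsubnet = 100.72.13.160/29
"""

# Proposal tokens a defender would not accept in a new tunnel
# (see RFC 8247 for the current IKEv2 algorithm requirements).
WEAK_TOKENS = {
    "3des": "3DES is a 64-bit block cipher and deprecated",
    "md5": "MD5 integrity/PRF must not be used",
    "sha1": "HMAC-SHA1 is being phased out; prefer SHA-2",
    "modp1024": "DH group 2 (1024-bit) is too small; use 2048-bit or ECDH",
}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)", line)  # section header at column 0
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            current[k] = v.strip('"')
    return conns


def weak_algorithms(conn):
    """List findings for weak tokens in the ike= and esp= proposals."""
    findings = []
    for key in ("ike", "esp"):
        proposal = conn.get(key, "").rstrip("!")   # '!' only means 'strict', not part of a token
        for prop in proposal.split(","):
            for token in prop.split("-"):
                if token in WEAK_TOKENS:
                    findings.append(f"{key}: {WEAK_TOKENS[token]}")
    if conn.get("keyexchange") == "ikev1" and conn.get("aggressive") == "yes":
        findings.append("ike: IKEv1 aggressive mode with PSK exposes the PSK hash to offline guessing")
    return findings


def flow_matches(conn, local_src, remote_dst):
    """True if a packet local_src -> remote_dst is inside the tunnel's selectors
    (leftsubnet is our side, rightsubnet the peer's side)."""
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    return (ipaddress.ip_address(local_src) in left
            and ipaddress.ip_address(remote_dst) in right)


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, conn in conns.items():
        print(f"[{name}] {conn['leftsubnet']} <-> {conn['rightsubnet']}")
        for finding in weak_algorithms(conn):
            print("  weak:", finding)
        # The MySQL server's alias address vs. its primary LAN address.
        for src in ("100.72.13.161", "10.40.0.101"):
            ok = flow_matches(conn, src, "100.64.13.161")
            print(f"  {src} -> 100.64.13.161: {'in tunnel' if ok else 'NOT covered by selectors'}")
```

Run stand-alone it reports five weak tokens for con1000 (3des, sha1 and modp1024 in ike=, md5 and modp1024 in esp=) and shows that only traffic sourced from the 100.72.13.161 alias, not from 10.40.0.101, falls inside the leftsubnet selector.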



  • Just when you think there are no options left you solve it on your own ;-)

    I ended up setting up another pfSense just for IPSec and 1:1 NAT all ports/protocols for IPSec from the primary pfSense to it. I added a second network interface with an IP in the 100.72.13.160/29 subnet to the new pfSense vm and created the IPSec connection like I did before.

    We then set up another database VM with its primary network interface also in that subnet and the IP of the new pfSense as gateway. Everything was working as expected from then.

    I ended up having a lot of TCP:RA drops and blocks from another remote location connected via OpenVPN on another VM (but in the same VLAN) which was solved by setting the firewall mode to conservative.

    Any idea why that is needed?

