Site to Site with one side behind another router
-
Hi hi, I've just set up a new IPsec tunnel; both boxes are APU boards and are running 2.2.2. But one of these boxes is behind another router, so it's in a NAT'd environment. Is there a way to tell charon that pfSense's WAN IP is not the real WAN IP? I mean like DynDNS does it…
Here's the main issue why the tunnel doesn't come up; charon:
13[NET] <con1|3> sending packet: from 192.168.178.47[500] to xxx.xx.xx.xx[500] (328 bytes)
And I'm aware of jimp's post: https://forum.pfsense.org/index.php?topic=37435.msg193158#msg193158 But I hope I'm not hit by that…
-
You should be able to specify whatever address you want to report in your phase 1 proposal authentication section in the 'My Identifier' or 'Peer Identifier' setting. Just change the relevant side to 'IP address' and enter the IP address you'd like it to report.
I believe that's what you're asking?
-
Thanks, but as I don't have a static IP on this side of the tunnel I'm afraid I can't… So I'm looking for another way out of that!
You should be able to specify whatever address you want to report in your phase 1 proposal authentication section in the 'My Identifier' or 'Peer Identifier' setting. Just change the relevant side to 'IP address' and enter the IP address you'd like it to report.
I believe that's what you're asking?
-
It doesn't have to be your WAN IP, or even an IP you own for that matter, it just has to match on both sides. Putting in the LAN IP would be fine.
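The point above, that the IKE identities are arbitrary strings that only have to match on both ends, is easier to see in the strongSwan ipsec.conf that pfSense's GUI ultimately generates for charon. The following is an added example, not configuration from this thread or from pfSense itself: site A is the box behind the other router (DHCP WAN address, unknown public address), site B has a static public address. Every hostname, address, subnet and the PSK are assumed for illustration.

```conf
# Added example (not from the thread): strongSwan ipsec.conf fragments for a
# site-to-site tunnel where site A sits behind a NAT router with a DHCP WAN
# address and site B has a static public IP. Identities, addresses, subnets
# and the PSK are assumptions for illustration.

# --- site A (behind NAT, DHCP WAN): /etc/ipsec.conf ---
conn site-a-to-site-b
    keyexchange=ikev2
    authby=secret
    # Identities are not the WAN addresses: they are free-form FQDN-style
    # strings (the leading @ tells strongSwan not to resolve them) and only
    # have to match what the peer configures as its rightid/leftid.
    leftid=@site-a.nat.example
    rightid=@site-b.example
    # Local address: whatever the interface currently got from DHCP.
    left=%defaultroute
    leftsubnet=10.1.0.0/24
    # Peer: static public address (assumed), so the NATed side initiates.
    right=203.0.113.10
    rightsubnet=10.2.0.0/24
    # Keep UDP-encapsulated ESP (port 4500) even if NAT detection fails,
    # e.g. behind a router that rewrites source ports.
    forceencaps=yes
    auto=start

# --- site B (static public IP): /etc/ipsec.conf ---
conn site-b-to-site-a
    keyexchange=ikev2
    authby=secret
    leftid=@site-b.example
    rightid=@site-a.nat.example
    left=203.0.113.10
    leftsubnet=10.2.0.0/24
    # Site A's public address is unknown and changes: accept the peer from
    # any source and match it on its identity instead.
    right=%any
    rightsubnet=10.1.0.0/24
    # Do not try to initiate towards %any; wait for site A to connect.
    auto=add

# --- both sides: /etc/ipsec.secrets (PSK is keyed by the identities) ---
@site-a.nat.example @site-b.example : PSK "assumed-shared-secret"
```

In the pfSense GUI this corresponds to setting "My identifier" / "Peer identifier" on each side to the same pair of values (the GUI's "Distinguished name" or "Key ID tag" types map to these string identities), and on the static side to accepting the peer from any address. Nothing in the configuration has to know the NATed side's public address; the identity match and NAT traversal on UDP 4500 take care of it.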
-
Thanks Chris,
but the issue remained:
charon: 14[NET] <con1|10> received packet: from 192.168.178.47[500] to xx.xx.xx.xx[500] (204 bytes)
I get those all the time whatever I enter in the settings, where 192…. is the IP of the pfSense's WAN interface, which it gets by DHCP from a FritzBox, and there's no chance for me to change that setup! I've never done IPsec tunnels from behind NAT...
As I was lost I simply did it with OpenVPN and that now works, but I'd prefer to run the tunnel with IPsec!
So how can I tell pfSense to not use its WAN IP when requesting a connection?
@cmb:
It doesn't have to be your WAN IP, or even an IP you own for that matter, it just has to match on both sides. Putting in the LAN IP would be fine.
-
That's just the source IP of the traffic it's initiating; it has no relation to the identifiers. It will never show anything other than the actual IP assigned to the system in that particular log; it can't just source traffic from an IP that it's being NATed to elsewhere.
The problem is somewhere else. Beyond that, what do you see in the IPsec logs?
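The reply above makes the key point: a private 192.168.x.x source address in charon's [NET] lines is expected behind NAT and is not the fault. What a practitioner actually wants to check in those logs is (a) whether the peer answers at all and (b) whether the exchange moves from UDP 500 to UDP 4500 once NAT is detected, which is how NAT traversal shows up. The script below is an added example, not code from this thread or from pfSense/strongSwan; it parses the [NET] send/receive lines in charon's format and gives a verdict per connection. The log lines it runs on are constructed for illustration (documentation address 203.0.113.10 stands in for the remote peer).

```python
"""Added example (not from the thread): sanity-check charon [NET] log lines
for a peer behind NAT.  The source address charon logs is always the local
interface address (private behind another router); the useful signals are
whether replies arrive and whether the exchange switches to UDP 4500.
Sample log lines below are constructed, not taken from the thread.
"""
import ipaddress
import re

# charon's "[NET]" send/receive lines, e.g.
#   13[NET] <con1|3> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (328 bytes)
NET_LINE = re.compile(
    r"\[NET\] <(?P<conn>[^>]+)> (?P<dir>sending|received) packet: "
    r"from (?P<src>[0-9a-fA-F.:]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[0-9a-fA-F.:]+)\[(?P<dport>\d+)\]"
)

# Explicit RFC 1918 ranges (Python's ip.is_private also covers documentation
# ranges such as 203.0.113.0/24, which we want to treat as "public" here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VERDICT_TEXT = {
    "no-reply": "no packet ever received from the peer: check routing/firewall and UDP 500/4500 on the far side",
    "nat-t-missing": "private source address but the exchange never moved to UDP 4500: NAT-T did not engage",
    "nat-t-ok": "behind NAT, NAT-T engaged (exchange continued on UDP 4500)",
    "no-nat": "public source address, no NAT detected",
}


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in n for n in RFC1918)


def parse_net_lines(lines):
    """Return one dict per [NET] send/receive line (other lines are ignored)."""
    out = []
    for line in lines:
        m = NET_LINE.search(line)
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            out.append(d)
    return out


def assess_nat_traversal(lines):
    """Per connection: private source?, switched to 4500?, sent/received counts."""
    report = {}
    for pkt in parse_net_lines(lines):
        c = report.setdefault(pkt["conn"], {"private_source": False,
                                            "switched_to_4500": False,
                                            "sent": 0, "received": 0})
        if pkt["dir"] == "sending":
            c["sent"] += 1
            if is_rfc1918(pkt["src"]):
                c["private_source"] = True
        else:
            c["received"] += 1
        if pkt["sport"] == 4500 and pkt["dport"] == 4500:
            c["switched_to_4500"] = True
    return report


def diagnose(lines):
    """Map each connection to a verdict code (see VERDICT_TEXT)."""
    verdicts = {}
    for conn, c in assess_nat_traversal(lines).items():
        if c["received"] == 0:
            verdicts[conn] = "no-reply"
        elif c["private_source"] and not c["switched_to_4500"]:
            verdicts[conn] = "nat-t-missing"
        elif c["private_source"]:
            verdicts[conn] = "nat-t-ok"
        else:
            verdicts[conn] = "no-nat"
    return verdicts


# Constructed sample logs (not from the thread).
SAMPLE_NO_REPLY = [
    "13[NET] <con1|3> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (328 bytes)",
    "13[IKE] <con1|3> retransmit 1 of request with message ID 0",
    "13[NET] <con1|3> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (328 bytes)",
]
SAMPLE_NATT_OK = [
    "05[NET] <con2|4> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (328 bytes)",
    "06[NET] <con2|4> received packet: from 203.0.113.10[500] to 192.168.178.47[500] (304 bytes)",
    "06[NET] <con2|4> sending packet: from 192.168.178.47[4500] to 203.0.113.10[4500] (412 bytes)",
    "07[NET] <con2|4> received packet: from 203.0.113.10[4500] to 192.168.178.47[4500] (236 bytes)",
]
SAMPLE_NATT_MISSING = [
    "08[NET] <con3|5> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (328 bytes)",
    "09[NET] <con3|5> received packet: from 203.0.113.10[500] to 192.168.178.47[500] (304 bytes)",
    "09[NET] <con3|5> sending packet: from 192.168.178.47[500] to 203.0.113.10[500] (412 bytes)",
]

if __name__ == "__main__":
    for name, sample in (("no reply", SAMPLE_NO_REPLY), ("NAT-T ok", SAMPLE_NATT_OK),
                         ("NAT-T missing", SAMPLE_NATT_MISSING)):
        for conn, code in diagnose(sample).items():
            print(f"{name}: {conn}: {VERDICT_TEXT[code]}")
```

Run it against `clog /var/log/ipsec.log` output (or the IPsec log page in the GUI) on the NATed side. A "no-reply" verdict points away from identifiers and towards the far end (UDP 500/4500 not reaching the responder, or it not accepting a peer from an arbitrary address); a "nat-t-missing" verdict suggests the NAT in front of pfSense is interfering with NAT detection.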