Gateway IPSec site-to-site VPN and L2TP road warrior VPN behind the gateway
I'm loving PFSense and have just deployed the embedded version on some ALIX boards for several SOHO users and in the office. My thanks to everyone who has supported/worked on the project.
My question is how to configure the the firewall to allow for site to site IPSec tunnels at the gateway and not kill access to the L2TP/IPSec server sitting behind the office gateway. If I forward UDP 500 to the L2TP server (OS X Tiger), L2TP clients work fine but the site to site IPSec tunnels cease functioning (no response from the office gateway). If I turn of the rule, the tunnels work fine but the L2TP clients can't connect (no response). I was using a couple of Snapgear gateways before and like magic (because I'm ignorant about exactly how it worked) both the site to site and L2TP tunnels worked (with UDP 500 forwarded to the L2TP server). I'm assuming that the gateway was inspecting the UDP 500 traffic and only forwarding L2TP traffic that was not related to tunnels on the gateway.
Any help would be greatly appreciated.
I'm still hoping that someone can help me sort this problem out. I emailed the listserv but so far no one has offered a suggestion.
I think you have to use different public IP addresses for tunnels terminated by pfSense and for L2TP/IPSec connections you are trying to forward to you L2TP server.
Put yourself in pfSense' place. You see UDP-packet coming to port 500. How do you differentiate between packets intended for pfSense (tunnels) and intended to you L2TP server?