Windows IPSEC server behind pfSense



  • I need to put a Windows IPSEC server behind my pfSense firewall. I've read that IPSEC traffic should not be NAT'd so I am trying to determine the best way to do this.

    I have a relatively simple setup with one WAN interface and one LAN interface with multiple VLANs. I do have additional unused interfaces available and have additional unused WAN IPs available from my ISP.

    Can I configure pfSense in some way to not NAT the traffic to this one server?


  • LAYER 8 Global Moderator

    why don't you just endpoint the ipsec connection on pfsense?



  • @johnpoz:

    why don't you just endpoint the ipsec connection on pfsense?

    That was my initial thought as well, but management is against it. They don't want to do anything that could make the pfSense unstable taking down the entire network. I'm not sure this is much of a concern, but that is what was decided.

    If I find that we can't easily make it work otherwise, that may become an option again, but for now I've been tasked with doing Windows IPSEC.


  • LAYER 8 Global Moderator

    windows??  And you think that is going to be stable? ;) Curious, is this just to gain access to the windows box?  Or to use as a site to site tunnel?  Endpointing a tunnel behind your edge is going to be a PITA.

    There are people running hundreds of tunnels off their pfsense boxes, I don't see how 1 tunnel is going to be a problem..



  • @jeffh:

    @johnpoz:

    why don't you just endpoint the ipsec connection on pfsense?

    That was my initial thought as well, but management is against it. They don't want to do anything that could make the pfSense unstable taking down the entire network. I'm not sure this is much of a concern, but that is what was decided.

    If I find that we can't easily make it work otherwise, that may become an option again, but for now I've been tasked with doing Windows IPSEC.

    Wow…"management" doesn't understand how pfSense works.  You need to educate them!  IPSec is a daemon that runs inside the box.  If the IPSec daemon crashes, for whatever reason, pfSense continues to run unaffected.
    If "management" is so concerned about "taking down" the entire network, a second pfSense box would be a good way to increase availability.  In fact, IPsec would continue to work if one of the pfSense boxes was rebooted for maintenance, or crashed.  Management's windows IPSec solution won't do that! :D

    On to your question...You can set up an external 1:1 NAT to the Windows IPSEC server and open UDP/500, UDP/4500 and protocol ESP.  That should cover just about any scenario.  You might have issues with the NAT; clients might need to run IPSec with the NAT Traversal option in this scenario.
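As an added illustration (not from the thread or from pfSense's own generated ruleset), this is the pf(4) equivalent of the GUI steps the answer describes: a spare WAN address as an IP Alias, a 1:1 NAT to the Windows box, and WAN rules for IKE and ESP. The interface name and all addresses are assumed placeholders.

```pf
# Assumed names/addresses; pfSense builds its own ruleset from the GUI,
# so read this as a description of what the 1:1 NAT setup does, not as
# something to paste into /etc/pf.conf on a pfSense box.
ext_if    = "em0"             # WAN interface (assumed)
wan_alias = "203.0.113.10"    # spare ISP address, added as an IP Alias VIP
ipsec_srv = "192.168.10.20"   # Windows IPsec server on the LAN/VLAN

# 1:1 NAT is bidirectional (binat): inbound packets to the alias are
# rewritten to the server, and the server's own outbound IKE/ESP leaves
# from the alias, so the remote peer always sees one consistent address.
binat on $ext_if from $ipsec_srv to any -> $wan_alias

# pf translates inbound packets before filtering, so the pass rules are
# written against the internal address, exactly as pfSense WAN rules are
# for 1:1 NAT targets. Only IKE (UDP 500/4500) and ESP reach the server.
pass in quick on $ext_if proto udp from any to $ipsec_srv port { 500, 4500 }
pass in quick on $ext_if proto esp from any to $ipsec_srv
```

Because the server sees its private address while the peer sees the alias, IKE NAT detection will flag a NAT and both ends switch to UDP/4500 encapsulation, which is why the answer's NAT Traversal note matters; the ESP rule then stays idle but is harmless to leave in place.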



  • Wow…"management" doesn't understand...

    NO WAY!!!!!!!!

