Nat – PFSense IPSEC VPN VLAN

ipsecnat;pfsensevlan

We are integrating with a third party and they require the use of a L2L IPSec VPN for communication. I have successfully configured the IPSEC vpn and the tunel is up but now I cannot seem to have traffic pass through it because the source IP address is not correct (I assume). I am a software guy not a network guy so

The third party has required us to use subnet 172.31.168.0/24 but this conflicts with our internal addressing (AWS VPC) of 10.0.11.0/24. I added a 1:1 NAT for

source: Any
dest: <external encryption domain>
external : 172.31.168.0/24

but doing a traceroute from the pfsense machine to an ip in the encryption domain range sends the traffic out over the internet.

I have setup a app servers default route to be the PFSense box and I can see the app server connecting to external services in the firewall log but no ipsec related stuff?

Is what I am trying to do even possible?

Using PFSense version 2.1.5-RELEASE (amd64)

Best Answer

but doing a traceroute from the pfsense machine to an ip in the encryption domain range sends the traffic out over the internet

This is a clear indication that you do not have your IPsec Phase 2 entries configured correctly. IPsec matches traffic purely on source/dest IP subnet, and if it's not sending your desired traffic down the tunnel, you have a P2 configuration problem.

Related Solutions

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

I had a problem that exhibited behavior almost identical to yours. I was trying to run off-site backups with Veeam over the VPN. The job would run fine for somewhere between 2-6 hours usually, but at some point it would fail. Veeam support reviewed the logs and indicated it was related to a poor quality network connection. I looked at the Cisco ASA firewall and it showed errors:

show int eth 0/0 | inc error

The ASA outside interface was configured to auto negotiate speed and duplex, and was running at 100 Mbit half-duplex. I manually set the interface to 100 Mbit full-duplex, and have not had a problem with the off-site backup job since.

Here are the settings I'm using on pfSense 2.0.1. Note that a number of these were not default settings, and I had to verify that the Cisco ASA settings matched (especially lifetimes).

Phase 1:

Authentication method: Mutual PSK
Negotiation mode: aggressive
My identifier: KeyID tag, DefaultL2LGroup
Peer identifier: Peer IP address
Policy Generation: Unique
Proposal Checking: Obey
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400
NAT Traversal: Enable
Dead Peer Detection: disabled

Phase 2:

Mode: Tunnel
Protocol: ESP
Encryption: 3DES
Hash: MD5
PFS key group: off
Lifetime: 28800

Cisco – How to connect to a Cisco ASA5540 from Windows Server 2012 over IPSEC

The path of least resistance is to ask the people who manage the destination firewall for a copy of the Cisco IPSEC VPN client or for access using an SSL AnyConnect VPN. See if they can provide a PCF configuration file to you.

Best Answer

Related Solutions

Cisco – pfSense to ASA L2L VPN – infrequent, short-lasting, but consistent disconnections

Cisco – How to connect to a Cisco ASA5540 from Windows Server 2012 over IPSEC

Related Topic