Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 19 replies
  • Subscribers 2 subscribers
  • Views 46233 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site IPSEC to PFsense

Seranfall
I have an ASG v8 with a public IP on the WAN and private on the LAN using NAT.
I'm connecting to a pfsense 2.0 that has a public IP on the WAN side and private on the LAN using NAT.

I am able to get IPsec phase 1 and 2 to work.
Pfsense shows ICMP going to the ASG.
If I enable a No NAT rule and log the initial packets on the ASG I can see that the traffic is getting to the ASG. At least NAT sees traffic that has 10.101.0.0/16 network which is the local network on the pfsense lan side.

While I can see some icmp make it through the tunnel where atleast ASG sees it I can't actually get any traffic to flow. The ICMP always fails when I ping from a device on the LAN from either the ASG side or Pfsense side.
Also when I try any other traffic besides ICMP I see no indication at all in any of the logs that it is making it to the ASG.

Pfsense has an allow all for IPSec. On ASG I'm just using the auto firewall rules created by IPsec.

Any ideas here? I've tried everything I can think of and no where do I get anything telling me its dropping traffic even when I'm logging everything I can find. All I see is a bit of ICMP, but even that isn't fully working.


This thread was automatically locked due to age.
Parents
  • 0
    I just glanced at the PfSense documentation.  Definitely less flexible than Astaro when it comes to configuring VPNs!  This is just a guess...

    What if you select "Remote X509 Certificate" or "RSA Key" for your Remote Gateway and then use 'VPN ID type: IP Address'?  It looks like the PfSense could work with that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hate to parachute into a 6 year old post but I do want to make a quick point, here. One place where the pfSense IS more flexible is that you can use any WAN IP to terminate IPsec where on the Sophos UTM you must always use the public WAN (not any of the "alternate" WAN IPs - at least that has been my experience). Where this can become an issue is if you want to have multiple VPNs from a single location back to a single location. For example, I used to be able to support two VPN IPsec tunnels from two separate AWS VPCs back to our office until I replaced the pfSense with a Sophos UTM-9. I then had to choose the one that was more important and build an OpenVPN server for access to the other. I still prefer the Sophos over pfSense, though.

  • 0 in reply to Kipland Iles

    I'm curious, Kipland - What problem were you having when trying to use two IPsec tunnels?  Were you blocked from creating some definition?  Did the second tunnel get established but passed no traffic?  Or???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Amazon did not allow me to make an IPsec connection back to the same WAN IP where I already had one established. May have been a limitation on their side at the time and it was actually my son who reported that he had to drop one of the connections after the move to the Sophos. Before, on the pfSense, we used two "alternate" WAN IPs to set that up so AWS saw us as two separate entities whereas when we tried to connect both to a single "public" WAN, Amazon complained. I never pursued that any further since the people accessing that VPC we had to shut down where remote to our office, anyway, so OpenVPN was really a better solution for them. It was just a convenience for me while at the office.

Reply
  • 0 in reply to BAlfson

    Amazon did not allow me to make an IPsec connection back to the same WAN IP where I already had one established. May have been a limitation on their side at the time and it was actually my son who reported that he had to drop one of the connections after the move to the Sophos. Before, on the pfSense, we used two "alternate" WAN IPs to set that up so AWS saw us as two separate entities whereas when we tried to connect both to a single "public" WAN, Amazon complained. I never pursued that any further since the people accessing that VPC we had to shut down where remote to our office, anyway, so OpenVPN was really a better solution for them. It was just a convenience for me while at the office.

Children
No Data
Unfiltered HTML