Site to Site IPSEC to PFsense

I have an ASG v8 with a public IP on the WAN and private on the LAN using NAT.
I'm connecting to a pfsense 2.0 that has a public IP on the WAN side and private on the LAN using NAT.

I am able to get IPsec phase 1 and 2 to work.
pfSense shows ICMP going to the ASG.
If I enable a No NAT rule and log the initial packets on the ASG I can see that the traffic is getting to the ASG. At least NAT sees traffic that has the 10.101.0.0/16 network, which is the local network on the pfSense LAN side.

While I can see some ICMP make it through the tunnel, where at least the ASG sees it, I can't actually get any traffic to flow. The ICMP always fails when I ping from a device on the LAN from either the ASG side or the pfSense side.
Also, when I try any other traffic besides ICMP I see no indication at all in any of the logs that it is making it to the ASG.

pfSense has an allow-all rule for IPsec. On the ASG I'm just using the auto firewall rules created by IPsec.

Any ideas here? I've tried everything I can think of and nowhere do I get anything telling me it's dropping traffic, even when I'm logging everything I can find. All I see is a bit of ICMP, but even that isn't fully working.


  • May i ask a question, please?

    I have problems getting a VPN to work between a pfSense and one of my Astaros.
    The problem is the VPN IDs.

    The pfSense doesn't use the VPN ID out of the X509 certificates! What the hell?
    Neither from our certificate nor from its own, the admin says.

    Is this true? What can I do?

    Regards!
    Frank
  • I just glanced at the PfSense documentation.  Definitely less flexible than Astaro when it comes to configuring VPNs!  This is just a guess...

    What if you select "Remote X509 Certificate" or "RSA Key" for your Remote Gateway and then use 'VPN ID type: IP Address'?  It looks like the PfSense could work with that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We tried that.

    In the pluto log appears "No public key found for a.b.c.d", and I've tried with Remote X509 Certificate and IP a.b.c.d.

    Very strange.

    Right now I am not sure if I have to take my IP or the remote one! :-?
  • My guess is that you should leave the IP empty in the Astaro.  Maybe you can find something on the PfSense forum.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I was able to get this resolved. 
    So evidently when the school firewall admin tells you all the ports are open, that doesn't mean anything. I had to have our server admin update the firewall because our firewall admin is super lazy. Magic! Once protocol 50 wasn't being blocked, everything worked.

    Now I am having some issues where my firewall rules don't appear to be affecting VPN traffic. Haven't had much time to research it yet, but from what I've learned of iptables my rules should be getting processed before traffic enters the tunnel or after it exits the tunnel. That just doesn't seem to be the behavior I'm getting though. 

    Anyone have a few good resources for vpn and iptables they can point me to?
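The symptom described in the opening post (IKE phases complete, but tunnel traffic never flows) and the resolution above (ESP, IP protocol 50, was filtered by an upstream firewall) can be told apart quickly by looking at what actually reaches the gateway's WAN interface rather than at the VPN logs. The script below is an added example and is not code from either gateway vendor or from anyone in this thread: it classifies tcpdump-style text lines into IKE (UDP/500), NAT-T (UDP/4500), ESP and AH, counts them per direction between the two WAN addresses, and reports which of the usual failure patterns the counts match. The capture lines, the 198.51.100.20/203.0.113.10 WAN addresses and the 10.x subnets are constructed for the example; on a real gateway you would feed it the output of `tcpdump -n -i <wan-interface>` instead.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# One tcpdump -n text line: "<timestamp> IP <src> > <dst>: <rest>"
_LINE = re.compile(r"^\S+\s+IP6?\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Map one tcpdump line to (kind, src_ip, dst_ip).

    kind is "ike" (ISAKMP on UDP/500), "nat-t" (anything on UDP/4500: IKE or
    UDP-encapsulated ESP), "esp" (IP protocol 50), "ah" (IP protocol 51) or
    "other". Returns None for lines that are not IP packets.
    """
    m = _LINE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("ESP("):
        return ("esp", src, dst)
    if rest.startswith("AH("):
        return ("ah", src, dst)
    if rest.startswith("isakmp") or rest.startswith("UDP-encap"):
        src_ip, _ = src.rsplit(".", 1)            # strip the UDP port
        dst_ip, dst_port = dst.rsplit(".", 1)
        return ("ike" if dst_port == "500" else "nat-t", src_ip, dst_ip)
    return ("other", src, dst)


def parse_capture(text: str) -> Counter:
    """Count (kind, src, dst) triples over a whole capture."""
    counts: Counter = Counter()
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


def diagnose(counts: Counter, local_ip: str, peer_ip: str) -> Dict[str, object]:
    """Turn per-direction counts into the failure pattern they most resemble."""
    def n(kind: str, src: str, dst: str) -> int:
        return counts[(kind, src, dst)]

    ike_in, ike_out = n("ike", peer_ip, local_ip), n("ike", local_ip, peer_ip)
    nat_t = n("nat-t", peer_ip, local_ip) + n("nat-t", local_ip, peer_ip)
    esp_in, esp_out = n("esp", peer_ip, local_ip), n("esp", local_ip, peer_ip)

    if ike_in == 0 and nat_t == 0:
        finding = "no IKE from peer: check UDP/500 (and UDP/4500) reachability"
    elif nat_t:
        finding = "NAT-T in use: ESP is carried in UDP/4500, so IP protocol 50 filtering is not the issue"
    elif esp_out and not esp_in:
        finding = "IKE completes but no ESP arrives from peer: IP protocol 50 is likely filtered upstream"
    elif esp_in and not esp_out:
        finding = "ESP arrives but none is sent: check local IPsec policy and routing toward the remote subnet"
    elif not esp_in and not esp_out:
        finding = "IKE only, no ESP either way: phase 2 may not be up or no interesting traffic has been sent yet"
    else:
        finding = "IKE and ESP flow both ways: look at the firewall rules applied to the decrypted traffic"
    return {"ike_in": ike_in, "ike_out": ike_out, "nat_t": nat_t,
            "esp_in": esp_in, "esp_out": esp_out, "finding": finding}


LOCAL_WAN, PEER_WAN = "198.51.100.20", "203.0.113.10"   # constructed addresses

# Constructed tcpdump-style lines (not a real capture): IKE completes in both
# directions, ESP leaves this gateway, but no ESP ever comes back from the peer.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:01.000452 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:01.101234 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick[E]
12:00:01.102000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick[E]
12:00:03.000000 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0c1d2e3f,seq=0x1), length 132
12:00:04.000000 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0c1d2e3f,seq=0x2), length 132
12:00:05.000000 IP 10.10.0.5 > 10.101.0.7: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    result = diagnose(parse_capture(SAMPLE_CAPTURE), LOCAL_WAN, PEER_WAN)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The point of counting per direction is that a one-sided block shows up as ESP leaving but never arriving while IKE still negotiates happily on UDP/500, which is exactly why the VPN status looked fine in this thread while nothing passed. If the capture shows UDP/4500 instead, the peers detected NAT and ESP is riding inside UDP, so a protocol 50 filter cannot be the cause and the search should move to policy and routing.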
  • Thanks for posting the answer you found.

    Check the Astaro KnowledgeBase for info on VPNs.  I don't think knowing a lot more about iptables will help you understand how Astaro works though.

    Go ahead and start a new thread with your new question.  Show a picture of your 'IPsec Connection' and of the Firewall rule that's not working as you expect.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hate to parachute into a 6 year old post but I do want to make a quick point, here. One place where the pfSense IS more flexible is that you can use any WAN IP to terminate IPsec where on the Sophos UTM you must always use the public WAN (not any of the "alternate" WAN IPs - at least that has been my experience). Where this can become an issue is if you want to have multiple VPNs from a single location back to a single location. For example, I used to be able to support two VPN IPsec tunnels from two separate AWS VPCs back to our office until I replaced the pfSense with a Sophos UTM-9. I then had to choose the one that was more important and build an OpenVPN server for access to the other. I still prefer the Sophos over pfSense, though.

  • I'm curious, Kipland - What problem were you having when trying to use two IPsec tunnels?  Were you blocked from creating some definition?  Did the second tunnel get established but passed no traffic?  Or???

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Amazon did not allow me to make an IPsec connection back to the same WAN IP where I already had one established. May have been a limitation on their side at the time, and it was actually my son who reported that he had to drop one of the connections after the move to the Sophos. Before, on the pfSense, we used two "alternate" WAN IPs to set that up so AWS saw us as two separate entities, whereas when we tried to connect both to a single "public" WAN, Amazon complained. I never pursued that any further since the people accessing that VPC we had to shut down were remote to our office anyway, so OpenVPN was really a better solution for them. It was just a convenience for me while at the office.