Re: [pfSense Support] NAT over VPN
On Mon, Jul 19, 2010 at 1:04 PM, Matthias Niggemeier wrote:
> Hi there,
> I have to configure IPSec to a customer's site using pfSense 1.2.3. Normally
> not a big problem, but this is the first time I need to do NAT over VPN;
> i.e. the customer gives us only one IP address for the gateway, the rest has
> to be NATted behind this.
> As I searched through the list, I found that this is not possible with
> pfSense. (still true?)

Yes. The only option, if you must use IPsec (OpenVPN can NAT no problem), is to add a second firewall. It can be pfSense; usually when we set this up we use a VM inside the network which handles the NAT, then the primary firewall handles the IPsec. You just can't do both on the same system because of the way IPsec processing functions in FreeBSD.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] PFSense 1.2.3 IPSEC Tunnel dropped, no re-connect
Verified the settings. The fact that a reboot knocked out the tunnel is a little disconcerting. I can go change the encryption to see. Here's the current settings.

Phase 1: Aggressive; Identifier - My IP; 3DES; SHA1 MD5; DH2; Key Life 28800; PSK - **
Phase 2: 3DES; SHA1; PFS - Off; Key Life 86400; Keep Alive - remote LAN IP

Is there a difference between SHA1 and MD5, or an advantage to using Blowfish for encryption?

On Sat, Jul 17, 2010 at 12:20 PM, Jacob Ruppal wrote:
> On Sat, Jul 17, 2010 at 10:55 AM, Paul Peziol wrote:
>> I do have a dynamic IP but have set the tunnels with DynDNS. Verified the
>> IP that's in the logs to make sure it matches the current IP.
>
> It's looking like it is not even getting past phase 1 negotiation with the
> other site. You might have done this already, but make sure that
> your negotiation modes (aggressive or main) match on both devices, and that
> the other settings like your DH key group, encryption algorithm, and hash
> algorithm match as well.
>
>> On Sat, Jul 17, 2010 at 9:43 AM, Jesse Vollmar wrote:
>>> On Sat, Jul 17, 2010 at 10:09 AM, Paul Peziol wrote:
>>>> Have a site-to-site tunnel between home and work. Had issues getting the
>>>> tunnels to work initially. Once they were up they were stable for a few
>>>> weeks. Rebooted the home router this morning and the tunnel does not come
>>>> back up. Went into IPSEC and re-saved the tunnels and still does not come
>>>> up. Get this error:
>>>>
>>>> ERROR: phase2 negotiation failed due to time up waiting for phase1
>>>>
>>>> Jul 17 09:01:11 racoon: *[]*: INFO: initiate new phase 1 negotiation: HOME WAN[500]<=>OFFICE WAN[500]
>>>> Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
>>>> Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
>>>> Jul 17 09:01:44 racoon: *[]*: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]->HOME WAN[0]
>>>> Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
>>>> Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up.
>>>>
>>>> Puzzled why it would work until a reboot. IPSEC status shows *No IPsec
>>>> security associations.* I tried to delete the tunnels under SPD, resave
>>>> the IPsec settings. The SPD gets recreated but still no tunnel and the
>>>> above messages.
>>>
>>> You say between home and work. Is it possible that you have a dynamic IP
>>> at home and a reboot of your modem pulled down a new IP address? This could
>>> potentially have disrupted the IPSec tunnel.
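A small triage script over racoon's IKE log lines, added here as an example; it is not part of the thread, of pfSense, or of racoon. It reads the lines Paul posted above (the redacted-address markers dropped, his "HOME WAN"/"OFFICE WAN" placeholders kept) and reports at which IKE stage the negotiation stalled, which is the distinction Jacob's reply draws: no usable answer before phase 1 completes, as opposed to a peer that answers and rejects the proposal. The second log sample is constructed for contrast (responder side, RFC 5737 documentation addresses, all hypothetical); the message strings matched are racoon's own wording.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample 1: the lines posted in the thread above. The "*[]*" redaction
# markers are dropped; "HOME WAN" / "OFFICE WAN" are the poster's own
# placeholders for the two endpoint addresses.
THREAD_LOG = """\
Jul 17 09:01:11 racoon: INFO: initiate new phase 1 negotiation: HOME WAN[500]<=>OFFICE WAN[500]
Jul 17 09:01:11 racoon: INFO: begin Aggressive mode.
Jul 17 09:01:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 17 09:01:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP OFFICE WAN[0]->HOME WAN[0]
Jul 17 09:01:44 racoon: INFO: delete phase 2 handler.
Jul 17 09:02:01 racoon: ERROR: phase1 negotiation failed due to time up.
"""

# Sample 2: constructed, not from the thread. A responder that does hear
# from the peer but rejects its phase 1 proposal (hypothetical addresses).
PROPOSAL_LOG = """\
Jul 17 09:10:02 racoon: INFO: respond new phase 1 negotiation: 198.51.100.20[500]<=>192.0.2.10[500]
Jul 17 09:10:02 racoon: INFO: begin Identity Protection mode.
Jul 17 09:10:02 racoon: ERROR: no suitable proposal found.
Jul 17 09:10:02 racoon: ERROR: failed to get valid proposal.
"""

PAT_START = re.compile(r"(initiate|respond) new phase 1 negotiation: (.+?)\[\d+\]<=>(.+?)\[\d+\]")
PAT_MODE = re.compile(r"begin (Aggressive|Identity Protection) mode")

HINTS = {
    "phase1_timeout": (
        "Phase 1 started but timed out with no rejection logged: the peer did not "
        "answer usefully. Check reachability on UDP/500 (and UDP/4500 with NAT-T), "
        "that both sides use the same mode (Aggressive vs Main), the same identifier "
        "type, and matching encryption, hash and DH group."),
    "phase1_proposal_mismatch": (
        "The peer was heard but no phase 1 proposal was acceptable: compare "
        "encryption, hash, DH group and lifetime on both sides."),
    "phase1_psk_missing": "No pre-shared key is configured for this peer identifier.",
    "phase2_failed": "Phase 1 is up; the problem is in the phase 2 (IPsec-SA) proposal or selectors.",
    "established": "Both ISAKMP-SA and IPsec-SA were established.",
}


@dataclass
class Triage:
    role: Optional[str] = None        # "initiate" or "respond"
    local: Optional[str] = None
    peer: Optional[str] = None
    mode: Optional[str] = None        # "Aggressive" or "Identity Protection" (main)
    phase1_established: bool = False
    phase2_established: bool = False
    verdict: str = "no_negotiation_seen"
    hints: List[str] = field(default_factory=list)


def triage(log: str) -> Triage:
    """Classify a racoon log excerpt by the IKE stage at which it stopped."""
    t = Triage()
    proposal_error = psk_error = p1_timeout = False
    for line in log.splitlines():
        if (m := PAT_START.search(line)):
            t.role, t.local, t.peer = m.group(1), m.group(2), m.group(3)
        elif (m := PAT_MODE.search(line)):
            t.mode = m.group(1)
        elif "ISAKMP-SA established" in line:
            t.phase1_established = True
        elif "IPsec-SA established" in line:
            t.phase2_established = True
        elif "no suitable proposal found" in line or "failed to get valid proposal" in line:
            proposal_error = True
        elif "couldn't find the pskey" in line:
            psk_error = True
        elif "phase1 negotiation failed due to time up" in line:
            p1_timeout = True

    # Order matters: a later stage being reached overrides earlier noise,
    # and an explicit rejection is more informative than a bare timeout.
    if t.phase2_established:
        t.verdict = "established"
    elif t.phase1_established:
        t.verdict = "phase2_failed"
    elif psk_error:
        t.verdict = "phase1_psk_missing"
    elif proposal_error:
        t.verdict = "phase1_proposal_mismatch"
    elif p1_timeout:
        t.verdict = "phase1_timeout"
    elif t.role:
        t.verdict = "phase1_in_progress"
    if t.verdict in HINTS:
        t.hints.append(HINTS[t.verdict])
    return t


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", PROPOSAL_LOG)):
        r = triage(log)
        print(f"{name}: {r.role} {r.local} <=> {r.peer}, mode={r.mode}, verdict={r.verdict}")
        for h in r.hints:
            print("  ", h)
```

Run it against a longer excerpt of the IPsec log in the GUI rather than a single negotiation; the "queued due to no phase1 found" and "delete phase 2 handler" lines are consequences of phase 1 not completing and carry no extra signal, which is why the classifier ignores them.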
[pfSense Support] NAT over VPN
Hi there,

I have to configure IPSec to a customer's site using pfSense 1.2.3. Normally not a big problem, but this is the first time I need to do NAT over VPN; i.e. the customer gives us only one IP address for the gateway, the rest has to be NATted behind this.

As I searched through the list, I found that this is not possible with pfSense. (still true?) Has anybody experiences with that? Which devices (not too expensive) can do that? I do not want to give up my pfSense setup, so I only want to have an additional router for this VPN.

Thanks in advance
Matthias
Re: [pfSense Support] Bandwidth usage since start of month?
On 19-7-2010 8:42, David Burgess wrote:
> On Mon, Jul 19, 2010 at 12:34 AM, Seth Mos wrote:
> Except the monthly graph shows a gap from the previous week when looking at
> the current month. Screenshot in the forum:
> http://forum.pfsense.org/index.php/topic,26789.0.html

No screenshot, but that should not be related to the graphing.

> May have something to do with me updating the firmware right at the end of
> the gap.

Unsure; what I do see is that my week graph is not working either way. That needs to be fixed regardless.

Regards,
Seth