Your configuration seems a bit strange. First, is your DMZ on the SAME WAN network, or is it another block of 195.x.x.x/29? Faking your numbers instead of letter replacements might make it easier to understand (i.e. are they both 195.1.2.0/29, or is the other 195.2.3.0/29?).

Are you bridging your DMZ interface to the WAN interface, or are you using port forwarding? If you're using port forwarding, you're not really 195.x.x.x/29; you have internal addresses and are using NAT in some fashion to pass the traffic. If you are using an internal DMZ network with NAT, then NAT-T is what you're having problems with. I believe they removed the NAT-T support in RC2 or RC3 because of problems. pfSense makes custom rules for IPSec 500/4500 when enabled; you might have to change automatic outbound NAT to manual or Advanced Outbound NAT, where you customize your rules. This way you can ensure the IPSec 500/4500 ports configured in the rules are not conflicting with your setup, although again, answering the above questions will help with tracking down what you are actually doing.

--
Trevor Benson dCAP, LPIC-1, CLA, Network+, MCP, CNA
A1 Networks - Network Engineer
DID (707)703-1041
FAX (707)703-1983

On May 20, 2010, at 11:31 AM, Fuchs, Martin wrote:

> Hi !
> I've got a question !
>
> We have the following setup:
>
> WAN 195.x.x.x/29 --- WAN pfSense - LAN 10.x.x.x/16
>                            |
>                     DMZ 195.x.x.x/29
>
> On pfSense WAN there is racoon enabled for IPSec termination of our
> teleworkers.
>
> In our DMZ we have another IPSec endpoint, that shall terminate some
> connections of some remote systems for management purposes.
>
> Now it seems as if, when the remote endpoint connects to some IP in the DMZ network
> (also official, external IPs), the remote endpoint gets its
> IPSec answers from our pfSense WAN, not the DMZ IP.
>
> Any ideas why this might be so, or is it impossible to set it up this way?
> Is GRE filtered out by pfSense on the WAN side if there is IPSec enabled?
>
> With IPSec disabled on the pfSense WAN it works with the connection to the DMZ
> IPSec endpoint...
>
> Looking forward to answers,
>
> Regards,
>
> martin
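Added example, not from this thread or from pfSense: a simplified first-match outbound-NAT model that shows why IKE (UDP 500) and NAT-T (UDP 4500) traffic from a DMZ host can reach the peer sourced from the firewall's WAN address when automatic outbound NAT masquerades every inside interface, and how a manual (Advanced Outbound NAT) rule set with an explicit no-NAT entry for the public DMZ block avoids that. All addresses, the rule format and the matching logic are constructed assumptions, not pfSense's actual rule language.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Set, List, Dict

@dataclass
class NatRule:
    src: str                    # source network the rule matches
    dst_ports: Set[int]         # destination ports matched (empty = any port)
    translate_to: Optional[str] # None = "no NAT": keep the original source

def apply_outbound_nat(rules: List[NatRule], src_ip: str, dst_port: int) -> str:
    """Return the source address the remote peer will see (first match wins)."""
    for r in rules:
        in_net = ip_address(src_ip) in ip_network(r.src)
        port_ok = not r.dst_ports or dst_port in r.dst_ports
        if in_net and port_ok:
            return src_ip if r.translate_to is None else r.translate_to
    return src_ip  # no rule matched: packet leaves untranslated

# Constructed addresses, modelled on the thread's layout (WAN /29, LAN /16, DMZ /29).
WAN_IP = "195.1.2.2"
LAN_NET = "10.0.0.0/16"
DMZ_NET = "195.2.3.0/29"
DMZ_IPSEC_HOST = "195.2.3.4"

# Automatic outbound NAT (model): every inside network, the public DMZ block
# included, is translated to the WAN address, so the DMZ endpoint's IKE and
# NAT-T packets arrive at the peer sourced from the pfSense WAN IP.
AUTO_RULES = [
    NatRule(LAN_NET, set(), WAN_IP),
    NatRule(DMZ_NET, set(), WAN_IP),
]

# Manual rules (model): an explicit no-NAT rule for the public DMZ block is
# placed first so its traffic keeps its real source; LAN is still masqueraded.
MANUAL_RULES = [
    NatRule(DMZ_NET, set(), None),
    NatRule(LAN_NET, set(), WAN_IP),
]

def peer_sees(rules: List[NatRule], ports=(500, 4500)) -> Dict[int, str]:
    """Source address the remote IPsec peer sees for each IKE/NAT-T port."""
    return {p: apply_outbound_nat(rules, DMZ_IPSEC_HOST, p) for p in ports}

if __name__ == "__main__":
    print("automatic NAT:", peer_sees(AUTO_RULES))
    print("manual NAT:   ", peer_sees(MANUAL_RULES))
```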
