On WAN we have 195.22x.234.90 with GW 195.22x.234.89 / 29 mask. On DMZ we have 195.22x.234.97 /97 (where 22x is the same as our WAN). There is nothing NATted nor bridged or else, it's all routed. On LAN we have 10.0.0.0/16 (NATted) and another VPN interface owns the 172.16.100.0/24.

On our WAN there runs the racoon service. We want another IPSec service in the DMZ. Outbound NAT could be an option, I'll have a look at this... But this setup could be possible or are there any objections?

Regards,
martin

From: Trevor Benson [mailto:[email protected]]
Sent: Wednesday, 26 May 2010 17:52
To: [email protected]
Subject: Re: [pfSense Support] IPSec from WAN to DMZ (with racoon on WAN)

Your configuration seems a bit strange. First, is your DMZ on the SAME WAN network or is it another block of 195.x.x.x/29? Faking your numbers instead of letter replacements might make it easier to understand (i.e. are they both 195.1.2.0/29 or is another 195.2.3.0/29?). Are you bridging your DMZ interface to the WAN interface, or are you using port forwarding? If you are using port forwarding you're not really 195.x.x.x/29, you have internal addresses and are using NAT in some fashion to pass the traffic. If you are using an internal DMZ network with NAT, then NAT-T is what you're having problems with; I believe they removed the NAT-T support in RC2 or RC3 because of problems.

pfSense makes custom rules for IPSec 500/4500 when enabled. You might have to change automatic outbound NAT to manual or Advanced Outbound NAT, where you customize your rules. This way you can ensure the IPSec 500/4500 ports configured in the rules are not conflicting with your setup, although again answering the above questions will help with tracking down what you are actually doing.

--
Trevor Benson
dCAP, LPIC-1, CLA, Network+, MCP, CNA
A1 Networks - Network Engineer
DID (707)703-1041
FAX (707)703-1983

On May 20, 2010, at 11:31 AM, Fuchs, Martin wrote:

Hi!

I've got a question! We have the following setup:

    WAN 195.x.x.x/29 --- WAN pfSense - LAN 10.x.x.x/16
                              |
                        DMZ 195.x.x.x/29

On pfSense WAN there is racoon enabled for IPSec termination of our teleworkers. In our DMZ we have another IPSec endpoint that shall terminate some connections of some remote systems for management purposes.

Now it seems as if, when the remote endpoint connects to some IP in the DMZ network (also official, external IPs), the remote endpoint gets its IPSec answers from our pfSense WAN, not the DMZ IP. Any ideas why this might be so, or is it impossible to set it up this way? Is GRE filtered out by pfSense on the WAN side if there is IPSec enabled? With disabled IPSec on pfSense WAN it works with the connection to the DMZ IPSec endpoint...

Looking forward to answers,

Regards,
martin
