Jim, just one additional info: since I don't have a public static IP, my ISP router is using the Dyndns.org (paid) service for name resolution.

Thanks again.

CV

From: Carlos Vicente [mailto:cjpvice...@gmail.com]
Sent: 5 January 2014 18:08
To: 'pfSense support and discussion'
Subject: RE: [pfSense] IPSec problem with mobile IOS and Android

Jim, thanks for your rapid answer.

The ISP router is a basic one for a cable link. You are right, I'm attempting to terminate IPSEC on the pfSense box, so I configured the ISP router with the following available options:

- Services -> Firewall -> Port Forwarding -> Local Host: my pfSense WAN IP -> Protocol Name: IPSec - Internet Protocol Security (Ports UDP 500, ESP, AH), predefined as a service -> Forward to Port: same as incoming port.

From the doc you referred to (the one I followed), I had to change the Phase 1 option NAT Traversal to Disabled; only then could I establish the Phase 1 tunnel from the Android tablet (using a 3G connection) with a direct public IP endpoint. I can't establish any connection if the same mobile device is using a Wi-Fi/wireless connection (even changing NAT Traversal to Force).

I hope this additional info clarifies my scenario for you, so that you can suggest a solution. I can post some logs here if you want.

Thank you for your help.

CV

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jim Thompson
Sent: 5 January 2014 02:25
To: pfSense support and discussion
Subject: Re: [pfSense] IPSec problem with mobile IOS and Android

You lost me at port forwarding. Making NAT work for IPSEC (passthrough) can be quite challenging.

Hopefully you're attempting to terminate IPSEC on the pfSense box, and the ISP router is configured to:

- IP Protocol ID 50: For both inbound and outbound filters. Should be set to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
- IP Protocol ID 51: For both inbound and outbound filters. Should be set to allow Authentication Header (AH) traffic to be forwarded.
- UDP Port 500: For both inbound and outbound filters. Should be set to allow ISAKMP traffic to be forwarded.

Note that forwarding here is packet forwarding, not port forwarding.

If so, I've simply misunderstood you. If not, you're not going to make it work without a >TON< of work on NAT-traversal.

You say you looked at: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I think).

Commercial support is available if you need it.

Jim

On Jan 4, 2014, at 5:03 PM, Carlos Vicente <cjpvice...@gmail.com> wrote:

Hi all,

I have a problem with an IPSec VPN from mobile clients (iOS and Android). I can establish the tunnel but can't ping, RDP or SSH to the pfSense or any client behind it (which is working with OpenVPN). I see the passed logs on the firewall tab but can't access the systems.

My pfSense WAN is on the same subnet as the LAN of the ISP router, which has port forwarding of ESP, AH and IKE to the pfSense WAN network adapter. All the rules are correct and they appear correctly in the logs. My pfSense version is 2.0.3, upgraded from 1.2.3.

I have tried all kinds of configs from the doc Mobile IPsec on 2.0 <https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0>, but, as I said, I can establish the connection but can't access any device on the LAN subnet. I have used this excellent appliance for many years, so I must have the IPSec VPN working on mobile clients the same way I have it working with OpenVPN.

I'm stuck here, so any help would be very much appreciated.

Thanks.

CV

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
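Jim's point about packet forwarding of IP protocols 50/51 and UDP 500, and Carlos's observation that the tunnel comes up over 3G (direct public IP) but not over Wi-Fi, both hinge on whether a NAT sits between the mobile client and pfSense. The Python below is an added example, not code from this thread or from pfSense: it reproduces the IKEv2 NAT detection hash (RFC 7296 section 2.23, SHA-1 over SPIi, SPIr, IP address and port) and shows which transport the peers end up on; the SPIs, addresses and ports are constructed sample values, and the `force` flag models the "Force" NAT Traversal option Carlos mentions.

```python
import hashlib
import ipaddress
import struct

# Constructed sample IKE SPIs (8 bytes each); not taken from the thread.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Content of the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    notify payloads (RFC 7296 s2.23): SHA-1 over SPIi | SPIr | IP | port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_between_peers(spi_i, spi_r, claimed_ip, claimed_port,
                      observed_ip, observed_port) -> bool:
    """Responder-side check: the initiator hashed the address/port it believes
    it sends from; the responder hashes what the outer IP/UDP header actually
    shows. Any mismatch means a NAT rewrote the address or the port in transit."""
    claimed = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return claimed != observed


def choose_transport(nat_present: bool, force: bool = False) -> dict:
    """Transport after IKE_SA_INIT. With no NAT (and no forcing), IKE stays on
    UDP 500 and ESP travels as raw IP protocol 50. With a NAT, or when NAT-T is
    forced, IKE and ESP both float to UDP 4500 (UDP encapsulation, RFC 3948)."""
    if nat_present or force:
        return {"ike_port": 4500, "esp": "UDP/4500 (NAT-T encapsulated)"}
    return {"ike_port": 500, "esp": "IP protocol 50 (raw ESP)"}


def mobile_client_scenario(client_ip, client_port, seen_ip, seen_port,
                           force: bool = False) -> dict:
    """Run the detection the way the responder (here, pfSense) would see it."""
    nat = nat_between_peers(SPI_I, SPI_R, client_ip, client_port, seen_ip, seen_port)
    return {"nat_detected": nat, **choose_transport(nat, force)}


if __name__ == "__main__":
    # Constructed: tablet on 3G with a direct public IP; no NAT, raw ESP works.
    print(mobile_client_scenario("198.51.100.7", 500, "198.51.100.7", 500))
    # Constructed: same tablet on home Wi-Fi; pfSense sees the home router's
    # public address and a rewritten source port, so a NAT is detected.
    print(mobile_client_scenario("192.168.1.20", 500, "203.0.113.5", 50123))
```

Once a NAT is detected (the Wi-Fi case), IKE and ESP both move to UDP 4500, so a router that forwards only UDP 500, ESP and AH drops the tunnel's traffic at exactly that point. AH has no UDP-encapsulated form at all, since it authenticates the IP header that the NAT rewrites.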