Carlos,

You may want to try enabling the "DMZ" option (if it's available) on the
ISP's router and directing all traffic to the WAN address of the pfSense
box.
I've run into the same issue with Comcast business class routers. They're
very light on features and I've seen some firmware versions that attempt to
implement basic VPN functionality which seems to override NAT settings. The
DMZ option seems to work better.
Of course, getting a static IP would make your life easier, assuming that
it is available...
On Jan 5, 2014 1:08 PM, "Carlos Vicente" <[email protected]> wrote:

> Jim, thanks for your rapid answer.
>
> The ISP router is a basic one for a cable link. You are right, I’m attempting
> to terminate IPSEC on the pfSense box so I configured the ISP router with
> the following available options:
>
> - “Services -> Firewall -> Port Forwarding -> Local Host: my pfSense WAN IP
> -> Protocol Name: IPSec - Internet Protocol Security (Ports UDP 500, ESP, AH)
> *predefined as a service* -> Forward to Port: same as incoming port”.
>
> From the doc you referred to (the one I followed), I had to make a change
> in the Phase 1 option “NAT Traversal” to “Disabled”; only then could I
> establish the Phase 1 tunnel from the Android tablet (using a 3G connection)
> with a direct public IP endpoint. I can't establish any connection if the
> same mobile device is using a Wi-Fi/wireless connection (even changing
> “NAT Traversal” to “Force”).
>
> I hope this additional info clarifies my scenario, so that you can suggest
> a solution. I can post some logs here if you want.
>
> Thank you for your help.
>
> CV
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Jim Thompson
> *Sent:* 5 January 2014 02:25
> *To:* pfSense support and discussion
> *Subject:* Re: [pfSense] IPSec problem with mobile IOS and Android
>
> you lost me at “port forwarding”.
>
> Making NAT work for IPSEC (passthrough) can be … quite challenging.
>
> Hopefully you’re attempting to terminate IPSEC on the pfSense box, and the
> ISP router is configured to:
>
> - IP Protocol ID 50: For both inbound and outbound filters. Should be set
> to allow Encapsulating Security Protocol (ESP) traffic to be forwarded.
> - IP Protocol ID 51: For both inbound and outbound filters. Should be set
> to allow Authentication Header (AH) traffic to be forwarded.
> - UDP Port 500: For both inbound and outbound filters. Should be set to
> allow ISAKMP traffic to be forwarded.
>
> Note that ‘forwarding’ here is packet forwarding, not port forwarding.
> If so, I’ve simply misunderstood you. If not, you’re not going to make it
> work without a >TON< of work on NAT-traversal.
>
> You say you looked at:
> https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I think).
> Commercial support is available if you need it.
>
> Jim
>
> On Jan 4, 2014, at 5:03 PM, Carlos Vicente <[email protected]> wrote:
>
> Hi all,
>
> I have a problem with an IPSec VPN from mobile clients (IOS and Android).
> I can establish the tunnel but can’t ping, RDP or SSH the pfSense or any
> client behind it (which is working with OpenVPN). I see the “passed” logs
> on the firewall tab but can’t access the systems.
>
> My pfSense WAN is on the same subnet as the LAN of the ISP router, which
> has port forwarding of ESP, AH and IKE to the pfSense WAN network adapter.
> All the rules are correct and they appear correctly in the logs.
>
> My pfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kinds of
> configs from the doc “Mobile IPsec on
> 2.0<https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0>”,
> but, as I said, I can establish the connection but can't access any device on
> the LAN subnet.
>
> I have used this excellent appliance for many years, so I must have IPSec VPN
> working on mobile clients the same way I have them working with OpenVPN.
>
> I’m stuck here, so any help would be very appreciated.
>
> Thanks.
>
> CV
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
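As an added illustration (not code from the thread or from the pfSense project), the following Python checker models the ISP-router prerequisites Jim lists, IP protocol 50 (ESP), IP protocol 51 (AH) and UDP 500 (ISAKMP), against a constructed forwarding-rule table, and contrasts the per-service port-forward configuration Carlos describes with the DMZ-host suggestion. It also adds one check the thread does not spell out: when the mobile client is itself behind a NAT (the Wi-Fi case), IKE NAT Traversal moves the exchange and the UDP-encapsulated ESP to UDP 4500, so that port must reach the pfSense WAN as well. The rule model, the `ForwardRule` type, the address `192.168.0.2` and the function names are assumptions made for this example and do not correspond to any real router's syntax.

```python
# Added example, not part of the mailing-list thread: a checker for the
# ISP-router prerequisites of terminating IPsec on a pfSense box behind it.
# The rule model and addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Sequence

PFSENSE_WAN = "192.168.0.2"   # constructed: pfSense WAN address on the ISP router's LAN


@dataclass(frozen=True)
class ForwardRule:
    """One inbound forwarding entry on the ISP router (constructed model)."""
    proto: str                  # "esp", "ah", "udp", "tcp" or "any"
    dst: str                    # inside address the router forwards to
    port: Optional[int] = None  # only meaningful for udp/tcp
    dmz: bool = False           # DMZ host entry: every unsolicited inbound packet goes to dst


# (proto, port, message) per prerequisite; port None means the whole IP protocol.
REQUIRED_ALWAYS = (
    ("esp", None, "IP protocol 50 (ESP) is not forwarded"),
    ("ah", None, "IP protocol 51 (AH) is not forwarded"),
    ("udp", 500, "UDP 500 (ISAKMP/IKE) is not forwarded"),
)
# Only needed when the client sits behind its own NAT (IKE NAT-T).
REQUIRED_BEHIND_NAT = (
    ("udp", 4500, "UDP 4500 (IKE NAT-T, UDP-encapsulated ESP) is not forwarded"),
)


def _rule_covers(rule: ForwardRule, proto: str, port: Optional[int], target: str) -> bool:
    """True if this rule delivers the given protocol/port to target."""
    if rule.dst != target:
        return False
    if rule.dmz:                      # a DMZ host receives all inbound traffic
        return True
    if rule.proto != proto:
        return False
    return port is None or rule.port == port


def missing_ipsec_forwards(rules: Sequence[ForwardRule], target: str = PFSENSE_WAN,
                           client_behind_nat: bool = False) -> List[str]:
    """Return the unmet prerequisites for terminating IPsec on `target`.

    An empty list means every required protocol/port reaches the pfSense WAN.
    Use client_behind_nat=True for the Wi-Fi case in the thread, where the
    client's own NAT makes IKE switch to UDP 4500.
    """
    checks = list(REQUIRED_ALWAYS)
    if client_behind_nat:
        checks.extend(REQUIRED_BEHIND_NAT)
    return [msg for proto, port, msg in checks
            if not any(_rule_covers(r, proto, port, target) for r in rules)]


# Constructed rule sets mirroring the two configurations discussed in the thread.
PORT_FORWARD_RULES = [            # the predefined "IPSec" service: UDP 500, ESP, AH
    ForwardRule("udp", PFSENSE_WAN, 500),
    ForwardRule("esp", PFSENSE_WAN),
    ForwardRule("ah", PFSENSE_WAN),
]
DMZ_RULES = [ForwardRule("any", PFSENSE_WAN, dmz=True)]   # the DMZ-host suggestion


if __name__ == "__main__":
    for name, rules in (("port-forward", PORT_FORWARD_RULES), ("dmz", DMZ_RULES)):
        for behind_nat in (False, True):
            problems = missing_ipsec_forwards(rules, client_behind_nat=behind_nat)
            print(f"{name:12s} client_behind_nat={behind_nat!s:5s} -> {problems or 'OK'}")
```

Run stand-alone, the script reports the port-forward rule set as complete for a client with a direct public IP but flags UDP 4500 for a client behind NAT, while the DMZ rule set passes both cases; that is the distinction worth confirming on the ISP router before spending time on the pfSense side.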