Jim, thanks for your suggestion. I will try it asap and I will give you feedback.

It's important to inform everyone interested that the Apple app "OpenVPN Connect", since it was upgraded to version 1.0.3 (on 24/12/2013), is compatible from iOS 6.1 onwards (it was working with iPad 1, ver. iOS 5.1.x, till this update, that's why I have to make IPSec VPN work).

CV

On Sun, Jan 5, 2014 at 6:55 PM, Jim Spaloss <[email protected]> wrote:

> Carlos,
>
> You may want to try enabling the "DMZ" option (if it's available) on the
> ISP's router and directing all traffic to the WAN address of the pfSense
> box.
> I've run into the same issue with Comcast business class routers. They're
> very light on features and I've seen some firmware versions that attempt to
> implement basic VPN functionality which seems to override NAT settings. The
> DMZ option seems to work better.
> Of course, getting a static IP would make your life easier, assuming that
> it is available...
>
> On Jan 5, 2014 1:08 PM, "Carlos Vicente" <[email protected]> wrote:
>
>> Jim, thanks for your rapid answer.
>>
>> The ISP router is a basic one for a cable link. You are right, I’m attempting
>> to terminate IPSEC on the pfSense box so I configured the ISP router
>> with the following available options:
>>
>> - “Services -> Firewall -> Port Forwarding -> Local Host: my
>> pfSense WAN IP -> Protocol Name: IPSec - Internet Protocol Security (Ports
>> UDP 500, ESP, AH) *predefined as a service* -> Forward to Port: same as
>> incoming port“.
>>
>> From the doc you referred to (the one I followed), I had to make a change
>> in the Phase 1 option “NAT Traversal” to “Disabled”, only then I could
>> establish the Phase 1 Tunnel from the Android tablet (using 3G connection)
>> with a direct public IP endpoint. I can't establish any connection if the
>> same mobile device is using a Wi-Fi/wireless connection (even changing the
>> “NAT Traversal” to “Force”).
>>
>> I hope this additional info clarifies my scenario for you, so that you
>> can suggest a solution. I can post some logs here if you want.
>>
>> Thank you for your help.
>>
>> CV
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Jim Thompson
>> *Sent:* January 5, 2014 02:25
>> *To:* pfSense support and discussion
>> *Subject:* Re: [pfSense] IPSec problem with mobile IOS and Android
>>
>> you lost me at “port forwarding”.
>>
>> Making NAT work for IPSEC (passthrough) can be … quite challenging.
>>
>> Hopefully you’re attempting to terminate IPSEC on the pfSense box, and
>> the ISP router is configured to:
>>
>> · IP Protocol ID 50: For both inbound and outbound filters.
>> Should be set to allow Encapsulating Security Protocol (ESP) traffic to be
>> forwarded.
>>
>> · IP Protocol ID 51: For both inbound and outbound filters.
>> Should be set to allow Authentication Header (AH) traffic to be forwarded.
>>
>> · UDP Port 500: For both inbound and outbound filters. Should
>> be set to allow ISAKMP traffic to be forwarded.
>>
>> Note that ‘forwarding’ here is packet forwarding, not port forwarding.
>> If so, I’ve simply misunderstood you. If not, you’re not going to make it
>> work without a >TON< of work on NAT-traversal.
>>
>> You say you looked at:
>> https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 (I think).
>> Commercial support is available if you need it.
>>
>> Jim
>>
>> On Jan 4, 2014, at 5:03 PM, Carlos Vicente <[email protected]> wrote:
>>
>> Hi all,
>>
>> I have a problem with an IPSec VPN from mobile clients (iOS and Android).
>> I can establish the tunnel but can’t ping, RDP or SSH the pfSense or any
>> client behind it (which is working with OpenVPN). I see the “passed” logs
>> on the firewall tab but can’t access the systems.
>>
>> My pfSense WAN is on the same subnet as the LAN of the ISP router, which
>> has port forwarding of ESP, AH and IKE to the pfSense WAN network adapter.
>> All the rules are correct and they appear correctly in the logs.
>>
>> My pfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kinds of
>> configs from the doc “Mobile IPsec on
>> 2.0<https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0>”,
>> but, as I said, I can establish the connection but can't access any device
>> on the LAN subnet.
>>
>> I have used this excellent appliance for many years, so I must have IPSec VPN
>> working on mobile clients the same way I have them working with OpenVPN.
>>
>> I’m stuck here, so any help would be much appreciated.
>>
>> Thanks.
>>
>> CV
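Added example, not part of the thread or of pfSense: a small Python classifier for the traffic classes the messages above discuss (IKE on UDP 500, ESP as IP protocol 50, AH as IP protocol 51), plus the UDP 4500 encapsulation that NAT Traversal uses per RFC 3948, which the thread does not name. The function names, labels and sample packets are constructed for illustration.

```python
import socket
import struct
from collections import Counter

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500  # 4500 is the RFC 3948 NAT-T port (not named in the thread)
NEEDS = {"ike": "UDP 500", "natt-ike": "UDP 4500", "natt-esp": "UDP 4500",
         "natt-keepalive": "UDP 4500", "esp-native": "IP protocol 50 (ESP)",
         "ah-native": "IP protocol 51 (AH)"}

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPsec traffic class it carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == PROTO_ESP:
        return "esp-native"        # no ports: a port-forward rule cannot match it
    if proto == PROTO_AH:
        return "ah-native"
    if proto != PROTO_UDP or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    payload = pkt[ihl + 8:]
    if NATT_PORT in (sport, dport):
        if payload == b"\xff":
            return "natt-keepalive"
        # Four zero bytes (the non-ESP marker) mean IKE; anything else is an ESP SPI.
        return "natt-ike" if payload[:4] == b"\x00" * 4 else "natt-esp"
    return "ike" if IKE_PORT in (sport, dport) else "other"

def upstream_requirements(packets):
    """Return (counts per class, what the router in front of the endpoint must pass)."""
    seen = Counter(classify(p) for p in packets)
    return seen, sorted({NEEDS[k] for k in seen if k in NEEDS})

# Constructed sample packets (documentation addresses, zero checksums).
def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def build_udp(sport, dport, data):
    return build_ipv4(PROTO_UDP, struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data)

NAT_T_OFF = [build_udp(500, 500, b"\x11" * 28),
             build_ipv4(PROTO_ESP, b"\xc1\x02\x03\x04" + b"\x00" * 16)]
NAT_T_ON = [build_udp(500, 500, b"\x11" * 28), build_udp(40001, 4500, b"\x00" * 4 + b"\x11" * 28),
            build_udp(40001, 4500, b"\xc1\x02\x03\x04" + b"\x00" * 16), build_udp(40001, 4500, b"\xff")]
```

Run over packets captured on the endpoint's WAN side, `upstream_requirements` lists what the upstream router has to pass; native ESP or AH in that list is traffic a port-based forwarding rule cannot match.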
