Jim,

I implemented all the recommendations: 1st upgraded to pfSense 2.1; 2nd
activated the “DMZ” feature on the ISP router, exposing the pfSense WAN
interface (which has a LAN IP address on the ISP router and is now in the
“DMZ” of the router) to the internet, but the problem persists. The tunnel
(phase 1) is established between a private IP address (WAN interface of
pfSense) and a public IP address (the IP assigned to the Android 3G device).

Any ideas?

Thanks again!

CV

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Jim Spaloss
Sent: 5 January 2014 18:55
To: pfSense support and discussion
Subject: Re: [pfSense] IPSec problem with mobile IOS and Android

Carlos,

You may want to try enabling the "DMZ" option (if it's available) on the
ISP's router and directing all traffic to the WAN address of the pfSense
box.
I've run into the same issue with Comcast business class routers. They're
very light on features and I've seen some firmware versions that attempt to
implement basic VPN functionality which seems to override NAT settings. The
DMZ option seems to work better.
Of course, getting a static IP would make your life easier, assuming that it
is available...

On Jan 5, 2014 1:08 PM, "Carlos Vicente" <cjpvice...@gmail.com> wrote:

Jim, thanks for your rapid answer.

The ISP router is a basic one for a cable link. You are right, I’m
attempting to terminate IPSEC on the pfSense box, so I configured the ISP
router with the following available options:

- “Services -> Firewall -> Port Forwarding -> Local Host: my pfSense WAN IP
  -> Protocol Name: IPSec - Internet Protocol Security (Ports UDP 500, ESP,
  AH) predefined as a service -> Forward to Port: same as incoming port”.

From the doc you referred to (the one I followed), I had to change the
Phase 1 option “NAT Traversal” to “Disabled”; only then could I
establish the Phase 1 tunnel from the Android tablet (using a 3G connection)
with a direct public IP endpoint. I can’t establish any connection if the
same mobile device is using a Wi-Fi/wireless connection (even when changing
“NAT Traversal” to “Force”).

I hope this additional info clarifies my scenario for you, so that you can
suggest a solution. I can post some logs here if you want.

Thank you for your help.

CV

From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org]
On Behalf Of Jim Thompson
Sent: 5 January 2014 02:25
To: pfSense support and discussion
Subject: Re: [pfSense] IPSec problem with mobile IOS and Android

you lost me at “port forwarding”.

Making NAT work for IPSEC (passthrough) can be … quite challenging.

Hopefully you’re attempting to terminate IPSEC on the pfSense box, and the
ISP router is configured to:

- IP Protocol ID 50: For both inbound and outbound filters. Should be set to
  allow Encapsulating Security Protocol (ESP) traffic to be forwarded.

- IP Protocol ID 51: For both inbound and outbound filters. Should be set to
  allow Authentication Header (AH) traffic to be forwarded.

- UDP Port 500: For both inbound and outbound filters. Should be set to allow
  ISAKMP traffic to be forwarded.

Note that ‘forwarding’ here is packet forwarding, not port forwarding. If
so, I’ve simply misunderstood you. If not, you’re not going to make it work
without a >TON< of work on NAT-traversal.

You say you looked at: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
(I think). Commercial support is available if you need it.

Jim

On Jan 4, 2014, at 5:03 PM, Carlos Vicente <cjpvice...@gmail.com> wrote:

Hi all,

I have a problem with an IPSec VPN from mobile clients (IOS and Android). I
can establish the tunnel but can’t ping, RDP or SSH to the pfSense or any
client behind it (which is working with OpenVPN). I see the “passed” logs on
the firewall tab but can’t access the systems.

My pfSense WAN is on the same subnet as the LAN of the ISP router, which has
port forwarding of ESP, AH and IKE to the pfSense WAN network adapter. All
the rules are correct and they appear correctly in the logs.

My pfSense version is 2.0.3 upgraded from 1.2.3. I have tried all kinds of
configs from the doc “Mobile IPsec on 2.0”
<https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0>, but, as I said, I
can establish the connection but can’t access any device on the LAN subnet.

I have used this excellent appliance for many years, so I must have IPSec VPN
working on mobile clients the same way I have it working with OpenVPN.

I’m stuck here, so any help would be very much appreciated.

Thanks.

CV
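The forwarding checklist in Jim Thompson's reply (ESP as IP protocol 50, AH as IP protocol 51, ISAKMP on UDP 500) and the "NAT Traversal" setting Carlos toggled can be turned into a small checker for the topology described in the thread. The Python below is an added example written for this page; it is not code from the thread or from the pfSense project. It adds one fact the thread does not spell out: when IKE detects a NAT on either side, IKE and UDP-encapsulated ESP continue on UDP port 4500 (NAT-T, RFC 3947/3948), so a router that only passes UDP 500, ESP and AH cannot carry a NAT-traversed tunnel. The `Topology` class, its field names, the `required_flows`/`findings` helpers and the sample policies are constructed for this example.

```python
"""Check whether a NAT router's forwarding policy can carry an IPsec tunnel
terminated on a pfSense box behind it.

Added example for this thread, not pfSense or mailing-list code. Flows are
("udp", port) or ("ip", protocol_number); ESP and AH have no port field, so
a port-forward entry can only match them by protocol number.
"""
from dataclasses import dataclass, field

Flow = tuple[str, int]

ISAKMP: Flow = ("udp", 500)   # IKE phase 1 (from the thread's checklist)
NAT_T: Flow = ("udp", 4500)   # NAT-Traversal, RFC 3947/3948 (fact added here)
ESP: Flow = ("ip", 50)        # Encapsulating Security Payload
AH: Flow = ("ip", 51)         # Authentication Header


@dataclass
class Topology:
    """Constructed model of one tunnel: where the NATs are and what the
    ISP router forwards to the pfSense WAN address."""
    responder_behind_nat: bool            # pfSense WAN holds a private address
    initiator_behind_nat: bool            # mobile client on Wi-Fi behind a NAT
    nat_traversal: str = "auto"           # pfSense Phase 1: auto | force | disabled
    forwarded: set[Flow] = field(default_factory=set)
    uses_ah: bool = False


def describe(flow: Flow) -> str:
    kind, num = flow
    return f"UDP port {num}" if kind == "udp" else f"IP protocol {num}"


def required_flows(t: Topology) -> dict[Flow, str]:
    """Flows the router must pass for this topology, each with its reason."""
    req = {ISAKMP: "IKE phase 1 always starts on UDP 500"}
    nat_in_path = t.responder_behind_nat or t.initiator_behind_nat
    if t.nat_traversal == "force" or (nat_in_path and t.nat_traversal != "disabled"):
        # IKE NAT-D payloads detect the NAT; IKE and UDP-encapsulated ESP then
        # continue on UDP 4500, which a NAT can track like any other UDP flow.
        req[NAT_T] = "NAT-T in use: IKE and ESP move to UDP 4500"
    else:
        # No NAT-T: the data plane is raw ESP, which has no ports to translate.
        req[ESP] = "data plane is raw ESP (IP protocol 50)"
    if t.uses_ah:
        req[AH] = "AH is IP protocol 51"
    return req


def findings(t: Topology) -> list[str]:
    """Problems a practitioner would want flagged for this combination."""
    out: list[str] = []
    nat_in_path = t.responder_behind_nat or t.initiator_behind_nat
    if nat_in_path and t.nat_traversal == "disabled":
        out.append("NAT-T disabled with a NAT on the path: every NAT device must "
                   "forward raw ESP, which consumer routers do unreliably")
    if t.uses_ah and nat_in_path:
        out.append("AH authenticates the IP header, so a NAT's address rewrite "
                   "breaks it; AH cannot traverse NAT")
    for flow, why in required_flows(t).items():
        if flow not in t.forwarded:
            out.append(f"router does not forward {describe(flow)}: {why}")
    return out


# Constructed policies mirroring the thread: the ISP router port-forwards the
# predefined "IPSec" service (UDP 500, ESP, AH) to the private pfSense WAN.
ROUTER_POLICY: set[Flow] = {ISAKMP, ESP, AH}

ANDROID_3G = Topology(responder_behind_nat=True, initiator_behind_nat=False,
                      nat_traversal="disabled", forwarded=ROUTER_POLICY)
ANDROID_WIFI = Topology(responder_behind_nat=True, initiator_behind_nat=True,
                        nat_traversal="force", forwarded=ROUTER_POLICY)
FIXED = Topology(responder_behind_nat=True, initiator_behind_nat=True,
                 nat_traversal="auto", forwarded=ROUTER_POLICY | {NAT_T})

if __name__ == "__main__":
    for name, topo in (("3G, NAT-T disabled", ANDROID_3G),
                       ("Wi-Fi, NAT-T forced", ANDROID_WIFI),
                       ("Wi-Fi, NAT-T auto + UDP 4500 forwarded", FIXED)):
        print(f"== {name}")
        for line in findings(topo) or ["no gaps found"]:
            print("  -", line)
```

Run as a script, the first two scenarios reproduce the thread's two outcomes: with NAT-T disabled and the client on a public 3G address, only UDP 500 and raw ESP are needed and the router's predefined "IPSec" forward covers them; with the client behind a Wi-Fi NAT, NAT-T is in use and the missing UDP 4500 forward is reported. The third scenario shows the policy that closes that gap.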

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list