Another solution to this:
I have a setup between 2 pfSense boxes where one is behind another NATting router.
The NATting router doesn't have any configuration for the pfSense behind it to
work. The pfSense behind the NAT tunnels in to the one directly connected to
the internet as a mobile client (see
http://pfsense.com/mirror.php?section=tutorials/mobile_ipsec/ ). The pfSense
behind the NAT has the LAN IP of the pfSense that is connected directly to the
internet as keep-alive IP. The end behind the NAT is even on a dynamic IP. Works
without issues and the tunnel is always up this way.

Holger

> -----Original Message-----
> From: Alvaro Pietrobono [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 13, 2006 3:21 PM
> To: [email protected]
> Subject: Re: [pfSense Support] IPSEC behind Firewall
> 
> 
> Of course..
> IPsec lan-to-lan
> Two players:
> 1) Cisco VPN Concentrator 3005 series with public IP XXX.XXX.XXX.XXX
> 2) pfSense on WRAP device natted behind another pfSense (the
> last with public IP YYY.YYY.YYY.YYY)
> 
> 1)Cisco side configuration
>     Public IP: XXX.XXX.XXX.XXX
>     Connection Type: Answered only
>     Peers: YYY.YYY.YYY.YYY
>     Digital Certificate: None(Use Preshared Keys)
>     Preshared Key: <any but same of other peer>
>     Authentication: ESP/MD5/HMAC-128
>     IKE Proposal: IKE-3DES-MD5 (DH2,Lifetime:86400)
>     IPSEC NAT-T checked
>     Local Network: <network lists>
>     Remote Network:<the net of other peer>
> 2) pfSense side Configuration
>     3 configs, one for every private net as per RFC 1918
> (10/8, 192.168/16, 172.16/12)
>     Mode: Tunnel
>     Interface: Lan
>     Remote Subnet:<the net of other peer or as RFC1918>
>     Remote GW:  XXX.XXX.XXX.XXX
>     PHASE 1
>     Negotiation Mode: main
>     My Identifier: IP address YYY.YYY.YYY.YYY  <--WARNING!!!
>     Encryption alg: 3DES
>     Hash: MD5
>     DH: 2
>     Lifetime 86400
>     Auth method: Preshared Key
>     Preshared key: <same of other peer>
>     PHASE 2
>     Protocol: ESP
>     Encryption alg: All but no DES
>     Hash: all
>     PFS: 2 (1024bit)
>     LifeTime: 86400
>     Keep alive: <host of other net>
> 
> Hope this helps.
> 
> ~A
> 
> 
> 
> 
> 
> ----- Original Message ----- 
> From: "Pierre Frisch" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, September 12, 2006 11:44 PM
> Subject: Re: [pfSense Support] IPSEC behind Firewall
> 
> 
> > Could you post the solution. Please
> >
> > Thank you
> >
> > Pierre
> >
> > On 12-Sep-06, at 10:01 AM, Alvaro Pietrobono wrote:
> >
> >> I'm sorry Scott,
> >> but I didn't explain the problem very well.
> >> pfSense is behind a firewall and I'm trying to establish a
> >> VPN lan-to-lan with an IPsec-compliant peer (Cisco Concentrator in this case)
> >> with a public IP.
> >> A few minutes ago I found the solution and now it's working,
> >> but I have to ping a host behind the other peer because
> >> after a few minutes the connection goes down.
> >> In pfSense, if I disable and then enable IPsec, the connection goes up again.
> >> What do you think about it?
> >>
> >> regards
> >> ~A
> >>
> >>
> >>
> >> ----- Original Message ----- From: "Scott Ullrich" <[EMAIL PROTECTED]>
> >> To: <[email protected]>
> >> Sent: Tuesday, September 12, 2006 5:17 PM
> >> Subject: Re: [pfSense Support] IPSEC behind Firewall
> >>
> >>
> >>> On 9/12/06, Alvaro Pietrobono <[EMAIL PROTECTED]> wrote:
> >>>> Hi,
> >>>> Is it possible to configure a VPN lan-to-lan with IPsec
> >>>> and pfSense behind a firewall?
> >>>> I'm trying some different configurations but without success.
> >>>>
> >>>> Thanx in advance.
> >>>
> >>> pfSense does not have NAT traversal support for IPSEC. Doubt it will
> >>> work.
> >>>
> >>> Scott
> >>>
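The thread turns on two details of the pfSense-behind-NAT configuration: the IKE identifier presented by the NAT-ed pfSense must be the public address the Cisco has configured as its peer (the "WARNING" line in Alvaro's config), and the NAT-ed end needs a keep-alive host on the far LAN or the tunnel drops after a few idle minutes. The following is an added example, not code from the thread or from pfSense: a small consistency check that takes a description of both peers and reports the mismatches an admin would otherwise discover by watching the tunnel fail. The `Peer` dataclass, `check_pair`, `variant` and the sample values (`XXX.XXX.XXX.XXX` / `YYY.YYY.YYY.YYY` placeholders as in the thread, a constructed private WAN address `192.168.1.1`, a constructed keep-alive host `10.0.0.10`, and the assumption that "Hash: all" on the 2006 pfSense side means MD5 and SHA1) are mine.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Peer:
    """One end of a site-to-site IPsec tunnel, reduced to the fields that
    have to agree for IKE main mode and a NAT-ed peer to work."""
    name: str
    identifier: str            # IKE identity this side presents (pfSense "My Identifier")
    expected_peer: str         # address this side expects the other peer to identify as
    p1_enc: str                # Phase 1 encryption algorithm
    p1_hash: str               # Phase 1 hash algorithm
    p1_dh: int                 # Phase 1 Diffie-Hellman group
    p1_lifetime: int           # Phase 1 lifetime in seconds
    p2_hashes: FrozenSet[str]  # Phase 2 hash algorithms this side will accept
    behind_nat: bool = False   # True when this side sits behind a NAT router
    keepalive_host: Optional[str] = None  # host on the far LAN that is pinged to keep state alive


def check_pair(a: Peer, b: Peer) -> List[str]:
    """Return a list of human-readable problems; an empty list means the two
    configurations are consistent with each other."""
    problems: List[str] = []

    # 1. Each side's identity must be exactly what the other side is waiting for.
    #    A NAT-ed pfSense presenting its private WAN address will never match the
    #    public address the Cisco peer entry was built around.
    for me, other in ((a, b), (b, a)):
        if me.identifier != other.expected_peer:
            problems.append(
                f"{me.name} identifies as {me.identifier} but {other.name} "
                f"expects peer {other.expected_peer}")

    # 2. Phase 1 is a single proposal on both sides in this setup, so every
    #    parameter must match exactly.
    for attr in ("p1_enc", "p1_hash", "p1_dh", "p1_lifetime"):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            problems.append(f"Phase 1 {attr} mismatch: {a.name}={va}, {b.name}={vb}")

    # 3. Phase 2 is negotiated from sets; there must be at least one common hash.
    if not (a.p2_hashes & b.p2_hashes):
        problems.append("Phase 2: no common hash algorithm between the peers")

    # 4. Idle UDP state on the NAT router expires; the NAT-ed side must keep
    #    traffic flowing or the tunnel goes down after a few minutes, as the
    #    thread describes.
    for p in (a, b):
        if p.behind_nat and not p.keepalive_host:
            problems.append(
                f"{p.name} is behind NAT and has no keep-alive host; "
                "the NAT mapping will expire while the tunnel is idle")
    return problems


def variant(peer: Peer, **changes) -> Peer:
    """Copy of a peer with some fields changed, used to build the failing cases."""
    return replace(peer, **changes)


# Constructed from the values posted in the thread (placeholders kept as-is).
CISCO = Peer(name="Cisco 3005", identifier="XXX.XXX.XXX.XXX",
             expected_peer="YYY.YYY.YYY.YYY", p1_enc="3DES", p1_hash="MD5",
             p1_dh=2, p1_lifetime=86400, p2_hashes=frozenset({"MD5"}))

PFSENSE_OK = Peer(name="pfSense (behind NAT)", identifier="YYY.YYY.YYY.YYY",
                  expected_peer="XXX.XXX.XXX.XXX", p1_enc="3DES", p1_hash="MD5",
                  p1_dh=2, p1_lifetime=86400,
                  p2_hashes=frozenset({"MD5", "SHA1"}),  # assumption for "Hash: all"
                  behind_nat=True, keepalive_host="10.0.0.10")  # constructed host

# The two situations the thread runs into, as constructed variants.
PFSENSE_WRONG_ID = variant(PFSENSE_OK, identifier="192.168.1.1")   # private WAN address
PFSENSE_NO_KEEPALIVE = variant(PFSENSE_OK, keepalive_host=None)


if __name__ == "__main__":
    for label, pf in (("as posted", PFSENSE_OK),
                      ("identifier left at private address", PFSENSE_WRONG_ID),
                      ("no keep-alive", PFSENSE_NO_KEEPALIVE)):
        print(f"--- {label}")
        for line in check_pair(CISCO, pf) or ["OK"]:
            print("  " + line)
```

Run as a script it prints "OK" for the configuration as posted, a single identifier mismatch for the private-address variant, and the keep-alive warning for the variant without a far-side host. The check encodes nothing pfSense-specific; the same two conditions (identity seen by the peer, traffic to hold NAT state) apply to any IPsec peer behind a NAT that knows nothing about the tunnel, which is also why Holger's mobile-client variant works from a dynamic address.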