Sunday, November 20, 2011

pfSense IPSEC issues

If you have problems getting an IPSEC tunnel to connect with pfSense at one end, check the firewall rules first.

On the WAN interface there should be rules to pass:
 ISAKMP (UDP port 500)
 NAT-T (UDP port 4500)

This will allow the VPN itself to connect; additional firewall rules on the IPSEC interface may be required to allow traffic across the tunnel, e.g.:
 Pass TCP * *
 Pass UDP * *
 Pass ICMP * *
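As an added example (not from the original post), a small shell check that looks for the two WAN pass rules above in a saved "pfctl -sr" listing; the two sample listings and the WAN interface name em0 are constructed assumptions, and because pfctl may print service names (isakmp, ipsec-nat-t) instead of port numbers, the check accepts both forms.

```shell
#!/bin/sh
# Checks a saved "pfctl -sr" listing for the WAN pass rules the post names as
# required for IPsec: UDP 500 (ISAKMP) and UDP 4500 (NAT-T).
# On a real pfSense box:  pfctl -sr > /tmp/rules.txt; check_ipsec_wan_rules /tmp/rules.txt em0
# Assumption: the WAN interface is em0 (substitute your own).

# Return 0 if a "pass in" UDP rule on the interface matches the port; pfctl may
# print the /etc/services name instead of the number, so both are accepted.
has_udp_pass_rule() {
    file="$1"; iface="$2"; port="$3"; name="$4"
    grep -E "^pass in .*on ${iface} .*proto udp .*port = (${port}|${name})( |$)" "$file" >/dev/null
}

# Prints each missing rule; returns 0 only when both required rules are present.
check_ipsec_wan_rules() {
    file="$1"; iface="$2"; missing=0
    if ! has_udp_pass_rule "$file" "$iface" 500 isakmp; then
        echo "MISSING: pass UDP 500 (ISAKMP) on $iface"; missing=1
    fi
    if ! has_udp_pass_rule "$file" "$iface" 4500 ipsec-nat-t; then
        echo "MISSING: pass UDP 4500 (NAT-T) on $iface"; missing=1
    fi
    return $missing
}

# Constructed sample 1: both rules present on WAN (em0).
cat > /tmp/ipsec_rules_ok.txt <<'EOF'
block drop in log all label "Default deny rule IPv4"
pass in quick on em0 inet proto udp from any to (em0) port = isakmp keep state label "USER_RULE: IPsec ISAKMP"
pass in quick on em0 inet proto udp from any to (em0) port = 4500 keep state label "USER_RULE: IPsec NAT-T"
pass out quick on em0 all flags S/SA keep state label "let out anything from firewall host itself"
EOF

# Constructed sample 2: the NAT-T rule was forgotten, a common reason the tunnel
# never comes up when one endpoint sits behind NAT.
cat > /tmp/ipsec_rules_bad.txt <<'EOF'
block drop in log all label "Default deny rule IPv4"
pass in quick on em0 inet proto udp from any to (em0) port = isakmp keep state label "USER_RULE: IPsec ISAKMP"
pass in quick on em0 inet proto tcp from any to (em0) port = https flags S/SA keep state label "USER_RULE: webgui"
EOF

check_ipsec_wan_rules /tmp/ipsec_rules_ok.txt em0 && echo "OK: both IPsec WAN rules present"
check_ipsec_wan_rules /tmp/ipsec_rules_bad.txt em0 || echo "Fix the WAN rules before debugging the tunnel further"
```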

Also observed was a problem where the tunnel (Draytek 2700 endpoint) would not pass traffic until a request was initiated from the pfSense end. To work around this, after installing the CRON module, the following command is scheduled as a cron job:
 ping -c 50 192.168.0.1
(where 192.168.0.1 is the far-end gateway)