I am trying to configure a Site-to-Site VPN. I have gotten to the point where my tunnel is up, but I cannot pass any traffic through it. I believe this is due to a firewall rule not being applied, but I'm new to this product and don't know exactly what is going on. I would very much appreciate some help getting this set up.
Here's my setup.
1. I'm connected to my ISP (Bell Fiber) via the SFP port. To connect, I have to create a PPPoE connection over VLAN 35; I get a public IP once it comes up.
2. The local network is 192.168.5.0/24; the remote network is 192.168.6.0/24.
3. The internet connection works perfectly.
4. The remote router is running pfSense. The configuration listed at the bottom of this post gets the tunnel up and running.
Output from various debug commands:
----
show vpn ike status
IKE Process Running
PID: 4465
----
show vpn ipsec sa
peer-REDACTED-tunnel-1: #1, ESTABLISHED, IKEv1, 16ee1b9fc41c62f0:431069d5607b4f42
local '76.XX.XX.XX' @ 76.XX.XX.XX
remote '38.XX.XX.XX' @ 38.XX.XX.XX
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 1700s ago, reauth in 26140s
----
show vpn ipsec status
IPSec Process Running PID: 4465
0 Active IPsec Tunnels
IPsec Interfaces :
----
show vpn ipsec policy
src 192.168.6.0/24 dst 192.168.5.0/24
dir fwd priority 5955
tmpl src 38.XX.XX.XX dst 76.XX.XX.XX
proto esp reqid 1 mode tunnel
src 192.168.6.0/24 dst 192.168.5.0/24
dir in priority 5955
tmpl src 38.XX.XX.XX dst 76.XX.XX.XX
proto esp reqid 1 mode tunnel
src 192.168.5.0/24 dst 192.168.6.0/24
dir out priority 5955
tmpl src 76.XX.XX.XX dst 38.XX.XX.XX
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
-----------------
Configuration File
----------------
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
options {
mss-clamp {
mss 1412
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
description Local
duplex auto
speed auto
}
ethernet eth1 {
description Local
duplex auto
speed auto
}
ethernet eth2 {
description Local
duplex auto
speed auto
}
ethernet eth3 {
description Local
duplex auto
speed auto
}
ethernet eth4 {
description Local
duplex auto
speed auto
}
ethernet eth5 {
duplex auto
speed auto
vif 35 {
description "Internet (PPPoE)"
pppoe 0 {
default-route auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
name-server auto
password REDACTED
user-id REDACTED
}
}
}
loopback lo {
}
switch switch0 {
address 192.168.5.1/24
description Local
mtu 1500
switch-port {
interface eth0 {
}
interface eth1 {
}
interface eth2 {
}
interface eth3 {
}
interface eth4 {
}
vlan-aware disable
}
}
}
service {
dns {
dynamic {
interface pppoe0 {
service afraid {
host-name REDACTED
login REDACTED
password REDACTED
server freedns.afraid.org
}
}
}
forwarding {
cache-size 150
listen-on LISTENONPORT
listen-on switch0
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface pppoe0
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
}
system {
domain-name REDACTED
host-name edgerouter
login {
user REDACTED {
authentication {
encrypted-password REDACTED
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat enable
ipsec enable
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone America/Toronto
}
vpn {
ipsec {
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 2
encryption aes256
hash sha1
}
}
site-to-site {
peer REDACTED{
authentication {
mode pre-shared-secret
pre-shared-secret REDACTED
}
connection-type initiate
description Colo
ike-group FOO0
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 192.168.5.0/24
}
remote {
prefix 192.168.6.0/24
}
}
}
}
}
}