I have a customer where I am going to replace a bad DSL line at a branch-office with a 4G SIM for better speed/reliability. However they need IPSEC back to HO (fibre connection with static IP).
I am aware that bog standard SIMs aren’t just dynamic IP, they are also behind NAT as well. But I also know that Meraki can do IPSEC over a bog standard SIM card, so it must be possible in some way!
Does anyone know how I might be able to achieve this on PFSense please? Thanks in advance!
I have multiple IPSEC VPNs working over 4G LTE without issue. However, you have to initiate the VPN from the LTE site “TO” the fixed HQ site. Then no issues at all. The other way around is not going to work due to CGNAT.
IPv4 or IPv6? If IPv4 is involved on one end there is a good chance that your carrier will NAT that connection. You could try some TCP-only VPN like SSL VPN, but SIM cards without a special contract won't work as expected for IKE traffic.
In my experience most providers won't forward IKE traffic if they NAT. Sometimes it even depends on your current cell tower.
It doesn’t matter if the client is behind 99999 NATs. Only thing that matters is the server has to be able to “listen” for incoming connections… which if the server isn’t NATed, you should be able to do this no problem.
I think I understand your question and have found the pfSense config somewhat finicky but I’ve had luck with using a dyndns service so that I can put hostnames in each router and setting the primary office as responder only. IIRC I needed to set the NAT mode to FORCE rather than auto.
I can post my configs if you want to see how it’s working for me.
EDIT: Cloudflare’s dyndns works great for me inside of the pfSense interface
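For anyone wanting to see what the "primary office as responder only, NAT mode FORCE" setup above looks like under the hood: pfSense drives strongSwan, so this is an added swanctl.conf sketch of both ends (example config, not the poster's; the addresses, hostnames, identities, subnets and PSK are assumed placeholders). The key points are that the HQ side accepts the branch from any source address and matches it on its IKE identity, while only the branch side ever initiates.

```conf
# --- HQ firewall (static, non-NATed WAN) --- responder only
connections {
    branch {
        version = 2
        local_addrs  = 203.0.113.10        # HQ static WAN IP (placeholder)
        remote_addrs = %any                # branch arrives from a changing CGNAT address
        encap = yes                        # force UDP-encapsulated ESP (pfSense "NAT Traversal: Force")
        mobike = yes
        dpd_delay = 30s
        local  { auth = psk; id = hq.example.net }
        remote { auth = psk; id = branch.example.net }  # match on identity, never on source IP
        children {
            branch-lan {
                local_ts  = 10.10.0.0/24   # HQ LAN (placeholder)
                remote_ts = 10.20.0.0/24   # branch LAN (placeholder)
                start_action = none        # HQ never initiates: the SIM side cannot be reached through CGNAT
                dpd_action = clear         # drop the SA and wait for the branch to come back
            }
        }
    }
}
secrets {
    ike-branch { id = branch.example.net; secret = "REPLACE-WITH-LONG-RANDOM-PSK" }  # placeholder
}

# --- Branch firewall (4G SIM behind CGNAT) --- initiator
connections {
    hq {
        version = 2
        remote_addrs = hq.example.net      # HQ hostname (dyndns or static DNS), resolved at connect time
        encap = yes
        mobike = yes
        dpd_delay = 30s
        keyingtries = 0                    # retry forever when the carrier drops the NAT mapping
        local  { auth = psk; id = branch.example.net }
        remote { auth = psk; id = hq.example.net }
        children {
            hq-lan {
                local_ts  = 10.20.0.0/24
                remote_ts = 10.10.0.0/24
                start_action = start       # bring the tunnel up at boot
                dpd_action = restart       # re-initiate when DPD notices the path died
                close_action = start       # re-initiate if HQ closes the SA
            }
        }
    }
}
secrets {
    ike-hq { id = hq.example.net; secret = "REPLACE-WITH-LONG-RANDOM-PSK" }  # same placeholder PSK
}
```

If the carrier drops UDP 500 but passes 4500, `remote_port = 4500` on the branch connection makes the initiator start on the NAT-T port directly.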
I’ve had this requirement in my line of work many times. I’ve tried pfSense, tried VyOS, tried OPNsense… weeks of config and testing. All thwarted by carrier grade NAT…
In all trials, we ended up shelving the idea and worked around the IPsec VPN requirements.
There is the odd post online that says people got it working. But in all honesty I’ve never seen one actually work over CGNAT. I personally have nearly 10 years experience in enterprise networking. And the rest of my 3rd line and NOC team collectively have over 50 years combined. We couldn’t get it to work.
Thanks for that! So I managed to configure OpenVPN s2s in a relatively short time on my office pfSense unit (as the server end). I also have a test SG-1100 and a Teltonika 4G router with a bog-standard Vodafone SIM in it. The Teltonika has a very basic config on there - just normal NAT for devices behind there. I put the SG-1100 into OpenVPN client mode and it basically worked straight away.
I’m amazed that this was so easy to sort. The customer is going to be really pleased with this. I was never a fan of ovpn but it’s growing on me more and more. Thanks again!
I can’t speak specifically to pfSense, but Cisco have/had a technology called EZvpn which could do an L2L tunnel that basically looked to the head end like a remote access connection (i.e. VPN client).
With EZvpn you could have NAT / dynamic IP on the client side and it didn’t matter - we used it a ton for small remote offices with cable modems and it worked great.
Thanks for the feedback - that’s great (or not great, depending on how you look at it!). We have fixed IP SIMs without NAT, but the bandwidth cost is way higher, so we’d rather not use those if we don’t have to.
I have it working between Cisco and pfSense using IPsec VTI. I also have a similar setup between pfSense and pfSense and MikroTik and pfSense. Are you sure your carrier isn’t blocking IPsec?
MikroTik to pfSense and pfSense to pfSense is easier to do with OpenVPN (no support for IPsec VTI on MikroTik, and I need that for OSPF).