VPN SITE to SITE with NAT
-
Hello, this is the usual question with NAT to avoid overlapping lan.
I'm in a software house , we made software. Recently with covid, like many, we had to move from client site to remote site. The client is a big Company.
They have PaoloAlto / Cisco router to manage more than 3000 people conncted in remote.
To the sofware houses they offer a Site to Site connection via IPSEC .
We have public IP on both side.
(our local-subnets)----(172.21.0.0/16)vlanX[FIREWALL]wan(192.168.0.2)----(192.168.0.1)ISP-Router(188.218.123.123)-----{internet}----(62.97.2.6)wan[Remote-GW-Peer]lan----(remote-subnets)
They give us this informations to establish the tunnel:
- Public GW 62.97.2.6
- Phase1 AES256-SHA lifetime 86400
- Phase2 AES128-SHA1 DH2 Lifetime 28800 PFS no
To route the packet the told us:
If you need to reach an ip in these subnets
10.100.9.0/24
10.209.32.0/24
10.209.12.0/24
10.209.21.0/24
10.210.21.0/24
10.209.40.0/24
10.211.12.0/24
10.211.40.121/32
10.209.24.0/24Go thru IPSEC tunnel and present yourself as 10.201.123.123.
-------------------------------------A BRIEF HISTORY------------------------------------------------
Our first approach was to use a Zyxel (very easy to config... also for a programmer )
We have created the site to site tunnel one for each subnet.... after second tunnel (i think the have a limit) continuous disconnection.
So we moved to VTI it is working from 1 year but it has not so nice performance and tends to loose packets sometimes.Before moving to Fortigate /PaoloAlto / Cisco (we have tested a RV series and tanks to cisco support we have established that we need ASA), we have tested RouterOS(no support) IPFire(No support) now we are giving a try to PFsense.
---------------------------------------END OF HISTORY----------------------------------------------
In PFSense It was easy to make it our DHCP, Make it the main DNS server all is ok for the moment to navigate and use it in the LAN.
Now we are at the VPN step.
I have created the rule following the giude.
I can establish the tunnel but i can't se the traffic going into it (I don't know if there is a monitor inside pf ) on the other side(big company) ping is disabled and the don't give support
Another small company of friends uses libreswan they have this configuration everything is inside them server
authby=secret type=tunnel aggrmode=no keyexchange=ikev1 ike=aes256-sha1;modp1024 ikelifetime=86400s salifetime=28800s initial-contact=yes pfs=no phase2=esp phase2alg=aes128-sha1;modp1024 leftid=188.218.123.123 left=188.218.123.123 leftsubnet=10.201.123.123 rightid=62.97.2.6 right=62.97.2.6 rightsubnets={ 10.209.32.0/24 10.209.12.0/24 10.209.21.0/24 10.210.21.0/24 10.209.40.0/24 10.211.12.0/24 10.211.40.121/32 10.209.24.0/24 }
What I miss a routing part a firewall rule something wrong in configuration?
-
@riccardo-prandini
Your identifier in P1 should be your public IP of the external router. But obviously the remote server doesn't care about anyway.In the p2 you should disable AES128-GCM, since it is not provided by the remote site.
The PFS key group has to be set to "2". It might be misleadingly mentioned as DH in the specs.I don't know if it basically will work when the PAT address lies within the remote network. Since this might be issue, try to split the the remote networks and set up multiple p2. 2 part should be sufficient: 10.208.0.0/14, 10.100.9.0/24.
-
@viragomann said in VPN SITE to SITE with NAT:
10.208.0.0/14
Thanks.
I've made a try.
The connection looks ok
This should be the tunnel between pfsense and remote GW nat traversal
and those are the rules?
.
I don't know if this look correct in my opinion yes!
Anyway i have tested an endpoint 10.209.24.11i can see the data grow in the connection
but no response.I don't know if I should add a rule for the traffic.
Thi is my Zyxel Rules
The policy route
VPN PH1
VPN PH2
VTI tunnel
The object used somewhere
-
@riccardo-prandini
I'm wondering where you got the 10.201.104.30 from showing in the IPSec status.
Did you set this one as PAT address in the P2 now? -
@viragomann
I have to correct the image read it as 110.201.123.123
. -
Strange i had to add a rule tha is not generating any traffic.
it is not generating any traffic but a big amount of evaluation.
I'll try later to disable it.
Other params are ok.