Port Forwarding over IPsec ?
-
I have two sites, Site 1 (Main) and Site 2 (Remote tower location).
Both are pfSense 2.6. and the IPsec VTI connection is working between the sites.
I need an outside port to reach some equipment at Site 2.
Site 2 is behind a customer firewall that I have no firewall access.
I want to forward a port from Site 1 thru the Tunnel to Site 2.
I have tried several options, and I'm missing the critical return path. I have tried port forwarding at Site 1 to the address I want to serve at Site 2 ... I can look at the packet capture on Site 2 LAN and see the packet come in, and the device response going back out.
The problem is the address in the response packet is the real destination, not a NAT address that will get the response back to Site 1 to be sent out to the internet from the Site 1 address.
I have tried, but I am not getting the response back correctly to Site 1. Could someone lend their expertise and describe this process or point me to the documentation that explains how to allow this to work.
Thank You,
Kris
-
@kris-0 said in Port Forwarding over IPsec ?:
The problem is the address in the response packet is the real destination
Should also work with that, but there are some requirements to obey at least at Site 2:
- All IPSec tunnels have to be VTI
- Ensure that in the IPSec Advanced Settings the IPsec Filter Mode is set to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic".
- Also you have to assign an interface to the IPSec tunnel and define a rule allowing the incoming traffic from the remote site.
Otherwise you should masquerade the traffic on the IPSec interface at site 1.
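As an added illustration, not part of the thread and not the rules pfSense generates for you, here are the two variants from the answer above written as plain pf rules. The interface names, the transit and device addresses and the port are all assumptions made up for the example; on pfSense the same settings are entered through the GUI (Firewall > NAT, Firewall > Rules on the assigned VTI interface, and VPN > IPsec > Advanced Settings for the filter mode).

```pf
# Assumed names and addresses (constructed for this example, not from the thread):
#   $wan_s1    Site 1 WAN interface (public address)
#   $vti_s1    interface assigned to the IPsec VTI at Site 1
#   $vti_s2    interface assigned to the IPsec VTI at Site 2
#   10.2.0.50  device behind Site 2 that must be reachable on TCP/8443
#   10.99.0.1  Site 1's address on the VTI transit network

# ---- Site 1 ----
# Port forward: inbound TCP/8443 on WAN is redirected to the device at Site 2,
# and the matching pass rule lets the redirected traffic in.
rdr on $wan_s1 proto tcp from any to ($wan_s1) port 8443 -> 10.2.0.50 port 8443
pass in on $wan_s1 proto tcp from any to 10.2.0.50 port 8443

# Variant B ("masquerade on the IPsec interface at site 1"): source-NAT the
# forwarded traffic to Site 1's VTI address. The device at Site 2 then answers
# 10.99.0.1, so the reply can only come back through the tunnel, at the cost of
# hiding the real client address from the device's logs.
nat on $vti_s1 proto tcp from any to 10.2.0.50 port 8443 -> 10.99.0.1

# ---- Site 2 ----
# Variant A (what solved the thread): all tunnels are VTI, the IPsec Filter Mode
# is "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel
# mode traffic", and a rule on the assigned VTI interface admits the forwarded
# traffic. The poster used an any/any rule; this is the narrower form that only
# admits the forwarded port, which is what a least-privilege rule set wants.
pass in on $vti_s2 proto tcp from any to 10.2.0.50 port 8443
```

With Variant A the reply from the device carries the real internet source as its destination, so the thing to check at Site 2 is that the state for the connection was created on the VTI interface rather than on the enc0 tunnel-mode path: on a pfSense shell, `pfctl -s state | grep 8443` lists each state with the interface it belongs to in the first column. With Variant B the same command at Site 2 should show 10.99.0.1 as the source instead.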
-
Problem Solved !!
Thank you viragomann that change to the IPsec Filter Mode did the trick.
Everything works perfectly. Note to anyone reading this. I did have a second VPN to the site 2 that I had not mentioned in my explanation and after reading "All IPsec tunnels have to be VTI" I changed that to a VTI also. I also made the assignment of the IPsec tunnel rule to any / any and my forwarded port from site 1 began working to site 2 as soon as I changed the IPsec Filter Mode.
-
@viragomann Just wanted to thank you! This was something I had been trying to do as well and solved my problem!