Netgate Discussion Forum
    Issue with multiple P2 phases using NAT/BINAT on pfSense

    IPsec
    11 Posts 2 Posters 532 Views

    • vdjurdjevic

      I see the following log error:

      14[CFG] <con9|130509> config: 10.45.213.42/32|/0, received: 10.45.5.163/32|/0 => no match

    • viragomann @vdjurdjevic

        @vdjurdjevic
        Are both p2 configured at the remote site as well?

    • vdjurdjevic

          Unfortunately, I don't have control over the gateway on the remote side of the tunnel.

          They sent me the following configurations for the ACL

          access-list Vakel_Tunnel line 1 extended permit ip host 10.45.5.163 host 10.66.88.1

          access-list Vakel_Tunnel line 2 extended permit ip host 10.45.213.42 host 10.66.88.3

          The tunnel existed previously with P2_1 and it is functional.

          The problems occur when I add P2_2. It is not functional.

    • viragomann @vdjurdjevic
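The strongSwan line in the first post compares the remote traffic selector of one local child config (`config:`) with the selector the peer proposed (`received:`), and the two ACL entries above say which host pairs the remote ASA is willing to negotiate. The following is an added example, not code from this thread, from pfSense or from strongSwan, that parses both and reports, for each `no match` line, which ACL entry the peer's proposal corresponds to and which entry the local child config corresponds to. The log text and ACL text are constructed sample input: the first log line is the one quoted in the thread, the second is a hypothetical mirror line for the other child; the ACL lines are the two posted above.

```python
"""Map strongSwan traffic-selector 'no match' lines to a Cisco ASA crypto ACL.

Added example for this thread; not pfSense or strongSwan code. Assumes the
pfSense side is a BINAT setup, so the ASA's "host B" in each ACL entry is the
NAT address pfSense presents, and the ASA's "host A" is what pfSense sees as
the remote network of the corresponding P2.
"""
import re
from ipaddress import ip_network

# Constructed sample input (not from a live system). Line 1 is the one quoted
# in the thread; line 2 is a hypothetical mirror for the other child config.
SAMPLE_LOG = """\
14[CFG] <con9|130509> config: 10.45.213.42/32|/0, received: 10.45.5.163/32|/0 => no match
14[CFG] <con9|130510> config: 10.45.5.163/32|/0, received: 10.45.213.42/32|/0 => no match
"""

# The two ACL entries the remote administrator sent, as posted in the thread.
SAMPLE_ACL = """\
access-list Vakel_Tunnel line 1 extended permit ip host 10.45.5.163 host 10.66.88.1
access-list Vakel_Tunnel line 2 extended permit ip host 10.45.213.42 host 10.66.88.3
"""

# "a.b.c.d/len|/0": the part after '|' is the protocol/port restriction.
NO_MATCH_RE = re.compile(
    r"config: (?P<config>[\d.]+/\d+)\|/\d+, "
    r"received: (?P<received>[\d.]+/\d+)\|/\d+ => no match"
)
# Only the "host A host B" form is handled; other ACL shapes are ignored.
ACL_HOST_RE = re.compile(
    r"access-list (?P<name>\S+) line (?P<line>\d+) extended permit ip "
    r"host (?P<asa_local>[\d.]+) host (?P<asa_remote>[\d.]+)"
)


def parse_no_match(log_text):
    """Return (configured_ts, received_ts) network pairs from 'no match' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = NO_MATCH_RE.search(line)
        if m:
            pairs.append((ip_network(m["config"]), ip_network(m["received"])))
    return pairs


def parse_asa_acl(acl_text):
    """Return ACL entries keyed the way pfSense sees them.

    'remote' is the ASA's own host (its source); 'local_nat' is the address the
    ASA expects pfSense to present, i.e. the BINAT address of that P2.
    """
    entries = []
    for line in acl_text.splitlines():
        m = ACL_HOST_RE.search(line)
        if m:
            entries.append({
                "line": int(m["line"]),
                "remote": ip_network(m["asa_local"] + "/32"),
                "local_nat": ip_network(m["asa_remote"] + "/32"),
            })
    return entries


def diagnose(log_text, acl_text):
    """For each 'no match' line, say which ACL entry the peer's selector came
    from (peer_acl_line) and which entry the local child config corresponds to
    (local_acl_line). None means the address appears in no ACL entry."""
    by_remote = {e["remote"]: e for e in parse_asa_acl(acl_text)}
    findings = []
    for configured, received in parse_no_match(log_text):
        peer_entry = by_remote.get(received)
        local_entry = by_remote.get(configured)
        findings.append({
            "config": str(configured),
            "received": str(received),
            "peer_acl_line": peer_entry["line"] if peer_entry else None,
            "local_acl_line": local_entry["line"] if local_entry else None,
            "peer_expects_local_nat": (
                str(peer_entry["local_nat"]) if peer_entry else None
            ),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, SAMPLE_ACL):
        print(f)
```

One caveat when reading the output: strongSwan logs one `config: ..., received: ... => no match` line for every child config it compares against the proposal, so with two P2 entries a single such line is expected even in a working setup. The negotiation only fails when no child config matches at all, so the line to look for after a `no match` is whether some other child config did match the received selectors.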

            @vdjurdjevic
            It seems that there is no proper ACL for the second p2, but I need to check the whole handshake section of the log to be sure.

            I don't think that there is a limitation on p2 numbers with BINAT. To be sure, just disable the first and check if the other comes up then.

    • vdjurdjevic

              When I disable P2_1, which is functional, P2_2 does not come up.

    • viragomann @vdjurdjevic

                @vdjurdjevic
                So, as expected, the second p2 doesn't work even without any influence from the other one.
                So I guess, there is something configured wrong at the remote site.

    • vdjurdjevic @viragomann

                  @viragomann Thank you

    • vdjurdjevic

                    I tried to replicate the configuration between two pfSense instances, and I encountered the following:

                    • When using different NAT/BINAT addresses, only the first SA works.
                    • When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.
                    • And finally, in the IPsec status, only a single summary connection is visible instead of two.


    • viragomann @vdjurdjevic

                      @vdjurdjevic said in Issue with multiple P2 phases using NAT/BINAT on pfSense:

                      When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.

                      Ah yeah, good catch!

                      I can imagine that it would be possible if you use different local addresses (single IPs instead of DMZ).

    • vdjurdjevic @viragomann

                        @viragomann Yes, I think so too.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.