Outbound NAT over IPSEC tunnel not working
-
I have an IPSEC tunnel from my pfSense CE box at home to a Meraki MX95 at the datacenter. I followed the directions at https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html to route traffic from a specific VLAN through the tunnel so it appears as if it is coming from the data center. However, it is not working. Will this only work if it is a pfSense box on each end? Or do I just need to reboot my pfSense box to get it to work?
-
@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:
Will this only work if it is a pfSense box on each end?
Not necessarily, but the outbound NAT must be done in the data center in this case.
-
@viragomann said in Outbound NAT over IPSEC tunnel not working:
@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:
Will this only work if it is a pfSense box on each end?
Not necessarily, but the outbound NAT must be done in the data center in this case.
I would think I'd need to do the outbound NAT on my side to force the traffic over the tunnel. If I do a traceroute I can see it hit my pfSense box and then go out to the Internet, not to the data center.
-
@shaunmccloud
NAT doesn't route traffic. The routing is done in IPSec with the local network and 0.0.0.0/0 for the remote.
If the traffic goes out on WAN anyway, then there is something wrong in the IPSec settings.
Did you configure both sites accordingly?
Are the SPDs shown up on both sites?
-
@viragomann said in Outbound NAT over IPSEC tunnel not working:
@shaunmccloud
NAT doesn't route traffic. The routing is done in IPSec with the local network and 0.0.0.0/0 for the remote.
If the traffic goes out on WAN anyway, then there is something wrong in the IPSec settings.
Did you configure both sites accordingly?
Are the SPDs shown up on both sites?
The problem is, Meraki gives you very little control over IPSec VPN tunnels, especially when it isn't for one of their security appliances. And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.
This gives me only local access to the data center
This gives me local access to the data center and Internet access, but through my external IP at home. Probably something on the Meraki side, but good luck figuring out what that is. I cannot add a static route to a VPN participant in the Meraki control panel.
-
@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:
And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.
So I'd assume that the traffic is routed over the VPN, but not out on WAN.
But this is only half of the battle. The traffic must be NATed on the remote site.
If the Meraki doesn't masquerade your subnets there is no way to go out to the internet through it.
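A small model of the two halves described above (phase 2 selectors decide whether a flow is tunneled; only an outbound NAT rule at the data-center end makes it reach the Internet from there). This is an added example, not code from the thread or from pfSense/Meraki; the subnets, the `HOME_P2` and `DC_OUTBOUND_NAT` tables and the function names are constructed placeholders, and directly connected local destinations are not modelled.

```python
import ipaddress

# Constructed phase 2 (traffic selector) entries on the home pfSense, as in
# the thread: the VLAN subnet on the local side, 0.0.0.0/0 on the remote side.
# Placeholder subnets; the thread does not give the real ones.
HOME_P2 = [
    {"local": "10.10.50.0/24", "remote": "0.0.0.0/0"},
]

# Constructed outbound NAT table at the data-center end. It deliberately does
# NOT cover the home VLAN, which is the failure mode discussed above.
DC_OUTBOUND_NAT = [
    {"source": "192.168.100.0/24", "translate_to": "203.0.113.10"},
]


def matching_p2(src, dst, p2_entries):
    """Return the phase 2 entry whose selectors cover src->dst, preferring the
    most specific remote selector, or None if no selector matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = None, -1
    for entry in p2_entries:
        local = ipaddress.ip_network(entry["local"])
        remote = ipaddress.ip_network(entry["remote"])
        if src in local and dst in remote and remote.prefixlen > best_len:
            best, best_len = entry, remote.prefixlen
    return best


def egress(src, dst, p2_entries, dc_nat):
    """Classify where a flow ends up:
    'home-wan'         - no selector matched, it leaves the home WAN untouched
    'dc-nat:<ip>'      - tunneled and masqueraded at the data center
    'tunneled-no-nat'  - tunneled, but the remote end never translates it,
                         so it cannot reach the Internet from there."""
    if matching_p2(src, dst, p2_entries) is None:
        return "home-wan"
    source = ipaddress.ip_address(src)
    for rule in dc_nat:
        if source in ipaddress.ip_network(rule["source"]):
            return f"dc-nat:{rule['translate_to']}"
    return "tunneled-no-nat"


if __name__ == "__main__":
    print(egress("10.10.50.20", "198.51.100.7", HOME_P2, DC_OUTBOUND_NAT))
```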
-
@viragomann said in Outbound NAT over IPSEC tunnel not working:
@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:
And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.
So I'd assume that the traffic is routed over the VPN, but not out on WAN.
But this is only half of the battle. The traffic must be NATed on the remote site.
If the Meraki doesn't masquerade your subnets there is no way to go out to the internet through it.
I decided to cheat, and throw a virtual pfSense box in the data center to connect to. I'll see how that works tomorrow.