IPSEC with NAT

huiqbal

We are trying to connect to one of our client using IPSEC tunnel but with no luck. We have the following configuration.

Client Network <-> Client VPN Server <===========> Our pfsense Server <-> Our Internal machine
  Linux                  CISCO 7206/IOS 12.1                            pfsense                      Linux               
B.B.B.B/y                A.A.A.A                                          C.C.C.C                    10.1.1.30

The Client has a requirement that both pfsense and Our internal machine should have official IP's (no private IP's), but they said 1:1 NAT should work. We gave our internal machine a private IP and using pfsense to do 1:1 NAT. We asked the client to debug on their Cisco VPN switch and see what messages they are seeing when we try to create a tunnel. The client is telling us that they see our  internal IP (10.1.1.30) and not the official IP D.D.D.D as described below. Below is the configuration we have received from our client and the way we have confiured it on our pfsense machine. Any help would be appreciated.

Configuration received from the Client to open a tunnel.

Client Public IP Adress: A.A.A.A
Accessible Client network (public): B.B.B.B/Y
our VPN public IP Address: C.C.C.C (our pfsense box)
our Machine running Linux : D.D.D.D
Encryption: ESP- 3DES with MD5
DH Group: 3DES Group 2 (1024 bit prime)
Vendor Id: Disabled
Perfect Forward Secrecy: disabled
Compression: disabled
IKE SA lifetime: 86400 seconds
IPSEC SA Lifetime: 7200 seconds
PSK : Customer PSK Key

Our Pfsense configration,

Interface: WAN
Local subnet : single host, D.D.D.D
Remote subnet:  B.B.B.B/Y
Remote gateway: A.A.A.A
Negotiation mode: aggressive

Phase1:
My identifier: my IP Address
Encryption algorithm: 3DES
Hash Algorithm: MD5
DH Key group: 2
Lifetime: 86400
Authentication method: PSK : Customer PSK key

Phase 2:
Protocol: ESP
Encryption: 3DES
Hash Algorithm: MD5
PFS key group: off
Lifetime: 7200

We have 1:1 NAT  enabled such that D.D.D.D is mapped to 10.1.1.30.
The problem is if we set Local subnet : single host, D.D.D.D then on the client side they don't see any activity but if we change it to 10.1.1.30 then Client side see some activity but they are seeing 10.1.1.30 on the CISCO router on their side and it drops the tunnel.
We spoke with their tech support they are saying some how our 1:1 NAT is sending internal IP and not our D.D.D.D

sullrich

Please test http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-20-06/ which includes NAT-T support.

huiqbal

No luck even after upgrading to the latest pfSense-Full-Update-1.0-SNAPSHOT-09-20-06. Same errors. Below is the error log.

Sep 21 18:52:54 racoon: ERROR: unknown notify message, no phase2 handle found.
Sep 21 18:52:54 racoon: INFO: initiate new phase 2 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
Sep 21 18:52:53 racoon: INFO: ISAKMP-SA established C.C.C.C[500]-A.A.A.A[500] spix
Sep 21 18:52:53 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Sep 21 18:52:53 racoon: INFO: begin Aggressive mode.
Sep 21 18:52:53 racoon: INFO: initiate new phase 1 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
Sep 21 18:52:53 racoon: INFO: IPsec-SA request for 194.39.131.167 queued due to no phase1 found.
Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used for NAT-T
Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used as isakmp port (fd=21)
Sep 21 18:52:52 racoon: INFO: x%nve0[500] used as isakmp port (fd=20)
Sep 21 18:52:52 racoon: ERROR: failed to bind to address C.C.C.C[500] (Address already in use).
Sep 21 18:52:52 racoon: INFO: x%rl0[500] used as isakmp port (fd=19)
Sep 21 18:52:52 racoon: INFO: x%rl1[500] used as isakmp port (fd=18)
Sep 21 18:52:52 racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 21 18:52:52 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=17)
Sep 21 18:52:52 racoon: INFO: ::1[500] used as isakmp port (fd=16)
Sep 21 18:52:52 racoon: INFO: x::1%lo0[500] used as isakmp port (fd=15)
Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used for NAT-T
Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used as isakmp port (fd=14)
Sep 21 18:52:52 racoon: INFO: x%ng1[500] used as isakmp port (fd=13)
Sep 21 18:52:52 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 21 18:52:52 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)

hoba

Have a look at http://doc.m0n0.ch/handbook-single/#id2608349 . Maybe you find something obvious by viewing this howto.

buraglio

Did the nat-t stuff get removed from the snapshots?

nb

sullrich

Yeah

buraglio

@sullrich:

Yeah

ok, good to know. 
Thanks

nb

huiqbal

I guess since nothing worked for us we should assume NAT-T is not fully functional. We ended up adding an additional NIC to our pfsense machine and bridging it with WAN to assign the official IP to our internal server. We are hoping that soon pfsense will have NAT-T support and we should be able to utilize it.
Thanks for everyone's help and goodluck!

sullrich

NAT-T will not be included in 1.0.

Maybe 1.1 or in the future.