PfSense IPSEC and NAT-T….
-
Hi, and I am sorry if my first post on this forum has been covered before.
I am trying to set up an IPsec tunnel between pfSense 2RC1 and a Cisco device, and I feel I am quite close to having this complete, but am stumbling at the last step. Any help would be greatly appreciated.
The bit that (I believe) works is as follows. The Cisco device I am connecting to has had the following crypto map set up:
access-list SMIT_outside_cryptomap extended permit ip host 64.xxx.xx.191 host 80.xxx.xx.120
access-list SMIT_outside_cryptomap extended permit ip host 216.xx.x.27 host 80.xxx.xx.120
access-list SMIT_outside_cryptomap extended permit ip host 216.xx.x.28 host 80.xxx.xx.120
I have set up pfSense with 1x Phase 1 and 3x Phase 2 tunnels as follows:
Phase 1 Summary
Interface: WAN <== (80.xxx.xx.120)
Remote Gateway: 216.xx.x.245
Mode: main
P1 Protocol: 3DES
P1 Transforms: SHA1
Phase 2 Summary
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 64.xxx.xx.191
P2 Protocol: ESP
P2 Transforms: 3DES
P2 Auth Methods: MD5
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 216.xx.x.27
P2 Protocol: ESP
P2 Transforms: 3DES
P2 Auth Methods: MD5
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 216.xx.x.28
P2 Protocol: ESP
P2 Transforms: 3DES
P2 Auth Methods: MD5
I have added a firewall rule on the IPsec tab (Firewall : Rules : IPsec) allowing all traffic on TCP/UDP (I will harden this later).
I have added a mapping in Firewall: NAT: Outbound (AON)
Interface: IPsec
Source: 192.xxx.xxx.0/24
NAT Address: Interface (80.xxx.xx.120)
When I try to ping one of the servers (the ping times out), it forces the tunnel to come up and all looks fairly good; the pfSense log is as follows:
Jun 3 07:31:19 racoon: [P IPSEC]: INFO: IPsec-SA established: ESP 80.xxx.xx.120[500]->216.xx.x.245[500] spi=278237842(0x10959292)
Jun 3 07:31:19 racoon: [P IPSEC]: INFO: IPsec-SA established: ESP 80.xxx.xx.120[500]->216.xx.x.245[500] spi=113920913(0x6ca4b91)
Jun 3 07:31:19 racoon: [P IPSEC]: INFO: initiate new phase 2 negotiation: 80.xxx.xx.120[500]<=>216.xx.x.245[500]
Jun 3 07:31:18 racoon: [P IPSEC]: INFO: ISAKMP-SA established 80.xxx.xx.120[500]-216.xx.x.245[500] spi:9130c15b3250d304:804dcbdd38a5728d
Jun 3 07:31:18 racoon: WARNING: port 500 expected, but 0
Jun 3 07:31:18 racoon: INFO: received Vendor ID: DPD
Jun 3 07:31:18 racoon: INFO: NAT not detected
Jun 3 07:31:18 racoon: INFO: NAT-D payload #1 verified
Jun 3 07:31:18 racoon: [216.xx.x.245] INFO: Hashing 216.xx.x.245[500] with algo #2
Jun 3 07:31:18 racoon: INFO: NAT-D payload #0 verified
Jun 3 07:31:18 racoon: [80.xxx.xx.120] INFO: Hashing 80.xxx.xx.120[500] with algo #2
Jun 3 07:31:18 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jun 3 07:31:18 racoon: INFO: received Vendor ID: CISCO-UNITY
Jun 3 07:31:18 racoon: INFO: Adding remote and local NAT-D payloads.
Jun 3 07:31:18 racoon: [80.xxx.xx.120] INFO: Hashing 80.xxx.xx.120[500] with algo #2
Jun 3 07:31:18 racoon: [216.xx.x.245] INFO: Hashing 216.xx.x.245[500] with algo #2
Jun 3 07:31:18 racoon: [216.xx.x.245] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 3 07:31:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Jun 3 07:31:18 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 3 07:31:18 racoon: INFO: begin Identity Protection mode.
Jun 3 07:31:18 racoon: [P IPSEC]: INFO: initiate new phase 1 negotiation: 80.xxx.xx.120[500]<=>216.xx.x.245[500]
Jun 3 07:31:18 racoon: [P IPSEC]: INFO: IPsec-SA request for 216.xx.x.245 queued due to no phase1 found.
The problem I have (I believe) is that the 'from' address being passed from my network is not being NATed, i.e. the internal 192.xxx.xxx.230 address is being passed instead of the interface address 80.xxx.xx.120. The Cisco log that shows this is as follows:
Crypto isakmp (phase 1):
14 IKE Peer: 80.xxx.xx.120
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Crypto ipsec (phase 2):
peer address: 80.xxx.xx.120
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 216.xx.x.245
local ident (addr/mask/prot/port): (216.xx.x.27/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.xxx.xxx.0/255.255.255.0/0/0)
current_peer: 80.xxx.xx.120
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.xx.x.245, remote crypto endpt.: 80.xxx.xx.120
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 05F6FDEA
inbound esp sas:
spi: 0x0F0A6F01 (252342017)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106487808, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 10530
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000007FF
outbound esp sas:
spi: 0x05F6FDEA (100072938)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106487808, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 10530
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Capture on inside interface of firewall (after translations on our side):
6 packets captured
1: 20:14:34.768102 192.xxx.xxx.230.53188 > 10.x.xxx.163.8080: S 4188951898:4188951898(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
2: 20:14:37.756262 192.xxx.xxx.230.53188 > 10.x.xxx.163.8080: S 4188951898:4188951898(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK>
3: 20:14:43.756476 192.xxx.xxx.230.53188 > 10.x.xxx.163.8080: S 4188951898:4188951898(0) win 8192 <mss 1380,nop,nop,sackOK>
4: 20:18:16.464621 192.xxx.xxx.230 > 10.x.xxx.163: icmp: echo request
5: 20:18:21.465079 192.xxx.xxx.230 > 10.x.xxx.163: icmp: echo request
6: 20:18:26.464865 192.xxx.xxx.230 > 10.x.xxx.163: icmp: echo request
As mentioned, any help would be greatly appreciated.
/Gary
-
Might help: http://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS
-
Thanks for the prompt reply, Perry. However, I still can't see from this guide how to outbound-NAT translate my internal IP addresses.
Basically, the Cisco side of the connection is expecting my public IP address and not the internal IP addresses that are being sent.
Any help really would be greatly appreciated.
/Gary
-
That is not NAT-T. That is just plain NAT, which doesn't work with IPsec on pfSense.
NAT-T just lets clients work from behind NAT; it doesn't actually translate addresses.
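As an added illustration of the distinction drawn in the reply above (this is example code, not code from the thread, from pfSense or from Cisco), the Python script below reads the three kinds of artefact posted earlier, the racoon log, the Cisco "show crypto ipsec sa" output and the crypto ACL, and reports what each one establishes: whether racoon detected NAT and negotiated NAT-T (which only decides on UDP encapsulation of ESP, never on rewriting addresses), whether the Phase 2 proxy IDs the Cisco installed are covered by any crypto ACL entry, and whether the SA counters are one-directional. The sample extracts are constructed on RFC 5737 documentation addresses that mirror the thread's topology (pfSense WAN 203.0.113.120, LAN 192.0.2.0/24, Cisco peer 198.51.100.245); they are not the poster's real data. The ACL parser also accepts the `any` and address/wildcard-mask operand forms, which the thread itself does not show.

```python
"""Diagnostic for the symptom in the thread: a Phase 2 selector the far-end
crypto ACL does not cover, plus NAT-T status read from racoon's log.
All sample text below is constructed on RFC 5737 addresses."""
import re
from ipaddress import IPv4Network

# Constructed excerpt of a racoon phase 1/2 log (pfSense side).
RACOON_LOG = """\
Jun 3 07:31:18 racoon: INFO: NAT not detected
Jun 3 07:31:18 racoon: [198.51.100.245] INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Jun 3 07:31:18 racoon: [P IPSEC]: INFO: ISAKMP-SA established 203.0.113.120[500]-198.51.100.245[500] spi:9130c15b3250d304:804dcbdd38a5728d
Jun 3 07:31:19 racoon: [P IPSEC]: INFO: IPsec-SA established: ESP 203.0.113.120[500]->198.51.100.245[500] spi=278237842(0x10959292)
"""

# Constructed excerpt of "show crypto ipsec sa" on the Cisco side.
CISCO_SA = """\
local ident (addr/mask/prot/port): (198.51.100.27/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""

# Constructed crypto ACL in the thread's shape: each remote host is only
# permitted to talk to the pfSense WAN address, not to its LAN subnet.
CISCO_ACL = """\
access-list SMIT_outside_cryptomap extended permit ip host 198.51.100.191 host 203.0.113.120
access-list SMIT_outside_cryptomap extended permit ip host 198.51.100.27 host 203.0.113.120
access-list SMIT_outside_cryptomap extended permit ip host 198.51.100.28 host 203.0.113.120
"""


def nat_t_status(log: str) -> dict:
    """What racoon decided about NAT-T: was a NAT seen, and which UDP port
    carries ESP (500 = plain IKE/ESP, 4500 = NAT-T UDP encapsulation)."""
    nat_detected = re.search(r"INFO: NAT detected", log) is not None
    m = re.search(r"IPsec-SA established: ESP \S+?\[(\d+)\]->", log)
    return {"nat_detected": nat_detected, "esp_port": int(m.group(1)) if m else None}


def parse_cisco_sa(text: str) -> dict:
    """Proxy IDs (local/remote ident) and encaps/decaps counters of one SA."""
    out = {}
    pat = r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
    for side, addr, mask in re.findall(pat, text):
        out[f"{side}_ident"] = IPv4Network(f"{addr}/{mask}", strict=False)
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        out[name] = int(m.group(1)) if m else 0
    return out


def _acl_operand(tokens, i):
    """Decode one ACL address operand: 'host A', 'any' or 'A MASK'."""
    if tokens[i] == "host":
        return IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text: str) -> list:
    """List of (local_network, remote_network) pairs from 'permit ip' entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens or "ip" not in tokens:
            continue
        i = tokens.index("ip") + 1
        src, i = _acl_operand(tokens, i)
        dst, _ = _acl_operand(tokens, i)
        entries.append((src, dst))
    return entries


def selector_matches(acl: list, sa: dict) -> bool:
    """True if some ACL entry covers the proxy IDs installed for the SA."""
    return any(sa["local_ident"].subnet_of(src) and sa["remote_ident"].subnet_of(dst)
               for src, dst in acl)


def diagnose(racoon_log: str, cisco_sa_text: str, cisco_acl_text: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    nat = nat_t_status(racoon_log)
    if not nat["nat_detected"]:
        findings.append(f"NAT-T: no NAT detected between peers; ESP on UDP/{nat['esp_port']} "
                        "(NAT-T only adds UDP encapsulation, it never rewrites inner addresses)")
    sa = parse_cisco_sa(cisco_sa_text)
    acl = parse_crypto_acl(cisco_acl_text)
    if not selector_matches(acl, sa):
        findings.append(f"selector mismatch: SA proxy IDs {sa['local_ident']} <-> "
                        f"{sa['remote_ident']} are not covered by any crypto ACL entry")
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append(f"one-way traffic: decaps={sa['decaps']} encaps={sa['encaps']} "
                        "(peer traffic arrives, nothing is sent back)")
    return findings


if __name__ == "__main__":
    for line in diagnose(RACOON_LOG, CISCO_SA, CISCO_ACL):
        print("-", line)
```

Feed it the real outputs in place of the three constructed strings. On the constructed sample the selector finding is the interesting one: the LAN subnet is carried as the local proxy ID while the far side only permits the WAN host, which is consistent with an SA that decapsulates the arriving packets but never selects anything for the return direction.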