Netgate Discussion Forum

    IPsec & Firewall rules / NAT

    jahonix:

      I experience troubles when trying to establish an IPsec connection between home with dynamic IP and the office with a static one.
      Home is set up as mobile client with a LAN subnet of 192.168.2.0/24 and office has a static public IP with 192.168.100.0/24 as LAN subnet. Setup is from HOBA's tutorial still with 1200s lifetime for both phases and sides.

      Just to make sure, please correct my ruleset if anything is wrong:

      home:
      NAT   Interface  Proto  Ext. port  NAT IP                  Int. port  Description
            WAN        UDP    500        192.168.2.3 (ext.: )    500        UDP 500 for IPsec
            WAN        ESP               192.168.2.3 (ext.: )               ESP for IPsec
      RULE  Proto  Source  Port  Destination  Port  Gateway  Description
            ESP    *       *     WAN address  *     *        NAT ESP for IPsec
            UDP    *       *     WAN address  500   *        NAT UDP500 for IPsec

      office:
      NAT   Interface  Proto  Ext. port  NAT IP                     Int. port  Description
            WAN        UDP    500        192.168.100.99 (ext.: )    500        UDP 500 for IPsec
            WAN        ESP               192.168.100.99 (ext.: )               ESP for IPsec
      RULE  Proto  Source  Port  Destination  Port  Gateway  Description
            ESP    *       *     gateway      *     *        NAT ESP for IPsec
            UDP    *       *     gateway      500   *        NAT UDP500 for IPsec

      gateway is an alias for the pfSense LAN address (192.168.100.99) at office side.

      Which entry is correct - ESP to WAN or LAN host (alias: gateway)?

      Further on, I have no SAD or SPD on static side whereas I get an SPD entry on the dynamic side but no SAD since the tunnel is not up.
      This might be ok.

      On the System logs | Firewall tab at home I have racoon parse errors. These do not show up at office side…

      Anyone?

    jahonix:

        Since there are so many views of this topic, I'm posting what finally worked for me; it might help others.
        Maybe Hoba adds it to his tutorial…

        both sides:
        RULE  Proto  Source  Port  Destination  Port  Gateway  Description
              AH     *       *     WAN address  *     *        AH for IPsec
              ESP    *       *     WAN address  *     *        ESP for IPsec
              UDP    *       *     WAN address  500   *        UDP500 for IPsec

        If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.

        Do not use any NAT rules; this is not necessary, and NAT traversal (NAT-T) of IPsec is a task on its own.
        This usually would require UDP4500 and other things I am not familiar with.
        Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal

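The two posts above boil down to a small checklist for WAN rules on an IPsec endpoint: pass UDP/500 (IKE) and ESP to the firewall's own WAN address, not to a LAN host or alias, and do not add NAT port forwards; UDP/4500 only matters when a peer is behind NAT (NAT-T). The script below is an added example, not code from the thread or from pfSense: it parses rulesets written in the plain-text column form the posts use (column order as they appear above is an assumption) and reports what is missing or misdirected. Both sample rulesets are constructed for the example.

```python
"""Audit a pfSense-style WAN ruleset, written out in the plain-text column form
used in this thread, for the flows an IPsec endpoint on the firewall needs.

Line formats assumed (column order as in the posts above):
    RULE: <proto> <source> <src port> <destination> <dst port> <gateway> <description>
    NAT:  <interface> <proto> <ext port> <NAT IP> <int port> <description>

All rulesets below are constructed for this example; none is captured from a
real firewall.
"""
from dataclasses import dataclass

# Constructed: the office-side ruleset from the first post (rules aimed at the
# LAN alias "gateway" plus two NAT port forwards).
OFFICE_RULES = """
NAT:  WAN  UDP  500  192.168.100.99 (ext.: )  500  UDP 500 for IPsec
NAT:  WAN  ESP       192.168.100.99 (ext.: )       ESP for IPsec
RULE: ESP  *  *  gateway  *    *  NAT ESP for IPsec
RULE: UDP  *  *  gateway  500  *  NAT UDP500 for IPsec
"""

# Constructed: the ruleset the second post reports as working.
FIXED_RULES = """
RULE: AH   *  *  WAN address  *    *  AH for IPsec
RULE: ESP  *  *  WAN address  *    *  ESP for IPsec
RULE: UDP  *  *  WAN address  500  *  UDP500 for IPsec
"""

# Flows IKE/IPsec needs when the tunnel terminates on the firewall itself.
REQUIRED = [("UDP", "500"), ("ESP", "*")]
NAT_T = ("UDP", "4500")          # only when one peer sits behind NAT (NAT-T)
SELF = ("WAN address", "*")      # destinations that reach the firewall's WAN IP


@dataclass(frozen=True)
class Rule:
    proto: str
    src: str
    src_port: str
    dst: str
    dst_port: str
    description: str


def parse_rules(text: str) -> list[Rule]:
    """Parse RULE: lines; NAT: lines are counted separately, other lines ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("RULE:"):
            continue
        # "WAN address" is one column but contains a space; glue it before splitting.
        body = line[len("RULE:"):].replace("WAN address", "WAN_address")
        parts = body.split(None, 6)   # at most 7 fields; description keeps its spaces
        if len(parts) < 6:
            raise ValueError(f"malformed rule line: {line!r}")
        proto, src, sport, dst, dport, _gateway = parts[:6]
        desc = parts[6] if len(parts) == 7 else ""
        rules.append(Rule(proto.upper(), src, sport, dst.replace("_", " "), dport, desc))
    return rules


def count_nat_rules(text: str) -> int:
    """Number of NAT port-forward entries in the listing."""
    return sum(1 for raw in text.splitlines() if raw.strip().startswith("NAT:"))


def permits(rules: list[Rule], proto: str, dst_port: str) -> bool:
    """True if some rule passes <proto>/<dst_port> to the firewall's WAN address."""
    return any(
        r.proto == proto and r.dst in SELF and r.dst_port in ("*", dst_port)
        for r in rules
    )


def audit(text: str, behind_nat: bool = False) -> list[str]:
    """Return a list of findings; an empty list means the ruleset looks right."""
    rules = parse_rules(text)
    findings = []
    for proto, port in REQUIRED:
        if not permits(rules, proto, port):
            findings.append(f"missing pass rule: {proto}/{port} to WAN address")
    if behind_nat and not permits(rules, *NAT_T):
        findings.append("missing pass rule: UDP/4500 to WAN address (NAT-T)")
    for r in rules:
        # IKE and ESP/AH terminate on the firewall, so a LAN host or alias as
        # destination never matches the incoming packets.
        ipsec_udp = r.proto == "UDP" and r.dst_port in ("500", "4500")
        if (r.proto in ("ESP", "AH") or ipsec_udp) and r.dst not in SELF:
            findings.append(f"{r.proto} rule targets {r.dst!r} instead of WAN address")
    nat = count_nat_rules(text)
    if nat:
        findings.append(f"{nat} NAT port-forward entries present; not needed when IPsec terminates on the firewall")
    return findings


if __name__ == "__main__":
    for name, text in (("office (original)", OFFICE_RULES), ("fixed", FIXED_RULES)):
        print(f"{name}: {audit(text) or ['ok']}")
```

Run it as-is to compare the two rulesets; pass `behind_nat=True` to `audit()` for the home side with a dynamic address behind a NAT router, which adds the UDP/4500 check the second post alludes to.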
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.