IPsec & Firewall rules / NAT
-
I experience troubles when trying to establish an IPsec connection between home with dynamic IP and the office with a static one.
Home is set up as mobile client with a Lan subnet of 192.168.2.0/24 and office has a static public IP with 192.168.100.0/24 as LAN subnet. Setup is from HOBA's tutorial still with 1200s lifetime for both phases and sides.Just to make sure, please correct my ruleset if anything is wrong:
home:
NAT: WAN UDP 500 192.168.2.3 (ext.: ) 500 UDP 500 for IPsec
NAT: WAN ESP 192.168.2.3 (ext.: ) ESP for IPsec
RULE: ESP * * WAN address * * NAT ESP for IPsec
RULE: UDP * * WAN address 500 * NAT UDP500 for IPsecoffice:
NAT: WAN UDP 500 192.168.100.99 (ext.: ) 500 UDP 500 for IPsec
NAT: WAN ESP 192.168.100.99 (ext.: ) ESP for IPsec
RULE: ESP * * gateway * * NAT ESP for IPsec
RULE: UDP * * gateway 500 * NAT UDP500 for IPsecgateway is an alias for the pfSense LAN address (192.168.100.99) at office side.
Which entry is correct - ESP to WAN or LAN host (alias: gateway)?
Further on, I have no SAD or SPD on static side whereas I get an SPD entry on the dynamic side but no SAD since the tunnel is not up.
This might be ok.On systemlogs|firewall tab at home I have racoon pares errors. These do not show up at office side…
Anyone?
-
Since there are so many views of this topic I post what finally worked for me and might help others.
Maybe Hoba adds it to his tutorial…both sides:
RULE: AH * * WAN address * * AH for IPsec
RULE: ESP * * WAN address * * ESP for IPsec
RULE: UDP * * WAN address 500 * UDP500 for IPsecIf you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.
Do not use any NAT rules, this is not necessary and NAT-traversal (NAT-T) of IPsec is a task on its own.
This usually would require UDP4500 and other things I am not familiar with.
Have a look here: http://en.wikipedia.org/wiki/NAT_traversal
