Netgate Discussion Forum

    Nat over ipsec with public IP's, can someone explain how it works?

miloman:

      Hi

I currently have a pfSense 2.0.1 setup with 2 firewalls in a HA cluster. In this setup I have multiple IPsec tunnels to various networks.

Now I would like to create an IPsec tunnel that uses NAT with a public IP. How can I achieve this? Some people say it can be done by setting up another pfSense box, but I can't seem to get my head around it. Could someone please explain this?

If I get a proper answer, I'm going to make a test setup in my lab, do a writeup on how to do it and share it in the forums.

jimp (Rebel Alliance Developer, Netgate):

        I've set it up multiple times for customers. It is a bit hard to wrap one's head around, but the basic idea is:

        • Box (or in your case, cluster) A routes traffic for the destination network to Box B
        • Box B does the NAT, then forwards the traffic back to Box A
        • Box A has the IPsec tunnel, and since the P2 should be set for (nat subnet) -> (far side subnet), now the p2 matches and IPsec picks it up.

        We've currently got some work happening for 2.1 to fix up NAT+IPsec a little, it should at least work for 1:1 NAT, not sure about overloading.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

miloman:

          @jimp:

          I've set it up multiple times for customers. It is a bit hard to wrap one's head around, but the basic idea is:

          • Box (or in your case, cluster) A routes traffic for the destination network to Box B
          • Box B does the NAT, then forwards the traffic back to Box A
          • Box A has the IPsec tunnel, and since the P2 should be set for (nat subnet) -> (far side subnet), now the p2 matches and IPsec picks it up.

          We've currently got some work happening for 2.1 to fix up NAT+IPsec a little, it should at least work for 1:1 NAT, not sure about overloading.

Let me try and get this straight (I don't have MS Paint available right now, so text'll have to do).

So if I want to access, let's say, 2.2.2.3 from my server with IP 192.168.1.200, it would look like this?

          Box-A
          wan: 1.1.1.1/24
          lan: 10.0.0.1/24
          opt: 192.168.1.1/24

IPsec
          remote peer 2.2.2.1
          remote subnet 2.2.2.2/30
          local subnet 1.1.1.10/30
          static route 2.2.2.2/30 gateway

          Box-B
          wan: 1.1.1.2/24
          lan: 10.0.0.2/24
          opt: 192.168.1.2/24
          nat 192.168.1.200 <-> 1.1.1.11

          Is this right? How would the Box-B know how to send the traffic back to Box-A?

jimp (Rebel Alliance Developer, Netgate):

            Have been low on time to reply here, but the basics are:

            Box B's "wan" would be the phase 2 local address on Box A's IPsec tunnel
            Static route on Box A points 2.2.2.2/30 to Box B's LAN IP
            Static route on Box B points 2.2.2.2/30 to Box A's WAN IP
            Probably need to disable reply-to also.

            The IPsec SPD prevents a routing loop as the traffic from Box A's WAN to Box B will match the P2 SPD between Box B's WAN IP and 2.2.2.2/30.

            Beyond that it's hard to really lay out/describe on the forum, but it's something we're more than happy to help with on commercial support.

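The two-box forwarding path jimp describes is easier to see when walked hop by hop. The following Python model is an added example, not pfSense or Netgate code and not from the thread's posters: it takes the thread's addresses (Box A WAN 1.1.1.1, Box B WAN 1.1.1.2, server 192.168.1.200, far side 2.2.2.2/30, peer 2.2.2.1) and encodes the three rules from the answer: Box A routes 2.2.2.2/30 to Box B, Box B NATs the source to its WAN address and routes the destination back to Box A, and Box A's phase 2 selector is (Box B WAN) -> 2.2.2.2/30. The assumption that makes it work, stated in the thread, is that the IPsec SPD is checked before the static route is honoured, so the NATed packet is encapsulated instead of being routed to Box B again. The model also shows the failure case: if the NAT address falls outside the P2 local selector, the same two routes form a loop.

```python
"""Walk a packet through the 'NAT on Box B, IPsec on Box A' design.

Constructed model for illustration; addresses follow the forum thread,
and the topology is an assumption based on jimp's description.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def net(s):
    # strict=False so "2.2.2.2/30" becomes the network 2.2.2.0/30
    return ipaddress.ip_network(s, strict=False)


def addr(s):
    return ipaddress.ip_address(s)


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    trace: list = field(default_factory=list)


@dataclass
class Box:
    name: str
    # static routes: destination network -> next hop (a box name)
    routes: dict
    # IPsec phase 2 selectors: (local net, remote net, peer)
    spd: list = field(default_factory=list)
    # outbound NAT: (matching source net, translated source address)
    nat: Optional[tuple] = None

    def handle(self, pkt: Packet) -> str:
        """Return 'tunnel', 'drop' or the name of the next-hop box."""
        # 1. IPsec policy first: traffic matching a P2 selector is
        #    encapsulated and never reaches the static route (assumption
        #    matching the thread's "SPD prevents a routing loop" remark).
        for local, remote, peer in self.spd:
            if pkt.src in local and pkt.dst in remote:
                pkt.trace.append(
                    f"{self.name}: SPD {local}->{remote} matched, encapsulate to {peer}")
                return "tunnel"
        # 2. longest-prefix route lookup
        next_hop = None
        for n, hop in sorted(self.routes.items(),
                             key=lambda kv: kv[0].prefixlen, reverse=True):
            if pkt.dst in n:
                next_hop = hop
                break
        if next_hop is None:
            pkt.trace.append(f"{self.name}: no route for {pkt.dst}")
            return "drop"
        # 3. outbound NAT on the way out (only Box B carries one here)
        if self.nat and pkt.src in self.nat[0]:
            pkt.trace.append(f"{self.name}: NAT {pkt.src} -> {self.nat[1]}")
            pkt.src = self.nat[1]
        pkt.trace.append(f"{self.name}: route {pkt.dst} via {next_hop}")
        return next_hop


def build(p2_local="1.1.1.2/32"):
    """Topology from the thread; p2_local is Box A's phase 2 local selector."""
    box_a = Box("BoxA",
                routes={net("2.2.2.2/30"): "BoxB"},           # to Box B's LAN IP
                spd=[(net(p2_local), net("2.2.2.2/30"), "2.2.2.1")])
    box_b = Box("BoxB",
                routes={net("2.2.2.2/30"): "BoxA"},           # to Box A's WAN IP
                nat=(net("192.168.1.0/24"), addr("1.1.1.2")))  # source NAT to Box B WAN
    return {"BoxA": box_a, "BoxB": box_b}


def forward(boxes, src, dst, max_hops=8):
    """Start at Box A and follow the packet until it is tunnelled, dropped or loops."""
    pkt = Packet(addr(src), addr(dst))
    where = "BoxA"
    for _ in range(max_hops):
        where = boxes[where].handle(pkt)
        if where in ("tunnel", "drop"):
            return where, pkt
    pkt.trace.append("hop limit exceeded: routing loop between BoxA and BoxB")
    return "loop", pkt


if __name__ == "__main__":
    for selector in ("1.1.1.2/32", "1.1.1.10/30"):
        outcome, pkt = forward(build(selector), "192.168.1.200", "2.2.2.3")
        print(f"P2 local {selector}: {outcome}")
        for line in pkt.trace:
            print("  " + line)
```

With the correct selector the trace is four steps: Box A routes to Box B, Box B NATs and routes back, Box A's SPD matches the now-public source and encapsulates. With a selector that does not contain the NAT address (the 1.1.1.10/30 of the earlier sketch, while Box B translates to 1.1.1.2) nothing ever matches the SPD and the two static routes bounce the packet until the hop limit, which is the loop the SPD is there to prevent.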

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.