Netgate Discussion Forum
    PFSense to Cisco - NAT before ipSec

Jimbolian

Hi, after many hours of trawling the net it looks like this is unsupported? Essentially we need to create a pfSense to Cisco IPsec tunnel. Phase 1 works fine, but Phase 2 fails.

We have two options to connect to the client: either NAT our internal LAN to an internal IP they have provided on their side,

or NAT our internal LAN to an external, publicly addressable IP that isn't our firewall's IP.

Have tried it either way, and the furthest we got was getting Phase 1 to work.

This gave the following error on their Cisco:

      "Instead of sending the single public IP address we are receiving your internal 192.168.9.0 networks. See below for debug:

      .Oct 19 16:03:59.924 GMT: IPSEC(validate_proposal_request): proposal part #1,
        (key eng. msg.) INBOUND local= Peer IP, remote= FW IP,
          local_proxy= The remote subnet/255.255.255.252/0/0 (type=4),
          remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
          protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
          lifedur= 0s and 0kb,
          spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
      .Oct 19 16:03:59.924 GMT: Crypto mapdb : proxy_match
              src addr    : The remote subnet
              dst addr    : 192.168.9.0
              protocol    : 0
              src port    : 0
              dst port    : 0

Now under the Phase 2 settings, setting the local network to:

• Our internal network gives the error above.
• Our LAN, and their Cisco doesn't get that detail.
• Our external non-FW IP, and it looks like the tunnel doesn't even start on our side.
• The IP address on their side that we're to NAT to, and there's an error saying it's not on the pfSense box (which I'd expect).

So either I'm missing something fundamental here or it's unsupported? As the tunnel doesn't come up, I saw no point configuring outbound NAT rules, as they would be processed after the tunnel is up?

      Help much appreciated!

Cheers,

      James

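The Cisco debug quoted in the post is a traffic-selector (proxy ID) disagreement: the Cisco's crypto ACL is waiting for one public /32 on the pfSense side and instead receives 192.168.9.0/24 as remote_proxy, so Phase 2 never matches. The script below is an added example, not code from the original post, from pfSense or from Cisco. It parses `IPSEC(validate_proposal_request)` lines of the kind shown above and compares the proposed local_proxy/remote_proxy with the selectors the Cisco administrator configured, so both sides can point at the exact selector that differs. All addresses in it (203.0.113.x, 198.51.100.x) are constructed RFC 5737 placeholders standing in for "Peer IP", "FW IP" and "The remote subnet"; the expected-policy values are assumptions for the demonstration.

```python
"""Compare Cisco IOS IPsec proxy IDs (Phase 2 selectors) with the expected policy.

Added example, not from the forum post. Parses the proxy IDs a Cisco prints in
`IPSEC(validate_proposal_request)` debug output and reports every way the
peer's proposal differs from the selectors configured in the crypto ACL.
All addresses are constructed placeholders.
"""
import ipaddress
import re
from typing import NamedTuple

# Cisco prints each proxy ID as address/mask/protocol/port, e.g.
#   remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4)
# where protocol 0 and port 0 mean "any".
PROXY_RE = re.compile(
    r"(?P<side>local_proxy|remote_proxy)=\s*"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})/(?P<mask>\d{1,3}(?:\.\d{1,3}){3})"
    r"/(?P<proto>\d+)/(?P<port>\d+)"
)


class ProxyId(NamedTuple):
    network: ipaddress.IPv4Network
    protocol: int  # 0 = any
    port: int      # 0 = any


def parse_proxy_ids(debug_text: str) -> dict[str, ProxyId]:
    """Return {'local_proxy': ProxyId, 'remote_proxy': ProxyId} found in a debug dump."""
    found: dict[str, ProxyId] = {}
    for m in PROXY_RE.finditer(debug_text):
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        found[m["side"]] = ProxyId(net, int(m["proto"]), int(m["port"]))
    return found


def check_phase2(proposed: dict[str, ProxyId], expected: dict[str, ProxyId]) -> list[str]:
    """List every selector in the proposal that differs from the configured policy.

    The comparison is an exact match of network, protocol and port on each side;
    an empty list means the proposal matches the policy.
    """
    problems: list[str] = []
    for side in ("local_proxy", "remote_proxy"):
        want = expected[side]
        got = proposed.get(side)
        if got is None:
            problems.append(f"{side}: not present in proposal")
        elif got != want:
            problems.append(
                f"{side}: peer proposed {got.network} (proto {got.protocol}, port {got.port}), "
                f"policy expects {want.network} (proto {want.protocol}, port {want.port})"
            )
    return problems


# Constructed debug excerpt modelled on the post's output. Placeholders:
# 198.51.100.1 = Cisco peer, 203.0.113.1 = pfSense WAN ("FW IP"),
# 198.51.100.64/30 = the client's subnet, 192.168.9.0/24 = the pfSense LAN.
SAMPLE_DEBUG = """\
.Oct 19 16:03:59.924 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 198.51.100.1, remote= 203.0.113.1,
    local_proxy= 198.51.100.64/255.255.255.252/0/0 (type=4),
    remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
"""

# The same exchange once the pfSense side proposes the translated public /32
# (203.0.113.10, constructed) instead of the raw LAN: this is what a working
# NAT-before-IPsec proposal looks like from the Cisco's point of view.
FIXED_DEBUG = SAMPLE_DEBUG.replace("192.168.9.0/255.255.255.0", "203.0.113.10/255.255.255.255")

# Assumed policy on the Cisco: their /30 locally, the single public IP remotely.
EXPECTED_PROXIES = {
    "local_proxy": ProxyId(ipaddress.IPv4Network("198.51.100.64/30"), 0, 0),
    "remote_proxy": ProxyId(ipaddress.IPv4Network("203.0.113.10/32"), 0, 0),
}


def diagnose(debug_text: str = SAMPLE_DEBUG,
             expected: dict[str, ProxyId] = EXPECTED_PROXIES) -> list[str]:
    """Parse a debug dump and return the list of selector mismatches."""
    return check_phase2(parse_proxy_ids(debug_text), expected)


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_DEBUG), ("after NAT fix", FIXED_DEBUG)):
        print(f"[{label}]")
        for line in diagnose(text) or ["proxy IDs match the configured policy"]:
            print("  " + line)
```

Run against the posted-style excerpt it reports only remote_proxy: 192.168.9.0/24 proposed where 203.0.113.10/32 is expected, which is exactly the complaint from the Cisco side. In pfSense this is the case the Phase 2 "NAT/BINAT translation" field covers: Local Network stays the real LAN (192.168.9.0/24) and the translation address is the public /32, which is then what the Cisco sees as remote_proxy; outbound NAT rules on the WAN do not change the Phase 2 identities at all.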
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.