Netgate Discussion Forum

    Ipsec with NAT

    jleandro:

      Hi everybody,

      I have a pfSense server with 2 IPsec VPNs working fine.
      But in the last few days I have been in trouble, because the third VPN doesn't work; to be precise, it works only with no NAT.
      When I try Outbound NAT or 1:1 NAT, IPsec doesn't create the tunnels.
      Reading some topics I saw "pfSense 2.1 with NAT before IPsec".
      Do the versions before this not do NAT? Does version 2.03 not do NAT?

      My pfSense version is: 2.0.3-RELEASE (i386)

      Thanks a lot.

      Jeff

      jleandro.
      ----------

    jleandro:

      Hi,
      I updated my pfSense to version 2.1.
      But the problem persists.
      The LAN IP is 192.168.a.b/24
      and the IPsec tunnels are:
      10.x.y.z/27 -> 200.x.y.0/24
      10.x.y.z/27 -> 200.x.z.0/24
      10.x.y.z/27 -> 177.x.y.0/24
      10.x.y.z/27 -> 177.x.z.0/24

      So the host 192.168.a.b/32 needs to be NATed to 10.x.y.z/32 to reach any host at 200.x.y.z/32.
      If I put the address 10.x.y.z/255.255.255.224 on the interface of the workstation, it works fine (phase 1 and phase 2, and I can access the remote host).

      But accessing from 192.168.a.b/32 doesn't work.

      I've created NAT like this:
      source 192.168.a.b/24 - dest 200.x.y.0/24 - interface IPsec - translation 10.x.y.65 (virtual IP, from the 10.x.y.z/27)
      and
      source 192.168.a.b/24 - dest 200.x.y.0/24 - interface LAN - translation 10.x.y.65 (virtual IP, from the 10.x.y.z/27)
      Of course, I put the IP 10.x.y.65 in the routing as a gateway.

      With this NAT config the tunnel doesn't start.

      Does someone have a tip, or can see what is wrong?
      I think there is an error in the config, but I can't see how to do the NAT on the LAN interface before IPsec…

      I hope you understand my explanation.

      Thanks a lot

        jleandro.
      ----------

    dimmon:

      I have a similar problem.
      My LAN subnet is 10.20.30.0/24
      gateway is: pfSense 2.1-RELEASE
      local gateway IP is: 10.20.30.40
      remote IPsec gateway IP is: 216.200.x.1

      I had already configured the IPsec tunnel, phase 1: WAN <-> 216.200.x.1
      phase 2: 10.20.30.40 <-> 216.200.x.5
      Status is up.
      But I can't ping 216.200.x.5. Traceroute traffic goes through my WAN (Internet), but not through the IPsec tunnel. I tried a lot of configuration options, but the result is bad.

      1. What is my mistake?
      2. How can I access 216.200.x.5 from a local IP, e.g. 10.20.30.2?

          Please help me!

    corradolab:

      dimmon,

      it looks like your remote gateway and remote LAN are on the same network (i.e. 216.200.x.0/24).
      Another strange thing is that the remote host you want to connect to is a public IP (216.200.x.5), which you could connect to directly without IPsec.

      I think your setup should be something like this:

      local_lan      <-->  local_gw     pfsense  local_public_ip  <-->  remote_public_ip  remote_router  remote_gw  <-->  remote_lan
      10.20.30.0/24        10.20.30.40           ?.?.?.?                216.200.x.1                      x.x.x.x          x.x.x.0/24
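      Both problems in this thread come down to the same check: a packet only enters the tunnel if its source (after any outbound NAT) and destination match a phase 2 selector; otherwise it follows the default route out the WAN, which is what dimmon's traceroute shows, and why jleandro's LAN hosts must be translated into the /27 first. The following Python model is an added example, not pfSense code or anyone's config from this thread; the subnets are constructed documentation addresses standing in for the x.y.z placeholders, and it models the selector logic only, not how pfSense 2.1 itself implements phase 2 NAT.

```python
from ipaddress import ip_address, ip_network

# Constructed phase 2 selectors (local_net, remote_net), modelled on the two posts above.
PHASE2 = {
    "jleandro": [("10.0.0.64/27", "203.0.113.0/24")],    # stands in for 10.x.y.z/27 -> 200.x.y.0/24
    "dimmon":   [("10.20.30.40/32", "198.51.100.5/32")],  # stands in for 10.20.30.40 <-> 216.200.x.5
}

# Constructed outbound NAT rules applied before the policy lookup:
# (source net to match, destination net to match, translated source address).
NAT = {
    "jleandro": [("192.168.1.0/24", "203.0.113.0/24", "10.0.0.65")],  # LAN -> virtual IP inside the /27
    "dimmon":   [],                                                    # no NAT configured
}


def apply_nat(src, dst, nat_rules):
    """Return the source address the IPsec policy sees after outbound NAT (unchanged if no rule hits)."""
    for src_net, dst_net, translated in nat_rules:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return translated
    return src


def matches_phase2(src, dst, phase2):
    """Return the (local_net, remote_net) selector that would capture this flow, or None."""
    for local_net, remote_net in phase2:
        if ip_address(src) in ip_network(local_net) and ip_address(dst) in ip_network(remote_net):
            return (local_net, remote_net)
    return None


def classify(site, src, dst):
    """Report where a flow goes: 'tunnel' if a selector matches, 'wan' if it falls through to the default route."""
    nat_src = apply_nat(src, dst, NAT[site])
    selector = matches_phase2(nat_src, dst, PHASE2[site])
    return ("tunnel" if selector else "wan", nat_src, selector)


if __name__ == "__main__":
    # dimmon's test host 10.20.30.2 is outside the /32 selector, so it leaves via the WAN.
    print(classify("dimmon", "10.20.30.2", "198.51.100.5"))
    # jleandro's LAN host only enters the tunnel once NAT maps it into the /27.
    print(classify("jleandro", "192.168.1.10", "203.0.113.7"))
```

      Adjusting the NAT entries (or widening the phase 2 selector) and re-running classify() shows which change would make a given host's traffic match.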
            