Netgate Discussion Forum

    NAT before IPSec

    NAT
    23 Posts 6 Posters 7.1k Views
    • vononka

      Hello,

      I just succeeded in configuring NAT before IPsec.
      I can send you my setup if you want.
      ;)

      Vononka

      • dotdash

        I mislabeled site A as C in that explanation. Sorry. I guess you figured it out anyway.

        • tleiras

          Hi Vononka,

          I have the same problem in my office. Site A and site B have the same network address. Could you help me by sending your configuration? I'm using the pfSense 2.1 release.

          Thanks in advance.

          Thiago Leiras

          • vononka

            Hi,

            1 - Create a virtual IP address on both firewalls (192.168.1.0 for 10.10.1.0/24 and 10.10.10.0/24 to 192.168.10.0/24)
            2 - Go to the VPN > IPsec menu. After you have configured phase 1, create the phase 2 negotiation.
            3 - Restart racoon
            4 - Insert a route on the PC (e.g. route add -net 10.10.10.0/24 gw YOUR_GW)

            Vononka

            [Attachments: virtual-IP_A.jpg, virtual-IP-siteB.jpg, phase2-siteA.jpg, phase2-siteB.jpg]

            • tleiras

              Thanks a Lot.

              I'll try this configuration.

              Thanks.

              Thiago Leiras

              • tleiras

                Hi Vononka,

                Did you have to set a 1:1 or Outbound NAT configuration?

                When you send a packet from Site A to Site B, what is the src IP when this packet arrives at the Site B host?

                I'm sorry for my english.

                Thiago Leiras

                • vononka

                  Hi,
                  No, but the subnet 192.168.1.0/24 is NATed to 10.10.1.0/24 and 192.168.10.0/24 to 10.10.10.0/24.
                  The virtual IP and the subnet must have the same netmask.

                  Vononka

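The translation vononka describes in the numbered steps and in the netmask rule above, as an added Python model. This is illustrative code written for this thread, not pfSense's own implementation or anything a poster shared: the class and function names (Binat, Site, make_site, needs_nat, end_to_end) are invented, and the addresses are the ones posted in the thread. It shows why overlapping LANs need NAT in the first place, rewrites a host from the real LAN into the NAT network before the phase 2 selector is checked (and back again on the far side), refuses mismatched netmasks, and shows why a PC must address the peer's NAT network rather than its real prefix (step 4's route) for the packet to enter the tunnel.

```python
"""Model of "NAT before IPsec" (network-to-network 1:1 translation) on a site-to-site tunnel.

Added illustration, not pfSense code. Names are invented; addresses are those from the
thread (192.168.1.0/24 <-> 10.10.1.0/24 at site A, 192.168.10.0/24 <-> 10.10.10.0/24 at site B).
"""
import ipaddress
from dataclasses import dataclass


def needs_nat(local_net: str, remote_net: str) -> bool:
    """True when the two LANs overlap: plain routing through the tunnel cannot
    distinguish them, so at least one side must be presented under another prefix."""
    return ipaddress.ip_network(local_net).overlaps(ipaddress.ip_network(remote_net))


@dataclass(frozen=True)
class Binat:
    """1:1 network translation: a host keeps its host bits, only the prefix changes."""
    real: ipaddress.IPv4Network   # what the hosts actually use
    nat: ipaddress.IPv4Network    # what the tunnel peer sees

    @classmethod
    def parse(cls, real_net: str, nat_net: str) -> "Binat":
        real = ipaddress.ip_network(real_net)
        nat = ipaddress.ip_network(nat_net)
        # The rule from the thread: VIP/NAT network and real subnet must share a netmask,
        # otherwise the host bits cannot be carried across one-for-one.
        if real.prefixlen != nat.prefixlen:
            raise ValueError(f"netmask mismatch: {real} vs {nat}")
        return cls(real, nat)

    @staticmethod
    def _rewrite(ip, src_net, dst_net):
        host_bits = int(ip) & int(src_net.hostmask)          # keep the host part
        return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

    def to_nat(self, ip):
        ip = ipaddress.ip_address(ip)
        if ip not in self.real:
            raise ValueError(f"{ip} is not in {self.real}")
        return self._rewrite(ip, self.real, self.nat)

    def to_real(self, ip):
        ip = ipaddress.ip_address(ip)
        if ip not in self.nat:
            raise ValueError(f"{ip} is not in {self.nat}")
        return self._rewrite(ip, self.nat, self.real)


@dataclass(frozen=True)
class Site:
    name: str
    local: Binat                      # own LAN and how it is shown to the peer
    remote: ipaddress.IPv4Network     # peer's LAN as the peer presents it (its NAT network)

    def send(self, src: str, dst: str):
        """A host on the real LAN sends towards the peer. Returns (src, dst) as they
        enter the tunnel, or None when the packet misses the phase 2 selector."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.local.real:
            return None
        nat_src = self.local.to_nat(src_ip)          # NAT happens first ...
        if dst_ip not in self.remote:                # ... then the selector
            return None                              # (local NAT net, remote net) must match
        return nat_src, dst_ip

    def receive(self, src: str, dst: str):
        """A packet leaves the tunnel here: dst is in the local NAT network and is
        translated back to the real host. None if it does not match the selector."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in self.remote or dst_ip not in self.local.nat:
            return None
        return src_ip, self.local.to_real(dst_ip)


def make_site(name: str, real_net: str, nat_net: str, remote_net: str) -> Site:
    return Site(name, Binat.parse(real_net, nat_net), ipaddress.ip_network(remote_net))


def end_to_end(sender: Site, receiver: Site, src: str, dst: str):
    """Full path: sender NATs and selects, receiver selects and un-NATs.
    Returns the (src, dst) the receiving host finally sees, or None if dropped."""
    entering = sender.send(src, dst)
    if entering is None:
        return None
    return receiver.receive(str(entering[0]), str(entering[1]))


if __name__ == "__main__":
    site_a = make_site("A", "192.168.1.0/24", "10.10.1.0/24", "10.10.10.0/24")
    site_b = make_site("B", "192.168.10.0/24", "10.10.10.0/24", "10.10.1.0/24")
    print(needs_nat("192.168.1.0/24", "192.168.1.0/24"))          # identical LANs -> True
    print(end_to_end(site_a, site_b, "192.168.1.50", "10.10.10.7"))
    # Addressing the peer's real prefix misses the selector: hence the route in step 4.
    print(site_a.send("192.168.1.50", "192.168.10.7"))
```

The model only covers network-to-network translation with equal prefix lengths, which is the case the thread describes; a single-address NAT target would be a many-to-one mapping and is deliberately rejected by the netmask check.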
                  • tleiras

                    Thanks a lot.
                    I'll try this configuration today. Afterwards I'll send news.

                    Thanks.

                    Thiago Leiras

                    • tleiras

                      Hi,

                      I've tried setting up the configuration as suggested, but this didn't work :'(.

                      My B side is an IPCop firewall and I tried to establish a VPN connection with site A using 172.16.24.0/24 as the remote address. On the A site I configured Local Network with 192.168.1.0/24 and NAT/BINAT with 172.16.24.0/24.

                      On the B site, the VPN status is OK, but on pfSense (Site A) the VPN connection is down, although there are logs registering the connection as established.

                      I'm attaching my actual configuration and log files from both sites. Does anyone have any idea why my Site A (192.168.1.0) packet does not arrive at site B (10.1.1.0) with a 172.168.24.0 address?

                      Thanks a lot for helping me.

                      [Attachments: SiteAConfigThiago.png, SiteBConfigThiago.png]

                      Thiago Leiras

                      • tleiras

                        What about your configuration between Site A and Site C? Did you establish the connection?
                        In your original post you described that Site A and Site C have the same CIDR. In this case, did you have to NAT your Site A address to arrive in Site C with another network address?

                        I'm sorry for the inconvenience.

                        Thiago Leiras

                        • tleiras

                          Hello,

                          I succeeded in establishing NAT before IPsec on both sides.

                          I think the problem is with IPCop. When I configure an IPsec VPN between two pfSenses (Site A 2.1 and Site B 2.0.3), the VPN works fine and all packets sent by Site A arrive at Site B with a 172.16.24.0 address. I'll check the IPCop documentation.

                          Thanks everyone for helping me.

                          Thiago Leiras

                          • tleiras

                            Hello,

                            I succeeded in establishing NAT before IPsec on both sides without problem. :D

                            The problem was on my IPCop on Site B. My firewall established a connection to the SonicWall using NAT over IPsec.

                            Thanks everyone for helping me.

                            Thiago Leiras

                            • shadokin

                              On the VIP you created, I assume you used a Localhost IP Alias?

                              • dotdash

                                You shouldn't need to create VIPs or routes. You can set the NAT network directly in your phase2.

                                • shadokin

                                  Understood dotdash, but Andry Vononka states he created a VIP and I was curious on that point. I am trying to do this with NAT to NAT on two externals and was curious if he used the VIP to point the traffic. I understand it 'SHOULD' work the way you stated and I agree, but it's not. When I originate traffic from the internal network pointing to the IP of the local network on the other side of the tunnel, which is also a NAT'd external address, it doesn't send the traffic down the tunnel. This is what it looks like:

                                  Customer Server 10.200.1.122 (I do not use this as they NAT everything to 1.1.1.98)
                                  Customer NAT 1.1.1.98 (assume internet routable IP)
                                  Customer Gateway 1.1.2.241 (assume internet routable IP)
                                  My Gateway 2.2.2.34 (assume internet routable IP)
                                  My NAT 2.2.2.50 (assume internet routable IP)
                                  My Server 192.168.20.67 (Customer does not see this address as I NAT everything to 2.2.2.50)

                                  The tunnel comes up just fine but I can't seem to get traffic to route from 192.168.20.67 to 1.1.1.98 as I should be able to. Note that when it arrives on 1.1.1.98 it should look like it's coming from 2.2.2.50 via the NAT from outside.

                                  Any help is welcome in advance, thanks!

                                  • dotdash

                                    Does the partner require you to NAT to a public IP? I usually use this where there are overlapping subnets and use a different private network, e.g. 192.168.1.0/24 real LAN, NAT network 10.4.5.0/24 (the other side sees 10.4.5 instead of 192.168.1).

                                    • tleiras

                                      I used it with a network address only, e.g. 192.168.10.0/24 to 192.168.5.0/24.

                                      Thiago Leiras

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.