ipsec tunnel with nat at 1 site
Hello,
I have the following issue with a Site-to-Site VPN Tunnel
2 sites have hardware based PfSense boxes with version 2.4.4 (up-to-date)
Site A:
WAN IP: 10.0.0.2 (between the modem and the WAN port of the pfSense is a router/firewall from the ISP, which does int static NAT 10.0.0.2 and has IP 10.0.0.1 at its LAN port)
LAN IP 1: 192.168.10.14 (for LAN) - with DHCP (192.168.10.2 - 192.168.10.254) named LAN
LAN IP 2: 192.168.11.14 (for voice) - no DHCP; done by another device (PBX)- named VOICE
Site B:
WAN IP: xxx.xxx.xxx.xxx (direct IP from modem)
LAN IP: 192.168.50.14 (for LAN) - with DHCP (192.168.50.16 - 192.168.50.59) - named LAN
LAN IP 2: 192.168.51.14 (for VOICE) - with DHCP (192.168.51.50 - 192.168.51.149) - named VOICE
IPSEC SETTINGS
Site A
Phase 1
Ike V2
IPv4
Interface WAN
Remote Gateway: WAN IP of Pfsense WAN port (directly on modem)
P1 Protocol AES256-GCM (128 bits)
P1 Transform SHA512
P1 DH-Group: 16 (4096)
Mutual PSK set and checked
My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B
Peer Identifier: IP address: manually set to WAN IP of PFsense WAN port
DPD enabled
Phase 2
Mode tunnel
Local network | type: network | address: 192.168.11.0/23
NAT/BINAT translation | type: address | address: 10.0.0.2
Remote network | type: network | address: 192.168.51.0/23
P2 Protocol ESP
P2 Transforms AES256-GCM (128 bits)
P2 Auth SHA256
Site B
Phase 1
Ike V2
IPv4
Interface WAN
Remote Gateway: WAN IP of Router/Firewall of ISP
P1 Protocol AES256-GCM (128 bits)
P1 Transform SHA512
P1 DH-Group: 16 (4096)
Mutual PSK set and checked
My Identifier: My IP address
Peer Identifier: Peer IP address
DPD enabled
Phase 2
Mode tunnel
Local network | type: network | address: 192.168.51.0/23
NAT/BINAT translation | none
Remote network | type: network | address: 192.168.11.0/23
P2 Protocol ESP
P2 Transforms AES256-GCM (128 bits)
P2 Auth SHA256
In the IPsec overview I see
con2000: #4 brandytoflex WANIP-SITEB WANIP-SITEB WANIP-ATISPMODEM-SITEA WANIP-ATISPMODEM-SITEA NAT-T IKEv2
initiator 23970 seconds (06:39:30) AES_GCM_16 PRF_HMAC_SHA2_512 MODP_4096 ESTABLISHED 3518 seconds (00:58:38) ago
In the firewall I made a rule on the IP sec page
To allow any traffic from any source at any port going to any destination on any gateway
BUT, when I try to ping from a computer in the network of Site A to a server in the network of Site B, the packet is lost; however, I see in the logs of the pfSense on the IPsec page:
14[NET] <con2000|4> received packet: from WANIP-ATISPMODEM-SITEA[4500] to WANIP-SITEB[4500] (57 bytes)
14[NET] <con2000|4> sending packet: from WANIP-SITEB[4500] to WANIP-ATISPMODEM-SITEA[4500] (57 bytes)
THE Question:
What am I doing wrong? Because now no traffic is possible (no ping, no voice, anything) between site A and B.
@godfried84 said in ipsec tunnel with nat at 1 site:
Site A
Phase 1
My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B
Why would you set my identifier to be the IP address of the other side?
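A consistency check over the two configurations quoted in this thread, added here as an example and not part of either post. It encodes the identifier and Phase 2 values as the original poster listed them, uses constructed placeholder addresses (203.0.113.1, 198.51.100.1) for the redacted public WAN IPs, and assumes pfSense's documented NAT/BINAT behaviour: when a translation address is set, the remote side must use that translated address as its Remote network.

```python
import ipaddress

# Values as listed in the thread; the public WAN IPs are constructed placeholders.
SITE_A = {
    "my_id": "203.0.113.1",      # poster set this to site B's WAN IP (placeholder)
    "peer_id": "203.0.113.1",    # site B's WAN IP (placeholder)
    "local_net": "192.168.11.0/23",
    "nat_binat": "10.0.0.2",     # Phase 2 NAT/BINAT translation address
    "remote_net": "192.168.51.0/23",
}
SITE_B = {
    "my_id": "203.0.113.1",      # "My IP address" = site B WAN (placeholder)
    "peer_id": "198.51.100.1",   # "Peer IP address" = ISP router's public IP at site A (placeholder)
    "local_net": "192.168.51.0/23",
    "nat_binat": None,
    "remote_net": "192.168.11.0/23",
}

def effective_local(site):
    """Selector the peer sees: the NAT/BINAT address when set, else the local network."""
    if site["nat_binat"]:
        return str(ipaddress.ip_network(site["nat_binat"], strict=False))
    return site["local_net"]

def check_pair(a, b):
    """Return a list of findings for one IPsec site pair; an empty list means consistent."""
    findings = []
    # IKE identifiers: what A sends as its own ID must match what B expects as the peer ID.
    if a["my_id"] != b["peer_id"]:
        findings.append(f"A my_id {a['my_id']} != B peer_id {b['peer_id']}")
    if b["my_id"] != a["peer_id"]:
        findings.append(f"B my_id {b['my_id']} != A peer_id {a['peer_id']}")
    # Phase 2 selectors must mirror each other, after any NAT/BINAT translation.
    if effective_local(a) != b["remote_net"]:
        findings.append(f"B remote_net {b['remote_net']} != what A presents: {effective_local(a)}")
    if effective_local(b) != a["remote_net"]:
        findings.append(f"A remote_net {a['remote_net']} != what B presents: {effective_local(b)}")
    # Each selector must be a properly aligned network (no host bits set).
    for name, site in (("A", a), ("B", b)):
        for key in ("local_net", "remote_net"):
            try:
                ipaddress.ip_network(site[key], strict=True)
            except ValueError:
                aligned = ipaddress.ip_network(site[key], strict=False)
                findings.append(f"{name} {key} {site[key]} has host bits set; aligned network is {aligned}")
    return findings

if __name__ == "__main__":
    for line in check_pair(SITE_A, SITE_B):
        print(line)
```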