NAT over routed VTI
-
Hello
I am having a similar issue to the post below, which got no responses; I have this working with other router vendors (JunOS, IOS, etc.):
https://forum.netgate.com/topic/143038/alternate-address-nat-for-ipsec-vti
I am trying outbound NATing to the VTI address. Some more info:
Side A, Openswan:
Public: 1.1.1.1
LAN: 10.6.0.0/24
Side B, pfSense:
Public: 2.2.2.2
LAN: 192.168.1.0/24
vti local: 10.6.0.2/24
vti remote: 10.6.0.1/24
IPsec SA phase 1/2 come up with no issues and the VTI interfaces can ping each other, but I cannot get traffic from the pfSense LAN 192.168.1.0/24 to NAT to the VTI interface 10.6.0.2 and go over the tunnel. I tried outbound NAT and different firewall rules; I have not added any routes, as that should not be necessary. Long story, but the setup requires the private LANs to NAT to the VTI interface in order to connect to a device on the remote side.
Any ideas? Has anyone got NAT working on VTI?
Thanks
-
Based on what you are posting, the VTI addresses should be distinct from the Side A LAN, and over those you should route to 10.6.0.0/24.
At a minimum I would expect you would need a route for 10.6.0.0/24 to 10.6.0.1.
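The following is an added example, not code from the thread, from pfSense or from Openswan. It is a small longest-prefix-match model of the two routers' forwarding tables built from the address plan in the opening post, used to show two things the reply above is getting at: with the VTI subnet equal to Side A's LAN (10.6.0.0/24 on both), pfSense needs no static route for the forward direction because the connected VTI route already covers Side A's LAN, but Side A then holds two equal-length routes for the NAT'd source 10.6.0.2 (its LAN and the VTI), so the return path is ambiguous. With a distinct transit subnet for the VTI the ambiguity disappears, and the static route to 10.6.0.0/24 via the VTI becomes necessary, as the reply says. Interface names (wan, lan, eth0, eth1, vti0), the 10.255.0.0/30 transit subnet and the .50 target host are assumptions for illustration; the model deliberately reports ties instead of picking one, whereas a real kernel installs only one of the two routes, and whichever wins decides whether the reply leaves on the LAN or goes back into the tunnel.

```python
"""Added example (not from the thread, pfSense or Openswan): a tiny
longest-prefix-match model of both routers' forwarding tables.
Interface names, the 10.255.0.0/30 transit subnet and the .50 target
host are assumptions for illustration."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

Route = Tuple[IPv4Network, str]  # (prefix, outgoing interface)
Plan = Dict[str, IPv4Network]


def lookup(table: List[Route], dst: str) -> List[str]:
    """Longest-prefix match. Returns every distinct interface whose prefix
    ties for the longest match, so an ambiguous table shows up as a list
    with more than one entry instead of a silently chosen winner."""
    ip = ip_address(dst)
    best = -1
    winners: List[str] = []
    for net, iface in table:
        if ip in net:
            if net.prefixlen > best:
                best, winners = net.prefixlen, [iface]
            elif net.prefixlen == best and iface not in winners:
                winners.append(iface)
    return winners


def overlaps(plan: Plan) -> List[Tuple[str, str]]:
    """Pairs of named subnets in an address plan that overlap each other."""
    names = list(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]


# Address plan exactly as posted: Side A LAN and the VTI subnet are both 10.6.0.0/24.
POSTED: Plan = {
    "a_lan": ip_network("10.6.0.0/24"),
    "b_lan": ip_network("192.168.1.0/24"),
    "vti": ip_network("10.6.0.0/24"),
}
# Assumed alternative: a dedicated transit /30 for the VTI that overlaps nothing.
DISTINCT: Plan = {
    "a_lan": ip_network("10.6.0.0/24"),
    "b_lan": ip_network("192.168.1.0/24"),
    "vti": ip_network("10.255.0.0/30"),
}


def pfsense_table(plan: Plan, static_route: bool) -> List[Route]:
    """Side B (pfSense): connected routes, plus an optional static route
    to Side A's LAN via the VTI (assumed interface names)."""
    table = [(ip_network("0.0.0.0/0"), "wan"),
             (plan["b_lan"], "lan"),
             (plan["vti"], "vti0")]
    if static_route:
        table.append((plan["a_lan"], "vti0"))
    return table


def openswan_table(plan: Plan) -> List[Route]:
    """Side A (Openswan): connected routes only (assumed interface names)."""
    return [(ip_network("0.0.0.0/0"), "eth0"),
            (plan["a_lan"], "eth1"),
            (plan["vti"], "vti0")]


def forward_path(plan: Plan, static_route: bool) -> List[str]:
    """Where pfSense sends a LAN packet bound for an assumed host .50 on Side A's LAN."""
    return lookup(pfsense_table(plan, static_route), str(plan["a_lan"][50]))


def return_path(plan: Plan) -> List[str]:
    """Where Side A sends the reply to the NAT'd source, i.e. pfSense's VTI
    address (.2 in both plans, matching the posted 10.6.0.2)."""
    nat_src = str(plan["vti"][2])
    return lookup(openswan_table(plan), nat_src)


if __name__ == "__main__":
    for name, plan in (("posted", POSTED), ("distinct", DISTINCT)):
        print(name, "overlapping subnets:", overlaps(plan))
        print("  forward, no static route:", forward_path(plan, False))
        print("  forward, with route:     ", forward_path(plan, True))
        print("  return on Side A:        ", return_path(plan))
```

Run as-is, the posted plan reports the a_lan/vti overlap, a forward path of vti0 even without a static route, and a tied return path of eth1 and vti0 on Side A; the distinct plan reports no overlap, a forward path of wan until the static route is added, and an unambiguous return path of vti0.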
-
Just an update: it appears that outbound NAT with the routed VTI interface is working properly to get the NAT'd packets to the remote side (confirmed with tcpdump), but the return packets seem to be dropped by hidden, unlabelled default-deny pfSense firewall rules (they don't appear in the GUI). So I suspect that additional iptables config will be necessary, or more development on the build.
-
Well, since pfSense does not use iptables, I don't know what you're referring to in this context. Packet capture at each hop and determine where the breakdown is.
-
@under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti
Unfortunately no resolution that I'm aware of.
-
@Derelict Is there a way to look at the firewall rules from the CLI and add/delete/edit them? I'm not very familiar with pfSense, so I just assumed it was iptables.
Thanks
@Derelict said in NAT over routed VTI:
Well, since pfSense does not use iptables, I don't know what you're referring to in this context. Packet capture at each hop and determine where the breakdown is.
-
@ngoehring123 said in NAT over routed VTI:
@under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti
Unfortunately no resolution that I'm aware of.
Thanks, similar issues. GRE over IPsec could work, but that would be too many changes in our application for now.