IPsec behind 1:1 NAT?
I am trying to set up an IPsec connection between two pfSense boxes. In my test lab, if I use a WAN IP at each end it works, so I feel reasonably sure the config is correct. However, my real scenario has, at one end, a 1:1 WAN to static private IP; then our router uses the static private IP as its WAN, and a different private range for the internal network. I am able to access the internal network via the WAN address using other products (SoftEther), but I really want to use pfSense. Any suggestions on how to accomplish this?
I just looked at the IPsec logs for the last connection attempt, and maybe they would help someone...
Jun 14 22:24:16 charon 06[CFG] vici client 82 connected
Jun 14 22:24:16 charon 08[CFG] vici client 82 registered for: list-sa
Jun 14 22:24:16 charon 06[CFG] vici client 82 requests: list-sas
Jun 14 22:24:16 charon 06[CFG] vici client 82 disconnected
Jun 14 22:24:18 charon 16[CFG] received stroke: terminate 'con1000'
Jun 14 22:24:18 charon 16[CFG] no IKE_SA named 'con1000' found
Jun 14 22:24:18 charon 13[CFG] received stroke: initiate 'con1000'
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing ISAKMP_VENDOR task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing ISAKMP_CERT_PRE task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing MAIN_MODE task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing ISAKMP_CERT_POST task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing ISAKMP_NATD task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> queueing QUICK_MODE task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating new tasks
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating ISAKMP_VENDOR task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating ISAKMP_CERT_PRE task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating MAIN_MODE task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating ISAKMP_CERT_POST task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> activating ISAKMP_NATD task
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending XAuth vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending DPD vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending FRAGMENTATION vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending NAT-T (RFC 3947) vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> initiating Main Mode IKE_SA con1000[10] to 164.58.107.86
Jun 14 22:24:18 charon 16[IKE] <con1000|10> IKE_SA con1000[10] state change: CREATED => CONNECTING
Jun 14 22:24:18 charon 16[CFG] <con1000|10> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 14 22:24:18 charon 16[ENC] <con1000|10> generating ID_PROT request 0 [ SA V V V V V ]
Jun 14 22:24:18 charon 16[NET] <con1000|10> sending packet: from 199.85.82.76[500] to 164.58.107.86[500] (180 bytes)
Jun 14 22:24:18 charon 16[NET] <con1000|10> received packet: from 164.58.107.86[500] to 199.85.82.76[500] (40 bytes)
Jun 14 22:24:18 charon 16[ENC] <con1000|10> parsed INFORMATIONAL_V1 request 680238804 [ N(NO_PROP) ]
Jun 14 22:24:18 charon 16[IKE] <con1000|10> received NO_PROPOSAL_CHOSEN error notify
Jun 14 22:24:18 charon 16[IKE] <con1000|10> IKE_SA con1000[10] state change: CONNECTING => DESTROYING
Jun 14 22:24:19 charon 15[CFG] vici client 83 connected
Jun 14 22:24:19 charon 16[CFG] vici client 83 registered for: list-sa
Jun 14 22:24:19 charon 15[CFG] vici client 83 requests: list-sas
Jun 14 22:24:19 charon 15[CFG] vici client 83 disconnected
Jun 14 22:24:24 charon 07[CFG] vici client 84 connected
Jun 14 22:24:24 charon 07[CFG] vici client 84 registered for: list-sa
Jun 14 22:24:24 charon 07[CFG] vici client 84 requests: list-sas
Jun 14 22:24:24 charon 07[CFG] vici client 84 disconnected
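The charon lines above can be triaged mechanically. The script below is an added example, not pfSense or strongSwan code: it parses the posted log, picks out each IKE_SA (the `<conn|id>` tag), records the peer, the local address and port actually used, the configured phase 1 proposal, whether any NAT-D payloads (IKEv1 `NAT-D`, IKEv2 `N(NATD_S_IP)`/`N(NATD_D_IP)`) were exchanged, and the exchange during which the peer's error notify arrived. The sample input is trimmed from the post; the classification rules (phase mapping, RFC 1918 check, NAT traversal wording) are this example's own heuristics.

```python
"""Triage a strongSwan (charon) IKE negotiation from its log lines.

Added example, not strongSwan/pfSense code. Regexes follow the charon
log format as it appears in the posted lines; classification is heuristic.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: lines taken from the post, trimmed to one IKE_SA plus vici/stroke chatter.
SAMPLE_LOG = """\
Jun 14 22:24:16 charon 06[CFG] vici client 82 connected
Jun 14 22:24:18 charon 13[CFG] received stroke: initiate 'con1000'
Jun 14 22:24:18 charon 16[IKE] <con1000|10> sending NAT-T (RFC 3947) vendor ID
Jun 14 22:24:18 charon 16[IKE] <con1000|10> initiating Main Mode IKE_SA con1000[10] to 164.58.107.86
Jun 14 22:24:18 charon 16[IKE] <con1000|10> IKE_SA con1000[10] state change: CREATED => CONNECTING
Jun 14 22:24:18 charon 16[CFG] <con1000|10> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jun 14 22:24:18 charon 16[ENC] <con1000|10> generating ID_PROT request 0 [ SA V V V V V ]
Jun 14 22:24:18 charon 16[NET] <con1000|10> sending packet: from 199.85.82.76[500] to 164.58.107.86[500] (180 bytes)
Jun 14 22:24:18 charon 16[NET] <con1000|10> received packet: from 164.58.107.86[500] to 199.85.82.76[500] (40 bytes)
Jun 14 22:24:18 charon 16[ENC] <con1000|10> parsed INFORMATIONAL_V1 request 680238804 [ N(NO_PROP) ]
Jun 14 22:24:18 charon 16[IKE] <con1000|10> received NO_PROPOSAL_CHOSEN error notify
Jun 14 22:24:18 charon 16[IKE] <con1000|10> IKE_SA con1000[10] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon \d+\[\w+\] "
                     r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$")
INIT_RE = re.compile(r"initiating (?:(?P<mode>Main Mode|Aggressive Mode) )?IKE_SA \S+ to (?P<peer>\S+)$")
PKT_RE = re.compile(r"(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] "
                    r"to (?P<dst>\S+)\[(?P<dport>\d+)\]")
EXCH_RE = re.compile(r"(?:generating|parsed) (?P<exch>\w+) (?:request|response) \d+ \[(?P<payloads>[^\]]*)\]")
NOTIFY_RE = re.compile(r"received (?P<notify>\w+) error notify")
STATE_RE = re.compile(r"state change: \w+ => (?P<state>\w+)")

# Heuristic mapping from the exchange that preceded the notify to the negotiation phase.
PHASE_OF = {"ID_PROT": "phase 1 (IKEv1 Main Mode)", "AGGRESSIVE": "phase 1 (IKEv1 Aggressive Mode)",
            "QUICK_MODE": "phase 2 (IKEv1 Quick Mode)", "IKE_SA_INIT": "IKE_SA_INIT (IKEv2)",
            "IKE_AUTH": "IKE_AUTH (IKEv2)", "CREATE_CHILD_SA": "CREATE_CHILD_SA (IKEv2)"}


@dataclass
class SaTrace:
    conn: str
    sa_id: int
    peer: Optional[str] = None
    mode: str = "IKEv2"            # overwritten for IKEv1 Main/Aggressive Mode
    local_addr: Optional[str] = None
    ports: Set[int] = field(default_factory=set)   # local UDP ports seen (500, 4500)
    proposals: List[str] = field(default_factory=list)
    exchanges: List[str] = field(default_factory=list)
    nat_d_seen: bool = False
    notify: Optional[str] = None
    final_state: Optional[str] = None


def parse_charon(lines) -> Dict[Tuple[str, int], SaTrace]:
    """Group tagged charon lines by (connection, IKE_SA id); untagged vici/stroke lines are skipped."""
    traces: Dict[Tuple[str, int], SaTrace] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["conn"] is None:
            continue
        key = (m["conn"], int(m["sa"]))
        tr = traces.setdefault(key, SaTrace(*key))
        msg = m["msg"]
        if (im := INIT_RE.search(msg)):
            tr.peer, tr.mode = im["peer"], im["mode"] or "IKEv2"
        elif msg.startswith("configured proposals: "):
            tr.proposals = msg[len("configured proposals: "):].split(", ")
        elif (pm := PKT_RE.search(msg)):
            # Local side is the source of sent packets and the destination of received ones.
            local, port = (pm["src"], pm["sport"]) if pm["dir"] == "sending" else (pm["dst"], pm["dport"])
            tr.local_addr, _ = local, tr.ports.add(int(port))
        elif (em := EXCH_RE.search(msg)):
            tr.exchanges.append(em["exch"])
            tokens = em["payloads"].split()
            if "NAT-D" in tokens or any(t.startswith("N(NATD_") for t in tokens):
                tr.nat_d_seen = True
        elif (nm := NOTIFY_RE.search(msg)):
            tr.notify = nm["notify"]
        elif (sm := STATE_RE.search(msg)):
            tr.final_state = sm["state"]
    return traces


def diagnose(tr: SaTrace) -> List[str]:
    findings = []
    if tr.local_addr:
        if ipaddress.ip_address(tr.local_addr).is_private:
            findings.append(f"local address {tr.local_addr} is not globally routable: a NAT sits in front of this peer")
        else:
            findings.append(f"local address {tr.local_addr} is public: the log shows no NAT on this side")
    if tr.notify:
        last = next((e for e in reversed(tr.exchanges) if not e.startswith("INFORMATIONAL")), None)
        findings.append(f"{tr.peer} answered {tr.notify} during {PHASE_OF.get(last, f'exchange {last}')}; "
                        f"offered {', '.join(tr.proposals) or 'no logged proposal'}: either the proposal does not "
                        f"match or the responder has no connection configured for these addresses")
    if not tr.nat_d_seen:
        findings.append("no NAT-D payloads exchanged: NAT traversal was never negotiated, only UDP/500 used")
    elif 4500 in tr.ports:
        findings.append("NAT detected and negotiation floated to UDP/4500")
    if tr.final_state and tr.final_state != "ESTABLISHED":
        findings.append(f"IKE_SA ended in state {tr.final_state}")
    return findings


def triage(text: str) -> Dict[str, List[str]]:
    return {f"{tr.conn}[{tr.sa_id}]": diagnose(tr) for tr in parse_charon(text.splitlines()).values()}


if __name__ == "__main__":
    for sa, findings in triage(SAMPLE_LOG).items():
        print(sa)
        for f in findings:
            print("  -", f)
```

Run against the posted lines, the report says the notify arrived while the only exchange sent was ID_PROT, i.e. before any NAT-D payload or port float could happen, so whatever the 1:1 NAT does to this tunnel is not yet visible in this log; the phase 1 proposal (or the responder's connection match for these addresses) has to be agreed first.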