Site-to-Site VPN with source NAT



  • Hi there community.

    Looking for some assistance on getting traffic pass between a pfsense and a Juniper.
    The Site-to-Site tunnel is up and running and I was able to ping from one side of the tunnel to the other.
    After implementing Source-NAT I am unable to get across the VPN and ping the other site.

    pfsense Configuration PH1:
    Mutual PSK
    Mode Main
    Preshare Key Preshared
    AES128
    SHA1
    DH group 2
    NAT Traversal Auto

    Configuration PH2:
    Tunnel IPv4
    Local Net 10.19.20.0/22
    NAT/BITNAT 10.3.8.0/22
    Remote Net 10.3.8.0/22
    AES128
    SHA1
    PFS off

    FW Rules
    eth2_LAN * * * * none

    IPsec
    eth2_LAN TCP/UDP * 10.3.8.0/22 * * none
    eth2_LAN ICMP      * 10.3.8.0/22 * * none
    10.3.8.0/22 TCP/UDP * * eth2_LAN * * none
    10.3.8.0/22 ICMP * * eth2_LAN * * none

    NAT Rules:
    Outbound: Mode AON
    1:1 IPsec 10.3.8.20/22 10.19.20.0/22 *

    Other side configuration:
    PH 1
    Remote GW: Host_IP_Address
    pre-g2-aes128-sha

    PH 2
    Tunnel IPv4
    nopfs-esp-aes128-sha
    Proxy ID Trust-Trust 10.19.20.0/22-10.3.8.0/22

    I have attached a small diagram for more details.
    Thank you in advance for your assistance.
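A small selector-consistency check, added here as an example and not part of the original post or of pfSense/Junos: when pfSense Phase 2 has a NAT/BINAT network set, the local traffic selector it negotiates is that translated network rather than the real LAN, so the peer's proxy ID has to mirror the translated network, and the translated network must not overlap the remote network. The script encodes those two rules and runs them over constructed inputs; the values in `quoted_config()` are taken from the configuration listed above, while `sample_good_config()` uses a hypothetical translated network (10.19.40.0/22) to show what a consistent pair looks like.

```python
"""Sanity-check IPsec Phase 2 selectors when pfSense NAT/BINAT is in use.

Added example (not the forum poster's code). Assumptions, stated here and
in comments: pfSense sends the NAT/BINAT network as its local selector when
one is configured, and the peer's proxy ID is written as (peer local, peer remote).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Phase2:
    local_net: str                 # real subnet behind pfSense
    remote_net: str                # subnet behind the peer
    binat_net: Optional[str] = None  # NAT/BINAT network, or None if untranslated


def negotiated_local(p2: Phase2) -> ipaddress.IPv4Network:
    """Selector pfSense presents to the peer: BINAT network if set, else LAN."""
    return ipaddress.ip_network(p2.binat_net or p2.local_net, strict=False)


def check_phase2(p2: Phase2, peer_local: str, peer_remote: str) -> List[str]:
    """Return a list of findings; an empty list means the selectors agree."""
    findings: List[str] = []
    local = ipaddress.ip_network(p2.local_net, strict=False)
    remote = ipaddress.ip_network(p2.remote_net, strict=False)
    sent = negotiated_local(p2)

    # 1:1 BINAT maps address-for-address, so the prefix lengths must match.
    if p2.binat_net and sent.prefixlen != local.prefixlen:
        findings.append(f"PREFIX: BINAT {sent} and local {local} differ in length")

    # The network the peer sees must be disjoint from the peer's own network,
    # otherwise return traffic has no unambiguous route back through the tunnel.
    if sent.overlaps(remote):
        findings.append(f"OVERLAP: negotiated local {sent} overlaps remote {remote}")

    # The peer's proxy ID must be the mirror image of what pfSense negotiates.
    p_local = ipaddress.ip_network(peer_local, strict=False)
    p_remote = ipaddress.ip_network(peer_remote, strict=False)
    if p_remote != sent:
        findings.append(f"PROXYID: peer remote {p_remote} != negotiated local {sent}")
    if p_local != remote:
        findings.append(f"PROXYID: peer local {p_local} != pfSense remote {remote}")
    return findings


def quoted_config() -> List[str]:
    """Values copied from the post: BINAT and remote are both 10.3.8.0/22."""
    p2 = Phase2(local_net="10.19.20.0/22", remote_net="10.3.8.0/22",
                binat_net="10.3.8.0/22")
    return check_phase2(p2, peer_local="10.3.8.0/22", peer_remote="10.19.20.0/22")


def sample_good_config() -> List[str]:
    """Hypothetical consistent pair: LAN translated to 10.19.40.0/22."""
    p2 = Phase2(local_net="10.19.20.0/22", remote_net="10.3.8.0/22",
                binat_net="10.19.40.0/22")
    return check_phase2(p2, peer_local="10.3.8.0/22", peer_remote="10.19.40.0/22")


if __name__ == "__main__":
    for name, result in (("quoted", quoted_config()), ("sample", sample_good_config())):
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  " + line)
```

Running it reports two findings for the quoted values (the translated network collides with the remote network, and the peer's remote proxy ID does not match the translated network pfSense would send) and none for the hypothetical pair, which is the shape to aim for before looking at NAT rules or firewall rules on the IPsec interface.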



  • Anyone??



  • I think I have the same issue as you, and figured out the problem and a semi-workaround.

    Bug/Issue with NAT 1:1 rule operation on IPsec interface
    https://forum.pfsense.org/index.php?topic=126289.0

