Netgate Discussion Forum
    Asymmetric routing problem with 1:1 NAT and IPSEC VPN

    IPsec
    7 Posts 2 Posters 1.3k Views
    slatt

      Hello,
      I'm having trouble using 1:1 NAT with an IPSEC VPN. My setup is the following:

      • The VPN's phase 2 is 10.0.44.0/25 (remote) / 10.0.44.128/25 (local)

      • I Configured a 1:1 NAT from 10.0.44.129 to a LAN IP: 192.168.xx

      When I ping 10.0.44.129 from the remote side of the VPN, I can see that the packet arrives on the LAN interface and is sent to the 192.168.xx server which replies to me (10.0.44.1).
      However, this packet is then sent to the WAN interface instead of the IPSEC one, as I noticed using tcpdump.

      Is that an expected behaviour? What can I do to fix this?

      I'm running pfSense 2.2.4.

      Derelict (LAYER 8, Netgate)

        Their phase 2 should be: 10.0.44.0/25 (them) / 10.0.44.128/25 (you)

        Your phase 2 should be: 192.168.xx (you) / 10.0.44.0/25 (them)

        > I'm running pfSense 2.2.4.

        You should seriously consider upgrading.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        slatt

          The thing is I want to be able to NAT several addresses to different networks without having to create a separate phase 2 for them. Is that not possible?
          As for the update, I've been meaning to do it but I haven't had an opportunity to schedule it yet…

          Derelict (LAYER 8, Netgate)

            > The thing is I want to be able to NAT several addresses to different networks without having to create a separate phase 2 for them. Is that not possible?

            Probably not but without some examples of what you want to do that's kind of a guess.

            slatt

              Well I'd like to have 10.0.44.129 pointing to 192.168.10.1 in VLAN 10 and 10.0.44.130.11.1 pointing to 192.168.11.1 in VLAN 11, is that possible?
              I don't want to add a phase 2 for 192.168.10.0/24 and one for 192.168.11.0/24 since I would like to avoid creating many phase 2s.

              Derelict (LAYER 8, Netgate)

                You will need a phase 2 or IPsec will not be interested in traffic from 192.168.11.1.

                slatt
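The point Derelict is making, that the phase 2 selectors decide which traffic IPsec is "interested in" and the 1:1 NAT plays no part in that decision, can be traced with a small model. The code below is an added example, not pfSense code and not from anyone in the thread; it models only the outbound decision for the LAN host's reply, and assumes (simplification) that the security-policy lookup sees the untranslated LAN source address and that a miss falls through to the default route on the WAN. The peer address 10.0.44.1 and LAN hosts 192.168.10.1 / 192.168.11.1 are taken from the thread.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 (traffic selector pair) from this pfSense's point of view."""
    local: Net    # "you"
    remote: Net   # "them"


def net(cidr: str) -> Net:
    return ipaddress.IPv4Network(cidr)


def selects(p2: Phase2, src: str, dst: str) -> bool:
    """True when an outbound packet src -> dst falls inside this phase 2's selectors."""
    return (ipaddress.IPv4Address(src) in p2.local
            and ipaddress.IPv4Address(dst) in p2.remote)


def egress(src: str, dst: str, phase2s: list[Phase2]) -> str:
    """Assumption: the policy lookup sees the real (untranslated) source; a miss
    means the packet is simply routed, i.e. out the default route on the WAN."""
    return "ipsec" if any(selects(p, src, dst) for p in phase2s) else "wan"


REMOTE_PEER = "10.0.44.1"           # host pinging from the far side of the tunnel
ONE_TO_ONE = {"10.0.44.129": "192.168.10.1"}   # the 1:1 NAT from the first post

# Phase 2 as posted: 10.0.44.0/25 (them) / 10.0.44.128/25 (you), NAT done outside IPsec.
AS_POSTED = [Phase2(local=net("10.0.44.128/25"), remote=net("10.0.44.0/25"))]
# Phase 2 as suggested: the real LAN address on the "you" side.
AS_SUGGESTED = [Phase2(local=net("192.168.10.1/32"), remote=net("10.0.44.0/25"))]


def reply_path(lan_host: str, phase2s: list[Phase2]) -> str:
    """Where the LAN host's reply to the remote pinger leaves the box."""
    return egress(lan_host, REMOTE_PEER, phase2s)


if __name__ == "__main__":
    for name, p2s in (("as posted", AS_POSTED), ("as suggested", AS_SUGGESTED)):
        for host in ONE_TO_ONE.values() | {"192.168.11.1"}:
            print(f"{name:12s} reply from {host:13s} -> {reply_path(host, p2s)}")
```

With the posted phase 2 only the translated address 10.0.44.129 would be selected, so the real reply from 192.168.10.1 misses and goes to the WAN, which is the asymmetry seen in tcpdump; with a phase 2 for the real address it is selected, and a second VLAN host still needs its own selector.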

                  How come I can do that on Fortinet for instance? I just create my IPSEC VPN with the 10.0.44.128/25 P2 and a VIP 10.0.44.129, make it point to an IP from any local network and it works.
                  Is this behaviour non-standard? I guess I could use OpenVPN instead, right?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.