IPsec NAT/BINAT with routed subnets not NATing or passing traffic
-
Currently running PFSense 2.2.4 on this hardware.
This router sits in our rack and has multiple sites come into it for routing and ACL purposes. We will call this GW1.
We have a Cisco Layer 3 switch performing multiple site-to-site and inter-VLAN routing. We will call this the p2p core switch; it has each site's subnet assigned to an interface directly.
I will use fictitious IPs and scaled-down answers to protect our internal and external subnets. Know that everything is working except the routed sites to the IPsec NAT/BINAT tunnel.
We have a private p2p circuit that connects sites together in the p2p core switch. That switch has multiple interfaces with IPs assigned to each address space.
We have a default route that goes to a primary router for internet and static routes to send specific traffic to the rack's GW1.
In GW1 we have routes configured with each site's address space that use the p2p core interface IP to send the traffic back. Recently configured an IPsec NAT tunnel for partner access to a Citrix NetScaler for VM access. From my LAN the IPsec NAT works and the NetScaler site loads, and in the states table I see my LAN and IPsec listed showing my address, the NAT public address and the NetScaler address.
When I try to bring up the Citrix site from one of the outside sites over the p2p core I do not get the site to load. I do see the site appear in the IPsec Status page showing its local subnet, so I know the data is getting to GW1 and the tunnel is getting built. However, that is all. When checking the stats I only see SYN messages for that from and to, and a disconnect. I had this setup in our ADTRAN exactly as it sits before; however, the ADTRAN we had was underpowered for our site-to-site bandwidth. It has a limit of 25 Mbps throughput. This was also confirmed by Adtran.
Plus I really enjoy the pfSense OS and feature set. It is well thought out. However, I wonder if I am hitting a limitation of the IPsec in this version, though I cannot imagine I am. I do have a spare pfSense unit I can put out there to remove the Layer 3 switch; however, I do not see how this would change anything since all site-to-site traffic is working as it should. I wonder if it is due to the address space being routed vs. assigned on an interface directly.
Hopefully someone will know the answer to this. May have to request a PO to purchase pfSense support; however, I would hate to spend $400 to find out it's a feature limitation.
-
Probably need a diagram with all of the subnets, routes, and host addresses noted for this particular traffic flow. Detailed phase 2 info on both sides including the NAT/BINAT, etc.
-
Got it solved.
Ended up being a configuration in the Traffic Shaper.
I had HFSC configured on all the interfaces. However, after adding the new interface I did not copy the settings into the new interface.
I clicked "remove shaper" and the second that happened all traffic was flowing correctly.
I then did the multi-all wizard, and at that time it wouldn't complete without throwing an error about a speed mismatch. This particular interface is 100MB; however, the WAN interface has a lot more. This was the only thing I could see as the issue. After some TLC the shaper is back in without errors and traffic is still flowing.
I have seen this before on other HFSC implementations, either from an interface being added or an upgrade causing traffic to just stop being passed; even if the rule has no queues set, the matched traffic just doesn't work.
Anyway.
If you're reading this and have HFSC set up and are seeing a similar issue, go ahead and remove it to see if that corrects it. You'll likely find the issue when you attempt to run the wizard again, as it will likely not complete and load the rules without an error; at least in my case that was it.
As for the setup:
There is a LAN core onsite at the main office that detours specific matching traffic to the P2P core that is in a rack at a datacenter offsite. That P2P core will either send the traffic to one of the multiple sites or to the interface on the pfSense FW in the datacenter. This was the FW we experienced the problem from. (Cores are Layer 3 switches performing routing functions for sites or inter-VLAN traffic.)
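The symptom described in this thread (only SYN packets seen for flows arriving from the routed site, while flows from the firewall's own LAN reach ESTABLISHED) can be spotted quickly in the state table. The following is an added example, not code from the original posts or from the pfSense project: it parses `pfctl -s state` style lines and flags interfaces whose TCP states are all stuck half-open. The line format, the interface names (`lan`, `igb2`, `enc0`) and the sample addresses are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `pfctl -s state` output on pfSense.
# The exact field layout is an assumption; adjust STATE_RE if your output differs.
# lan  = firewall's own LAN (works), igb2 = interface facing the routed p2p sites
# (broken), enc0 = IPsec interface. Addresses are documentation ranges, not real.
SAMPLE_STATES = """\
lan tcp 10.10.1.25:51234 (203.0.113.10:51234) -> 198.51.100.40:443 ESTABLISHED:ESTABLISHED
enc0 tcp 203.0.113.10:51234 -> 198.51.100.40:443 ESTABLISHED:ESTABLISHED
igb2 tcp 10.20.5.17:40211 (203.0.113.10:40211) -> 198.51.100.40:443 SYN_SENT:CLOSED
enc0 tcp 203.0.113.10:40211 -> 198.51.100.40:443 SYN_SENT:CLOSED
igb2 tcp 10.20.5.18:40300 (203.0.113.10:40300) -> 198.51.100.40:443 SYN_SENT:CLOSED
igb2 udp 10.20.5.17:5353 -> 10.20.5.255:5353 NO_TRAFFIC:SINGLE
"""

# <iface> <proto> <src> [(<nat-src>)] -> <dst> <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<nat>[^)]+)\))?\s+->\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Turn state-table lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def half_open_summary(entries):
    """Per interface: count of TCP states that completed the handshake vs. SYN-only."""
    summary = defaultdict(lambda: {"established": 0, "syn_only": 0})
    for e in entries:
        if e["proto"] != "tcp":
            continue
        if e["state"] == "ESTABLISHED:ESTABLISHED":
            summary[e["iface"]]["established"] += 1
        elif e["state"].startswith("SYN_SENT:"):
            summary[e["iface"]]["syn_only"] += 1
    return dict(summary)


def suspect_interfaces(entries):
    """Interfaces where every TCP state is half-open: the pattern seen when a shaper
    or rule silently drops the return traffic on one ingress interface."""
    summary = half_open_summary(entries)
    return sorted(
        iface
        for iface, c in summary.items()
        if c["syn_only"] > 0 and c["established"] == 0
    )


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    for iface, counts in sorted(half_open_summary(parsed).items()):
        print(f"{iface}: {counts}")
    print("suspect interfaces:", suspect_interfaces(parsed))
```

On a live box you would feed it the real output (for example `pfctl -s state | python3 check_states.py` with `sys.stdin.read()` in place of the sample). In the thread's case the routed sites' ingress interface is the one that shows only SYN-only states, while the IPsec interface carries a mix, which points at that interface's configuration (here the uncopied HFSC shaper) rather than at the tunnel itself.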