Netgate Discussion Forum

How to NAT packets coming from IPSec interface back to IPSec?

Category: NAT
6 Posts 4 Posters 2.1k Views
    Xandir
    last edited by Mar 29, 2017, 3:16 PM

    When I add a rule in the "NAT / Outbound" section, the IPSec interface can be chosen. But if I choose it, the router ignores this rule. In "States" or "Packet Capture" it can be seen that the addresses of the connections do not change. And if I change the interface from IPSec to WAN, then the addresses change and NAT works correctly. What can be the reason? Is this a bug or what?

    Could this be due to the fact that I'm trying to NAT traffic coming from the IPSec interface back in IPSec?

    Or can NAT only be used on physical interfaces? Then why is IPSec on the list of choices?
    ipsec.png (attachment)

      isolatedvirus
      last edited by Apr 19, 2017, 3:19 PM

      What exactly are you trying to do?

      If you're trying to NAT all VPN clients to change the source IP to the firewall's IPSEC interface, you'd set the source IP range as the IPSEC client DHCP range (or network if it's a separate subnet).

      If you can provide a little more detail I'll be better able to answer your questions and assist.

        johnkv
        last edited by Apr 27, 2017, 3:04 PM

        I think I'm running into a similar issue.

        So my setup is a tad beyond basic IPSec site-to-site and I think that may be part of the problem.

        Background:
        I'm running a VPN Client (PIA I subscribe to), but successfully have OpenVPN Server running (listening on the regular ISP gateway rather than the PIA interface and routing out the same).

        I have a firewall rule to not use my VPN service when connecting to where my IPSec tunnel is landing.

        I set up an IPSec site-to-site tunnel to an ASA5505.  Tunnel comes up, 0 packets inbound, see the traffic outbound.

        Testing:
        I open up 2 ssh windows, 172.30.15.21 and 172.30.10.21 (.15.0 is ASA side, .10.0 is pfSense).
        tcpdump running on both.
        Ping from pfSense 10.21: see outgoing packet.  ASA 15.21: tcpdump: receive packet and send reply.  pfSense 10.21: no reply received.

        Ping from ASA side 10.21: see outgoing packet.  pfSense 10.21: no packets received.

        I have the rule on IPSec to allow all.

        I see in the state table the source public IP -> destination public IP :500.  I saw on the wiki that if you see that, you clear it with a NAT exemption rule (which I tried, but it keeps coming back).  Tried any/UDP/ESP port 500, all ports, with source and without, on WAN and on IPSec (based on what is in the state table).

        Summary:
        I can trace traffic leaving pfSense, arriving at the destination and the reply being sent; it never arrives back at the pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).

          isolatedvirus
          last edited by Apr 29, 2017, 5:18 AM

          @johnkv:

          I think I'm running into a similar issue.

          So my setup is a tad beyond basic IPSec site-to-site and I think that may be part of the problem.

          Background:
          I'm running a VPN Client (PIA I subscribe to), but successfully have OpenVPN Server running (listening on the regular ISP gateway rather than the PIA interface and routing out the same).

          I have a firewall rule to not use my VPN service when connecting to where my IPSec tunnel is landing.

          I set up an IPSec site-to-site tunnel to an ASA5505.  Tunnel comes up, 0 packets inbound, see the traffic outbound.

          Testing:
          I open up 2 ssh windows, 172.30.15.21 and 172.30.10.21 (.15.0 is ASA side, .10.0 is pfSense).
          tcpdump running on both.
          Ping from pfSense 10.21: see outgoing packet.  ASA 15.21: tcpdump: receive packet and send reply.  pfSense 10.21: no reply received.

          Ping from ASA side 10.21: see outgoing packet.  pfSense 10.21: no packets received.

          I have the rule on IPSec to allow all.

          I see in the state table the source public IP -> destination public IP :500.  I saw on the wiki that if you see that, you clear it with a NAT exemption rule (which I tried, but it keeps coming back).  Tried any/UDP/ESP port 500, all ports, with source and without, on WAN and on IPSec (based on what is in the state table).

          Summary:
          I can trace traffic leaving pfSense, arriving at the destination and the reply being sent; it never arrives back at the pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).

          Out of curiosity, do you have your default gateway on pfSense set as the PIA tunnel?
          pfSense, as far as I can tell, ignores its own PBR and uses the routing setup in System->Routing.

            Derelict LAYER 8 Netgate
            last edited by Apr 29, 2017, 6:27 AM

            Actually, policy routing generally overrides the routing table.

            When traffic enters an interface it is generally subject to:

            Policy routing
            IPsec Traffic Selectors
            Routing table

            What people generally don't understand is that this happens ENTERING an interface. Traffic generated on the firewall itself does not enter an interface and that leaves only the routing table.

            Summary:
            I can trace traffic leaving pfSense, arriving at the destination and the reply being sent; it never arrives back at the pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).

            That sounds like a problem at the ASA side.

            I read your description a couple times and couldn't really make sense of it. Might need a pretty picture.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

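To make Derelict's ordering concrete, here is an added illustration (not pfSense code, and not written by anyone in this thread) that models the three stages exactly as he describes them: traffic entering an interface is checked against policy routing, then IPsec traffic selectors, then the routing table, while traffic generated on the firewall itself only ever consults the routing table. The rule tables are constructed from the thread's numbers (172.30.10.0/24 on the pfSense side, 172.30.15.0/24 on the ASA side, a default route pointing at a VPN-provider tunnel); the gateway names, the `LAN` interface label and the peer address 203.0.113.5 are assumptions made up for the example.

```python
"""Model of the decision order described in the thread (added illustration,
not pfSense code): traffic ENTERING an interface is subject to policy routing,
then IPsec traffic selectors, then the routing table; traffic generated on the
firewall itself never enters an interface and sees only the routing table.
All tables below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyRoute:
    """A firewall rule with a gateway set (policy-based routing) on one interface."""
    iface: str
    src: str       # CIDR
    dst: str       # CIDR
    gateway: str


@dataclass(frozen=True)
class TrafficSelector:
    """An IPsec phase 2 entry: local network <-> remote network."""
    local: str
    remote: str


@dataclass(frozen=True)
class Route:
    """A routing-table entry (what System -> Routing ends up with)."""
    prefix: str
    gateway: str


def lookup_route(dst, routes):
    """Longest-prefix match over the routing table; None if nothing matches."""
    dst = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best.gateway if best else None


def select_next_hop(src, dst, ingress_iface, pbr, selectors, routes):
    """Return (stage, next_hop). ingress_iface=None means the packet was
    generated by the firewall itself and never entered an interface."""
    src, dst = ip_address(src), ip_address(dst)
    if ingress_iface is not None:
        # 1. policy routing: first matching rule on the ingress interface wins
        for rule in pbr:
            if (rule.iface == ingress_iface
                    and src in ip_network(rule.src) and dst in ip_network(rule.dst)):
                return ("policy-routing", rule.gateway)
        # 2. IPsec traffic selectors (phase 2 local/remote pairs)
        for ts in selectors:
            if src in ip_network(ts.local) and dst in ip_network(ts.remote):
                return ("ipsec-selector", f"ipsec {ts.local}<->{ts.remote}")
    # 3. routing table: the only stage locally generated traffic ever reaches
    return ("routing-table", lookup_route(dst, routes))


# Constructed tables (assumed names): default route via a VPN-provider tunnel,
# one phase 2 covering the two LANs, and one policy-route rule that sends
# traffic for the IPsec peer's public address out the ISP gateway instead.
ROUTES = [Route("0.0.0.0/0", "PIA_VPN_GW"), Route("172.30.10.0/24", "lan0")]
SELECTORS = [TrafficSelector("172.30.10.0/24", "172.30.15.0/24")]
PBR = [PolicyRoute("LAN", "172.30.10.0/24", "203.0.113.5/32", "WAN_ISP_GW")]


def demo():
    """Three decisions that show the ordering; returned as a dict for inspection."""
    return {
        # LAN host pinging the ASA LAN: no PBR match, the selector catches it
        "lan_to_remote_lan": select_next_hop(
            "172.30.10.21", "172.30.15.21", "LAN", PBR, SELECTORS, ROUTES),
        # same destination, but the ping is sourced by the firewall itself: no
        # interface was entered, so the selector is skipped and the default
        # route (the VPN-provider tunnel) is what decides
        "firewall_to_remote_lan": select_next_hop(
            "172.30.10.1", "172.30.15.21", None, PBR, SELECTORS, ROUTES),
        # LAN host to the IPsec peer's public address: the policy route wins
        "lan_to_peer_public": select_next_hop(
            "172.30.10.21", "203.0.113.5", "LAN", PBR, SELECTORS, ROUTES),
    }


if __name__ == "__main__":
    for name, (stage, hop) in demo().items():
        print(f"{name:24s} -> {stage:15s} {hop}")
```

The second case is the one that trips people up in practice: a ping run from the firewall's own diagnostics page is not the same test as a ping from a LAN host behind it, because the firewall-sourced packet never passes the interface-entry stages where the phase 2 selector would have claimed it.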
              isolatedvirus
              last edited by Apr 30, 2017, 6:24 PM

              @isolatedvirus:

              PFSense as far as i can tell ignores its own PBR, and uses the routing setup in System->Routing

              @Derelict:

              Traffic generated on the firewall itself does not enter an interface and that leaves only the routing table.

              Thanks for confirming.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.