How to NAT packets coming from IPSec interface back to IPSec?



  • When I add a rule in section "NAT / Outbound", the IPSec interface can be chosen. But if I choose it, the router ignores this rule. In "States" or "Packet Capture" it can be seen that the addresses of the connections do not change. And if I change the interface from IPSec to WAN, then the addresses change and NAT works correctly. What can be the reason? Is this a bug or what?

    Could this be due to the fact that I'm trying to NAT traffic coming from the IPSec interface back into IPSec?

    Or can NAT only be used on physical interfaces? If so, why is IPSec in the list of choices?



  • What exactly are you trying to do?

    If you're trying to NAT all VPN clients to change the source IP to the firewall's IPSEC interface, you'd set the source IP range as the IPSEC client DHCP range (or network if it's a separate subnet).

    If you can provide a little more detail I'll be better able to answer your questions and assist.



  • I think I'm running into a similar issue.

    So my setup is a tad beyond basic IPSec site-to-site and I think that may be part of the problem.

    Background:
    I'm running a VPN Client (PIA I subscribe to), but successfully have OpenVPN Server running (listening on the regular ISP gateway rather than the PIA interface and routing out the same).

    I have a firewall rule to not use my VPN service when connecting to where my IPSec tunnel is landing.

    I set up an IPSec site-to-site tunnel to an ASA5505.  Tunnel comes up, 0 packets inbound, see the traffic outbound.

    Testing:
    I open up 2 ssh windows, 172.30.15.21 and 172.30.10.21 (.15.0 is ASA side, .10.0 is pfSense).
    tcpdump running on both.
    Ping from pfSense 10.21: see outgoing packet.  ASA 15.21: tcpdump: receive packet and send reply.  pfSense: 10.21 no reply received.

    Ping from ASA side 10.21: see outgoing packet.  pfSense 10.21: no packets received.

    I have the rule on IPSec to allow all.

    I see in the state table the source public ip -> destination public IP :500.  I saw on the wiki to if you see that, to clear it with a nat exemption rule (which I tried, but it keeps coming back).  Tried any/UDP/ESP port 500, all ports, with source without on WAN on IPSec (based on what is in the state table).

    Summary:
    I can trace traffic leaving pfSense, arriving at destination and reply being sent, it never arrives back at pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).



  • @johnkv:

    I think I'm running into a similar issue.

    So my setup is a tad beyond basic IPSec site-to-site and I think that may be part of the problem.

    Background:
    I'm running a VPN Client (PIA I subscribe to), but successfully have OpenVPN Server running (listening on the regular ISP gateway rather than the PIA interface and routing out the same).

    I have a firewall rule to not use my VPN service when connecting to where my IPSec tunnel is landing.

    I set up an IPSec site-to-site tunnel to an ASA5505.  Tunnel comes up, 0 packets inbound, see the traffic outbound.

    Testing:
    I open up 2 ssh windows, 172.30.15.21 and 172.30.10.21 (.15.0 is ASA side, .10.0 is pfSense).
    tcpdump running on both.
    Ping from pfSense 10.21: see outgoing packet.  ASA 15.21: tcpdump: receive packet and send reply.  pfSense: 10.21 no reply received.

    Ping from ASA side 10.21: see outgoing packet.  pfSense 10.21: no packets received.

    I have the rule on IPSec to allow all.

    I see in the state table the source public ip -> destination public IP :500.  I saw on the wiki to if you see that, to clear it with a nat exemption rule (which I tried, but it keeps coming back).  Tried any/UDP/ESP port 500, all ports, with source without on WAN on IPSec (based on what is in the state table).

    Summary:
    I can trace traffic leaving pfSense, arriving at destination and reply being sent, it never arrives back at pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).

    Out of curiosity, do you have your default gateway on pfSense set as the PIA tunnel?
    pfSense, as far as I can tell, ignores its own PBR and uses the routing setup in System->Routing.


  • Actually, policy routing generally overrides the routing table.

    When traffic enters an interface it is generally subject to:

    Policy routing
    IPsec Traffic Selectors
    Routing table

    What people generally don't understand is that this happens ENTERING an interface. Traffic generated on the firewall itself does not enter an interface and that leaves only the routing table.

    Summary:
    I can trace traffic leaving pfSense, arriving at destination and reply being sent, it never arrives back at pfSense side.  NAT exemption seems to be ignored as it keeps showing up in the state table (shows public IP on both sides :500).

    That sounds like a problem at the ASA side.

    I read your description a couple times and couldn't really make sense of it. Might need a pretty picture.
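    The evaluation order described in the post above (policy routing, then IPsec traffic selectors, then the routing table, with the first two stages applying only to traffic that entered an interface) is easy to get wrong when debugging a tunnel next to a VPN client gateway. The following is an added toy model of that order, not pfSense code and not posted by anyone in this thread; the rule tables, the interface names `LAN`, `WAN_GW` and `PIA_VPN`, and the addresses are constructed to mirror the thread's 172.30.10.0/24 (pfSense side) and 172.30.15.0/24 (ASA side) networks.

```python
"""Toy model of the forwarding decision order described in the post:
1. policy routing (firewall rules with a gateway on the ingress interface),
2. IPsec phase 2 traffic selectors,
3. the routing table (longest-prefix match).
Stages 1 and 2 only run for traffic that entered an interface; traffic
generated on the firewall itself (ingress=None) goes straight to stage 3.
This is a simplification for illustration, not pfSense's implementation.
"""
import ipaddress


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# --- constructed sample configuration (hypothetical, mirrors the thread) ---
PBR_RULES = [
    # Plain pass rule with no gateway, listed first: exempts tunnel traffic
    # from policy routing so it can fall through to the IPsec selectors.
    {"iface": "LAN", "src": _net("172.30.10.0/24"),
     "dst": _net("172.30.15.0/24"), "gateway": None},
    # Everything else from LAN is policy-routed out the VPN client gateway.
    {"iface": "LAN", "src": _net("172.30.10.0/24"),
     "dst": _net("0.0.0.0/0"), "gateway": "PIA_VPN"},
]
IPSEC_SELECTORS = [
    {"name": "p2-to-asa", "local": _net("172.30.10.0/24"),
     "remote": _net("172.30.15.0/24")},
]
ROUTING_TABLE = [
    {"dst": _net("0.0.0.0/0"), "gateway": "WAN_GW"},
    {"dst": _net("172.30.10.0/24"), "gateway": "LAN"},
]


def forward(src: str, dst: str, ingress,
            pbr=PBR_RULES, selectors=IPSEC_SELECTORS, table=ROUTING_TABLE):
    """Return (stage, target) for a packet src->dst that entered `ingress`
    (an interface name) or was generated locally (ingress=None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if ingress is not None:
        # Stage 1: first matching rule on the ingress interface wins.
        for rule in pbr:
            if (rule["iface"] == ingress
                    and src_ip in rule["src"] and dst_ip in rule["dst"]):
                if rule["gateway"] is not None:
                    return ("policy-route", rule["gateway"])
                break  # matched a plain pass rule: no policy routing applied

        # Stage 2: IPsec traffic selectors (phase 2 local/remote networks).
        for sel in selectors:
            if src_ip in sel["local"] and dst_ip in sel["remote"]:
                return ("ipsec", sel["name"])

    # Stage 3: routing table, longest prefix match.
    best = None
    for route in table:
        if dst_ip in route["dst"] and (
                best is None or route["dst"].prefixlen > best["dst"].prefixlen):
            best = route
    return ("route", best["gateway"]) if best else ("unreachable", None)


if __name__ == "__main__":
    # LAN host to the ASA side: exempt from PBR, caught by the selector.
    print(forward("172.30.10.21", "172.30.15.21", "LAN"))
    # LAN host to the Internet: policy-routed out the VPN client.
    print(forward("172.30.10.21", "198.51.100.7", "LAN"))
    # Ping issued on the firewall itself from its WAN address: routing table only.
    print(forward("203.0.113.10", "172.30.15.21", None))
```

    Running it shows the point the post makes: the same destination reaches the tunnel when the packet enters LAN, but a packet the firewall generates itself skips both policy routing and the selector check and follows the default route, so a ping from the pfSense shell is not a valid test of the tunnel or of a policy-routing exemption.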



  • @isolatedvirus:

    pfSense, as far as I can tell, ignores its own PBR and uses the routing setup in System->Routing.

    @Derelict:

    Traffic generated on the firewall itself does not enter an interface and that leaves only the routing table.

    Thanks for confirming.

