IPSec + NAT unable to ping servers.

bolt

Here All,

For the first time i am configuring IPSec and i need a help.

MY IP is 114.123.230.162 on pfsense WAN.

My client has suggested to use remote gateway IP 89.x.x.x in phase 1 configuration.

phase 2 config as follows:
mode : tunnel
local network : 192.168.1.105/32
NAT/BINAT Translation : 114.123.230.162
remote network : 10.200.0.2/32

status shows me i have established the connection.
but i am unable to ping that machine.

Have i missed something? is my question?

Derelict

Why are you entering NAT there? Are they expecting connections only from 114.123.230.162?

In their phase 2 are they:

Local network: 10.200.0.2/32
Remote network: 114.123.230.162/32
?

In general, the outside tunnel (phase 1) is established using outside, real WAN IP addresses.

The inside tunnel is established between inside, LAN addresses.

https://doc.pfsense.org/index.php/VPN_Capability_IPsec

bolt

Yes, They are expecting connections from 114.123.230.162.

I don't know about there configurations. But they use CISCO ASA .

Yes , I had gone through the configuration documents.

And i was told to NAT the public IP for phase 2 configurations.

Derelict

If it was me I would packet capture on IPsec and ping across. If they are going out and nothing coming back they have something screwed up at the other end.

bolt

So you say if i am establishing connection with the other site, my configuration for IPSec are correct.

And i should further inspect the icmp packets?

Derelict

From what you say, yes, it appears to be correct. Is your Phase 2 entry showing as Up in Status > IPsec??

I would just verify that the pings are, in fact, going out IPsec and whether or not replies are being returned.

Note that there is an idiosyncrasy in packet capturing on IPsec with a NAT. The local address will not yet be translated in the capture. NAT will still be occurring. I can't recall if that is just outbound, just inbound, or in both directions. Probably both.

bolt

This are some details if you can help.

Yes the Status > IPSec shows its up in phase 2 entry.

sorry for the order.

![Screenshot from 2017-06-15 14:39:08.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:39:08.png)
![Screenshot from 2017-06-15 14:39:08.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 14:39:08.png_thumb)
![Screenshot from 2017-06-15 14:37:59.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:59.png)
![Screenshot from 2017-06-15 14:37:59.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:59.png_thumb)
![Screenshot from 2017-06-15 14:37:50.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:50.png)
![Screenshot from 2017-06-15 14:37:50.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:50.png_thumb)
![Screenshot from 2017-06-15 14:38:34.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:38:34.png)
![Screenshot from 2017-06-15 14:38:34.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 14:38:34.png_thumb)
![Screenshot from 2017-06-15 14:36:20.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:36:20.png)
![Screenshot from 2017-06-15 14:36:20.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 14:36:20.png_thumb)

Derelict

That all looks fine. Not sure what those IKE and NAT-T rules on OPT1 are for.

bolt

This are the packet capture attached.

I see that packets are been successfully send to the other end but no replies are been seen from them.

Thanks Derelict , You made me trust again on PFSense to support you gave me. KUDOS!!!!

![Screenshot from 2017-06-15 15:26:29.png](/public/imported_attachments/1/Screenshot from 2017-06-15 15:26:29.png)
![Screenshot from 2017-06-15 15:26:29.png_thumb](/public/imported_attachments/1/Screenshot from 2017-06-15 15:26:29.png_thumb)
packetcapture.txt

Derelict

Glad to help. That should give you at least something to show the other side.