Netgate Discussion Forum

    IPSec + NAT unable to ping servers.

bolt

Hello All,

For the first time I am configuring IPsec and I need some help.

My IP is 114.123.230.162 on the pfSense WAN.

My client has suggested using remote gateway IP 89.x.x.x in the phase 1 configuration.

Phase 2 config is as follows:
- Mode: tunnel
- Local network: 192.168.1.105/32
- NAT/BINAT translation: 114.123.230.162
- Remote network: 10.200.0.2/32

Status shows me I have established the connection, but I am unable to ping that machine.

My question is: have I missed something?

Derelict (Netgate)

        Why are you entering NAT there? Are they expecting connections only from 114.123.230.162?

In their phase 2, are they using:

- Local network: 10.200.0.2/32
- Remote network: 114.123.230.162/32

?

        In general, the outside tunnel (phase 1) is established using outside, real WAN IP addresses.

        The inside tunnel is established between inside, LAN addresses.

        https://doc.pfsense.org/index.php/VPN_Capability_IPsec

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

bolt

Yes, they are expecting connections from 114.123.230.162.

I don't know about their configuration, but they use a Cisco ASA.

Yes, I have gone through the configuration documents.

And I was told to NAT the public IP for the phase 2 configuration.

Derelict (Netgate)

            If it was me I would packet capture on IPsec and ping across. If they are going out and nothing coming back they have something screwed up at the other end.

bolt

So you are saying that if I am establishing a connection with the other site, my IPsec configuration is correct.

And I should further inspect the ICMP packets?

Derelict (Netgate)

From what you say, yes, it appears to be correct. Is your Phase 2 entry showing as Up in Status > IPsec?

                I would just verify that the pings are, in fact, going out IPsec and whether or not replies are being returned.

                Note that there is an idiosyncrasy in packet capturing on IPsec with a NAT. The local address will not yet be translated in the capture. NAT will still be occurring. I can't recall if that is just outbound, just inbound, or in both directions. Probably both.

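The check Derelict describes, as an added example that is not part of the thread: pair ICMP echo requests with their replies in a text capture taken on the IPsec interface, treating both the untranslated local address and the BINAT address as "ours", since the capture may show the local address before translation. The tcpdump-style line format and the sample lines are constructed assumptions; the addresses are the ones from the phase 2 entry above.

```python
import re

# Addresses from the thread's phase 2 entry (pfSense side).
LOCAL_HOST = "192.168.1.105"      # local network (/32), pre-translation
BINAT_ADDR = "114.123.230.162"    # NAT/BINAT translation address
REMOTE_HOST = "10.200.0.2"        # remote network (/32)

# Assumed tcpdump text format for ICMP on the IPsec interface
# (e.g. "tcpdump -ni enc0 icmp" on pfSense; field order is an assumption).
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
    r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def analyze_capture(lines, local_addrs=(LOCAL_HOST, BINAT_ADDR), remote=REMOTE_HOST):
    """Return (answered, unanswered) lists of (id, seq) for echo requests sent
    from any of local_addrs to remote. A request is answered when a reply from
    remote with the same id/seq arrives at either the local or the BINAT address,
    because the capture may or may not show the translated address."""
    requests = {}
    replies = set()
    for line in lines:
        m = ICMP_RE.match(line)
        if not m:
            continue  # not an ICMP echo line; ignore
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request" and m["src"] in local_addrs and m["dst"] == remote:
            requests[key] = m["src"]
        elif m["kind"] == "reply" and m["src"] == remote and m["dst"] in local_addrs:
            replies.add(key)
    answered = sorted(k for k in requests if k in replies)
    unanswered = sorted(k for k in requests if k not in replies)
    return answered, unanswered


# Constructed sample capture: three requests leave the tunnel, only seq 1 is answered.
SAMPLE = [
    "14:39:08.100 IP 192.168.1.105 > 10.200.0.2: ICMP echo request, id 7, seq 1, length 64",
    "14:39:08.130 IP 10.200.0.2 > 114.123.230.162: ICMP echo reply, id 7, seq 1, length 64",
    "14:39:09.100 IP 192.168.1.105 > 10.200.0.2: ICMP echo request, id 7, seq 2, length 64",
    "14:39:10.100 IP 192.168.1.105 > 10.200.0.2: ICMP echo request, id 7, seq 3, length 64",
]

if __name__ == "__main__":
    ok, missing = analyze_capture(SAMPLE)
    print("answered :", ok)        # requests that got a reply back through the tunnel
    print("no reply :", missing)   # requests the far end never answered
```

Requests that leave with no matching reply are what to show the other side; requests that never appear at all point back at the local phase 2 selectors or NAT.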
bolt

These are some details, if you can help.

Yes, Status > IPsec shows the phase 2 entry is up.

Sorry for the order.

![Screenshot from 2017-06-15 14:39:08.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:39:08.png)
![Screenshot from 2017-06-15 14:37:59.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:59.png)
![Screenshot from 2017-06-15 14:37:50.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:37:50.png)
![Screenshot from 2017-06-15 14:38:34.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:38:34.png)
![Screenshot from 2017-06-15 14:36:20.png](/public/imported_attachments/1/Screenshot from 2017-06-15 14:36:20.png)

Derelict (Netgate)

                    That all looks fine. Not sure what those IKE and NAT-T rules on OPT1 are for.

bolt

The packet capture is attached.

I see that packets are being successfully sent to the other end, but no replies are seen from them.

Thanks Derelict, you made me trust pfSense again with the support you gave me. KUDOS!!!!

![Screenshot from 2017-06-15 15:26:29.png](/public/imported_attachments/1/Screenshot from 2017-06-15 15:26:29.png)
                      packetcapture.txt

Derelict (Netgate)

                        Glad to help. That should give you at least something to show the other side.
