NAT 1:1 and IPsec
-
Hi
I have established successfully a S2S IPsec tunnel between 2 sites 192.168.2.0/24 & 10.5.23.0/24. I would like to access 10.5.35.0/24 without creating a new P2 entry in both routers as this network can be duplicated on different sites(subnet overlap) my idea was to do nat 1.1 10.5.23.x over 10.5.35.x.(see schematic)
The ping command from remote network to server 10.5.35.100 returns:
17:14:15.809601 IP 192.168.2.112 > 10.5.35.100: ICMP echo request, id 1, seq 14418, length 40
17:14:15.809805 IP 10.5.35.100 > 192.168.2.112: ICMP echo reply, id 1, seq 14418, length 40
So the NAT is working but where i got it wrong it is i cannot redirect traffic to 192.168.2.0/24
Here is the traffic on IPSEC interface on PFsense2 and 10.5.23.221 is the NAT address of 10.5.35.100:17:05:15.809101 (authentic,confidential): SPI 0xc4ec4794: IP 192.168.2.112 > 10.5.23.221: ICMP echo request, id 1, seq 14310, length 40
17:05:20.808231 (authentic,confidential): SPI 0xc4ec4794: IP 192.168.2.112 > 10.5.23.221: ICMP echo request, id 1, seq 14311, length 40Without doing any routing the packet are redirected to the WAN interface which is not right:
17:17:25.811657 IP 10.5.23.221 > 192.168.2.112: ICMP echo reply, id 1, seq 14456, length 40
17:17:30.810527 IP 10.5.23.221 > 192.168.2.112: ICMP echo reply, id 1, seq 14457, length 40Is there a way to force 192.168.2.0/24 to use the IPSEC tunnel. This is a working scenario as i have used it many times with another well-known brand.
Does anybody had a similar configuration that could me give advice?Thanks
-
Answer
Use a new 10.6.23.0/24 subnet for this site.
-
Then add a new P2 at the main site for 192.168.2.0/24 to 10.6.23.0/24.
-
At the remote site add a new P2 for 10.5.35.0/24 to 192.168.2.0/24 and add the NAT address field to 10.6.23.0/24.
The 1:1 NAT setting is no longer required as route-based IPsec is not supported in FreeBSD 10(pfSense 2.3.4) hopefully in 2.5.
Thanks to pfSense support that gave me this valuable information.
https://www.netgate.com/blog/pfsense-2-5-and-aes-ni.html -