IPsec NAT/BINAT not working



  • Hi,

    my setup is the following:

    Site A:
    Lan: 192.168.100.0/24
    Lan_IP: 192.168.100.1
    Transfer: 10.2.81.0/24
    Transfer_IP: 10.2.81.1

    Site B:
    Lan: 10.2.82.0/24
    Lan_IP: 19.2.82.1

    I'm doing a site-to-site IPsec which is working. I can ping from both routers (pfSense, Juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to set up a Transfer-Net with NAT / BINAT routing:

    Site B should reach the clients on site A via a 10.2.81.x IP address and not via a 192.168.100.x IP address. So I want to map 10.2.81.0/24 <-> 192.168.100.0/24.

    First I tried to do this via the NAT/BINAT setting inside the IPsec settings:

    Site A IPsec Phase2

    Local Network: 192.168.100.0/24
    NAT/BINAT translation: 10.2.81.0/24
    Remote Network: 10.2.82.0/24

    That didn't work and I tried the same thing with 1:1 NAT from the Firewall tab:

    Site A

    External subnet IP 10.2.81.0
    Internal IP: 192.168.100.0/24
    Destination: 10.2.82.0/24

    No matter which mapping I choose, if I try to ping from 192.168.100.x to 10.2.82.x, pfSense routes the request through the WAN interface instead of the IPsec / Transfer-Net interface. How can I tell pfSense to route the traffic from my LAN through the IPsec tunnel and do the NAT?

    Thanks
    Greets
    Kilian
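The post above describes a 1:1 (BINAT) mapping of the LAN 192.168.100.0/24 onto the transfer net 10.2.81.0/24 and a phase 2 selector of 10.2.81.0/24 <-> 10.2.82.0/24. The following is an added illustration, not pfSense's own code and not the poster's configuration: it models what BINAT does (host bits preserved, network prefix swapped) and checks whether a source/destination pair falls inside the phase 2 traffic selector before and after translation. The network constants are taken from the post; the function names are made up for this example.

```python
import ipaddress

# Addressing plan as given in the post (Site A LAN, its BINAT/transfer net, Site B LAN).
SITE_A_LAN = ipaddress.ip_network("192.168.100.0/24")
SITE_A_BINAT = ipaddress.ip_network("10.2.81.0/24")   # "NAT/BINAT translation" network
SITE_B_LAN = ipaddress.ip_network("10.2.82.0/24")


def binat_translate(addr, inside, outside):
    """1:1 (BINAT) translation: keep the host bits, replace the network prefix.

    Works in either direction; pass (LAN, transfer) for outbound and
    (transfer, LAN) for inbound packets. Hypothetical helper, not a pfSense API.
    """
    addr = ipaddress.ip_address(addr)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("BINAT requires two networks of the same size")
    if addr not in inside:
        raise ValueError(f"{addr} is not inside {inside}")
    host_bits = int(addr) - int(inside.network_address)
    return ipaddress.ip_address(int(outside.network_address) + host_bits)


def selector_match(src, dst, local, remote):
    """True if (src, dst) is covered by a phase 2 selector local <-> remote.

    A packet that does not match any IPsec policy is not sent into the tunnel;
    it is forwarded by the ordinary routing table instead (default route = WAN).
    """
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def outbound(src, dst):
    """Simulate a Site A LAN host sending to Site B: translate, then check the selector."""
    translated = binat_translate(src, SITE_A_LAN, SITE_A_BINAT)
    matched = selector_match(translated, dst, SITE_A_BINAT, SITE_B_LAN)
    return str(translated), matched


def inbound(dst_on_transfer_net):
    """Reverse mapping for a reply from Site B addressed to the transfer-net address."""
    return str(binat_translate(dst_on_transfer_net, SITE_A_BINAT, SITE_A_LAN))


if __name__ == "__main__":
    # Untranslated LAN source: not covered by the 10.2.81.0/24 <-> 10.2.82.0/24 selector.
    print(selector_match("192.168.100.21", "10.2.82.20", SITE_A_BINAT, SITE_B_LAN))  # False
    # After BINAT the same flow is inside the selector and belongs in the tunnel.
    print(outbound("192.168.100.21", "10.2.82.20"))   # ('10.2.81.21', True)
    print(inbound("10.2.81.21"))                      # 192.168.100.21
```

The point of the selector check is the ordering: on a policy-based tunnel the BINAT has to happen before the packet is compared with the phase 2 selector, otherwise a 192.168.100.x source never matches 10.2.81.0/24 and the packet is simply handed to the default route.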



  • I've done a little more testing:

    ICMP from 192.168.100.21 (Site A) -> 10.2.82.20 (Site B)

    pcap from pfsense Site A LAN Interface

    
    10:02:59.789013 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61312, length 44
    10:02:59.789848 IP 85.236.56.242 > 192.168.100.21: ICMP time exceeded in-transit, length 72
    10:02:59.889335 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61568, length 44
    10:02:59.904306 IP 85.236.32.141 > 192.168.100.21: ICMP time exceeded in-transit, length 36
    10:02:59.989592 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61824, length 44
    10:02:59.990534 IP 85.236.56.243 > 192.168.100.21: ICMP time exceeded in-transit, length 72
    
    

    So traffic is going out through the WAN interface on the pfSense side. The IPs 85.236.56.24x are from my upstream router.
    Traceroute from the LAN shows me more than 10 hops with lots of different public IPs.

    That looks to me like the packets aren't getting to the remote site.

    Next, I set up a static route for the network 10.2.82.0/24 with gateway 10.2.81.1 on Site A:

    Site B 10.2.82.0/24 <- GW Site A 10.2.81.1 <- LAN Site A 192.168.100.0/24

    pcap from pfsense Site A LAN Interface

    
    10:23:02.078077 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7306, length 44
    10:23:02.078088 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
    10:23:02.203420 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7562, length 44
    10:23:02.203432 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
    10:23:02.328836 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7818, length 44
    10:23:02.328862 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
    
    

    I can see the ICMP on the LAN interface and the response from the pfSense LAN GW on Site A that the host is unreachable. Nothing to see on the IPsec interface … looks like the traffic isn't routed correctly?
    Traceroute from the LAN shows me only one hop (pfSense GW).

    However, if I do an ICMP from my pfSense directly (not from a host in my LAN) I can see packets on the IPsec interface:

    pcap from pfsense Site A IPsec Interface

    
    10:25:37.963386 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 2, length 64
    10:25:37.967593 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 2, length 64
    10:25:38.967416 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 3, length 64
    10:25:38.971650 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 3, length 64
    10:25:39.971444 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 4, length 64
    10:25:39.975658 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 4, length 64
    
    

    So if I try to ping from my pfSense directly, the route works and traffic is passed through IPsec. If I try from my LAN, I can see ICMP packets on the LAN interface but not on the IPsec interface …
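The three captures in the post above each show a different symptom: "time exceeded" from public hops (the packet followed the default route out the WAN), "host unreachable" from the LAN gateway itself (the static route pointed at a next hop that is not really reachable, so the firewall rejected locally), and ESP-tagged lines with an SPI (the packet entered the IPsec SA). The block below is an added example, not from the poster or from pfSense: a small parser for this tcpdump line format that classifies each line and turns a capture into one of those three verdicts. The sample captures are the lines quoted in the post; the local networks and gateway address are assumed from the thread's addressing plan.

```python
import ipaddress
import re

# Assumed from the thread: Site A LAN, Site A transfer net, Site B LAN, Site A LAN gateway.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.100.0/24", "10.2.81.0/24", "10.2.82.0/24")]
LAN_GATEWAY = ipaddress.ip_address("192.168.100.1")

# tcpdump -n line, optionally prefixed with the ESP decoration "(authentic,confidential): SPI 0x...:".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\((?P<esp>[^)]*)\):\s+SPI\s+(?P<spi>0x[0-9a-fA-F]+):\s+)?"
    r"IP\s+(?P<src>\S+)\s+>\s+(?P<dst>[^:]+):\s+(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict with ts/esp/spi/src/dst/rest for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    return pkt


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def classify(pkt):
    """Label a parsed line by what it says about the forwarding path."""
    rest = pkt["rest"]
    if pkt["esp"]:
        return "in_tunnel"                      # ESP SA seen: packet went into IPsec
    if "echo request" in rest:
        return "echo_request"
    if "time exceeded" in rest and not is_local(pkt["src"]):
        return "ttl_expired_on_internet"        # public router answered: default route / WAN
    if "unreachable" in rest and pkt["src"] == LAN_GATEWAY:
        return "rejected_by_local_gateway"      # firewall itself refused to forward
    return "other"


def diagnose(capture_text):
    """Summarise a capture into one verdict; the first matching rule wins."""
    kinds = {classify(p) for p in map(parse_line, capture_text.splitlines()) if p}
    if "in_tunnel" in kinds:
        return "traffic is entering the IPsec SA"
    if "ttl_expired_on_internet" in kinds:
        return "traffic is following the default route out the WAN"
    if "rejected_by_local_gateway" in kinds:
        return "firewall has no usable route; it is rejecting locally"
    return "no diagnostic replies seen"


# Sample captures, copied from the three pcaps quoted in the post.
CAPTURE_WAN_LEAK = """\
10:02:59.789013 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61312, length 44
10:02:59.789848 IP 85.236.56.242 > 192.168.100.21: ICMP time exceeded in-transit, length 72
"""
CAPTURE_STATIC_ROUTE = """\
10:23:02.078077 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7306, length 44
10:23:02.078088 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
"""
CAPTURE_TUNNEL = """\
10:25:37.963386 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 2, length 64
10:25:37.967593 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 2, length 64
"""

if __name__ == "__main__":
    for name, cap in (("WAN leak", CAPTURE_WAN_LEAK),
                      ("static route", CAPTURE_STATIC_ROUTE),
                      ("tunnel", CAPTURE_TUNNEL)):
        print(f"{name}: {diagnose(cap)}")
```

Reading the capture this way is quicker than eyeballing it: a "time exceeded" from an address outside every local network is proof the packet left via the WAN, and the absence of any ESP line for a flow that is supposed to be protected is the thing to look for before touching NAT settings.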



  • I tried many different things … for simplicity I reverted back to the original settings. For better understanding I added some screenshots of my basic settings.

    ![Bildschirmfoto 2017-08-24 um 09.32.21.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.32.21.png)
    ![Bildschirmfoto 2017-08-24 um 09.32.05.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.32.05.png)
    ![Bildschirmfoto 2017-08-24 um 09.31.31.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.31.31.png)


  • Netgate

    Right.

    I am trying to figure out how you can ping sourced from 10.2.81.1 to 10.2.82.1.

    Is 10.2.81.1 a local address on the firewall? If it is just a binat network you should not be able to ping sourced from that.



  • Ok, it is working now!

    My initial config was correct, but an old bug from pfSense (2015) got in my way:

    https://redmine.pfsense.org/issues/5319

    Charon didn't restart correctly and I had to kill it manually. After that, it reloaded the config correctly and it is working now. So the problem was that Charon didn't restart / reload the config :/

    Thanks for your help anyway