    IPsec NAT/BINAT not working

    5 Posts 2 Posters 5.3k Views
    • D
      discostur
      last edited by

      Hi,

      my setup is the following:

      Site A:
      Lan: 192.168.100.0/24
      Lan_IP: 192.168.100.1
      Transfer: 10.2.81.0/24
      Transfer_IP: 10.2.81.1

      Site B:
      Lan: 10.2.82.0/24
      Lan_IP: 19.2.82.1

      I'm doing a site-to-site IPsec which is working. I can ping from both routers (pfsense, juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to set up a Transfer-Net with NAT / BINAT routing:

      Site B should reach the clients on site A via a 10.2.81.x IP address and not via a 192.168.100.x IP address. So I want to map 10.2.81.0/24 <-> 192.168.100.0/24.

      First I tried to do this via the NAT/BINAT setting inside the IPsec settings:

      Site A IPsec Phase2

      Local Network: 192.168.100.0/24
      NAT/BINAT translation: 10.2.81.0/24
      Remote Network: 10.2.82.0/24

      That didn't work, and I tried the same thing with 1:1 NAT from the Firewall tab:

      Site A

      External subnet IP 10.2.81.0
      Internal IP: 192.168.100.0/24
      Destination: 10.2.82.0/24

      No matter which mapping I choose, if I try to ping from 192.168.100.x to 10.2.82.x, pfsense routes the request through the WAN interface instead of the IPsec / Transfer-Net interface. How can I tell pfsense to route the traffic from my Lan through the IPsec tunnel and do the NAT?

      Thanks
      Greets
      Kilian

      • D
        discostur
        last edited by

        I've done a little more testing:

        ICMP from 192.168.100.21 (Site A) -> 10.2.82.20 (Site B)

        pcap from pfsense Site A LAN Interface

        ```
        10:02:59.789013 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61312, length 44
        10:02:59.789848 IP 85.236.56.242 > 192.168.100.21: ICMP time exceeded in-transit, length 72
        10:02:59.889335 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61568, length 44
        10:02:59.904306 IP 85.236.32.141 > 192.168.100.21: ICMP time exceeded in-transit, length 36
        10:02:59.989592 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61824, length 44
        10:02:59.990534 IP 85.236.56.243 > 192.168.100.21: ICMP time exceeded in-transit, length 72
        ```

        So traffic is going out through the WAN interface on the pfsense side. The IPs 85.236.56.24x are from my upstream router.
        Traceroute from Lan shows me more than 10 hops with lots of different public IPs.

        That looks to me like the packets aren't getting to the remote site.

        Next, I set up a static route for the network 10.2.82.0/24 with gateway 10.2.81.1 on Site A:

        Site B 10.2.82.0/24 <- GW Site A 10.2.81.1 <- LAN Site A 192.168.100.0/24

        pcap from pfsense Site A LAN Interface

        ```
        10:23:02.078077 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7306, length 44
        10:23:02.078088 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
        10:23:02.203420 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7562, length 44
        10:23:02.203432 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
        10:23:02.328836 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 13593, seq 7818, length 44
        10:23:02.328862 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36
        ```

        I can see the ICMP on the Lan interface and the response from the pfsense Lan GW on Site A that the host is unreachable. Nothing to see on the IPsec interface … looks like the traffic isn't routed correctly?
        Traceroute from Lan shows me only one hop (pfsense GW).

        However, if I do an ICMP from my pfsense directly (not from a host in my Lan) I can see packets on the IPsec interface:

        pcap from pfsense Site A IPsec Interface

        ```
        10:25:37.963386 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 2, length 64
        10:25:37.967593 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 2, length 64
        10:25:38.967416 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 3, length 64
        10:25:38.971650 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 3, length 64
        10:25:39.971444 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 4, length 64
        10:25:39.975658 (authentic,confidential): SPI 0xc95b13d7: IP 10.2.82.20 > 10.2.81.1: ICMP echo reply, id 24572, seq 4, length 64
        ```

        So if I try to ping from my pfsense directly the route works and traffic is passed through IPsec. If I try from my Lan, I can see ICMP packets on the Lan interface but not on the IPsec interface …

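As an added illustration (not code from the thread or from pfSense), the script below parses the three kinds of tcpdump lines shown in the captures above and labels each with the symptom it indicates (left via WAN, rejected by the local gateway, or carried inside an IPsec SA), and applies the 192.168.100.0/24 to 10.2.81.0/24 BINAT mapping from the first post to show which address a LAN host should have on the IPsec interface. The subnets and the sample lines are taken from the thread; the verdict labels and the parsing are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
# Subnets as given in the thread: Site A LAN, its NAT/BINAT image, Site B LAN.
LAN_A = ip_network("192.168.100.0/24")
BINAT_A = ip_network("10.2.81.0/24")
LAN_B = ip_network("10.2.82.0/24")

# tcpdump on a plain interface, and on pfSense's enc0, which prefixes the SPI.
PLAIN = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
ENC = re.compile(r"^\S+ \(\S+\): SPI (0x[0-9a-fA-F]+): IP (\S+) > (\S+): (.*)$")

def binat_map(addr):
    """Net-to-net 1:1 (BINAT) translation: swap the network bits, keep the host bits."""
    a = ip_address(addr)
    if a not in LAN_A:
        return a
    return ip_address(int(BINAT_A.network_address) + (int(a) - int(LAN_A.network_address)))

def classify(line):
    """Map one tcpdump line to a verdict about where the packet went (None if unparsed)."""
    m = ENC.match(line)
    if m:
        spi, src, dst, _ = m.groups()
        return f"tunnel: {src} -> {dst} inside SA {spi}"
    m = PLAIN.match(line)
    if not m:
        return None
    src, dst, summary = m.groups()
    if "time exceeded" in summary and ip_address(src) not in LAN_A:
        return f"wan-leak: TTL expired at upstream hop {src}"  # packet left via WAN
    if "unreachable" in summary and ip_address(src) in LAN_A:
        return f"local-reject: gateway {src} has no usable route"  # dropped on the box
    if ip_address(src) in LAN_A and ip_address(dst) in LAN_B:
        return f"lan-egress: {src} -> {dst}, should show on enc0 as {binat_map(src)}"
    return "other"

def summarize(lines):
    """Count verdict kinds (the word before the first ':') over a whole capture."""
    return Counter(v.split(":")[0] for v in map(classify, lines) if v)

# Lines copied from the captures in this thread, one or two from each pcap.
SAMPLE = [
    "10:02:59.789013 IP 192.168.100.21 > 10.2.82.20: ICMP echo request, id 3085, seq 61312, length 44",
    "10:02:59.789848 IP 85.236.56.242 > 192.168.100.21: ICMP time exceeded in-transit, length 72",
    "10:23:02.078088 IP 192.168.100.1 > 192.168.100.21: ICMP host 10.2.82.20 unreachable, length 36",
    "10:25:37.963386 (authentic,confidential): SPI 0x0bd8d6c6: IP 10.2.81.1 > 10.2.82.20: ICMP echo request, id 24572, seq 2, length 64",
]
```

Feed it a full `tcpdump -n` capture from the LAN and enc0 interfaces and the summary tells you at a glance whether LAN traffic is leaking out WAN, being rejected locally, or actually entering the tunnel.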
        • D
          discostur
          last edited by

          I tried many different things … for simplicity I reverted back to the original settings. For better understanding I added some screenshots of my basic settings.

          ![Bildschirmfoto 2017-08-24 um 09.32.21.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.32.21.png)
          ![Bildschirmfoto 2017-08-24 um 09.32.05.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.32.05.png)
          ![Bildschirmfoto 2017-08-24 um 09.31.31.png](/public/imported_attachments/1/Bildschirmfoto 2017-08-24 um 09.31.31.png)

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Right.

            I am trying to figure out how you can ping sourced from 10.2.81.1 to 10.2.82.1.

            Is 10.2.81.1 a local address on the firewall? If it is just a binat network you should not be able to ping sourced from that.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • D
              discostur
              last edited by

              Ok, it is working now!

              My initial config was correct, but an old pfsense bug (from 2015) got in my way:

              https://redmine.pfsense.org/issues/5319

              Charon didn't restart correctly and I had to kill it manually. After that, it reloaded the config correctly and it is working now. So the problem was that Charon didn't restart / reload the config :/

              Thanks for your help anyway
