IPSec NAT question



  • Hello,

    We are trying to get an IPSec tunnel working where the other side uses NAT.  The tunnel currently works on a CIsco ASA at a different location, but we are using pfSense at a new location.  We can get the tunnel itself (Phase 1) connected, but just can't pass traffic between the servers behind the tunnel (Phase 2).

    Here is the config from the Cisco ASA, for reference:

    
    TUNNEL SETTINGS:
    Local network: 10.1.204.0/24
    Remote Network: 172.20.1.154/32
    
    NAT SETTINGS (aliases show translated IPs in brackets for reference):
    Source Interface: inside
    Source Address: VTC_LAN (10.1.204.0/24)
    Destination Interface: Outside
    Destinaton Address: FHA_Domain (172.20.1.154)
    Source Address: FHA_LOCAL_Domain (172.21.4.97)
    
    

    On the pfSense, I have the following values (Phase 2):

    
    Local Network: 10.1.2.0/24
    Remote Network: 172.20.1.154/32 (we are only accessing a single server)
    
    

    On their side (their own ASA), they have:

    
    Local network: 172.20.1.154/32
    Remote Network: 172.21.4.64 (their NAT IP for this particular tunnel)
    
    

    (Their settings for the tunnel that connects to my client's ASA are the same, except the "Remote Network" is '172.21.4.97'; they wanted to make sure the current tunnel is active until we get things working with the new one).  I have verified that the Phase 2 encryption settings match on both sides (based on what they have told me).

    On the pfSense, I created an Outbound NAT rule with the following settings:

    
    Interface: LAN (10.1.2.1)
    Source: Network -> 10.1.2.0/24
    Destination: Network -> 172.20.1.154/32
    Address: Other Subnet -> 172.21.4.64/32
    
    

    I saved and applied the settings, I have restarted the tunnel, and have even restarted the whole pfSense, but while the Phase 1 connects, the Phase 2 is still and issue: I am unable to from a server on the 10.1.2.0/24 network to '172.20.1.154' (I can of course ping from the '10.1.202.0/24' netowrk behind the ASA to '172.20.1.154')

    I am wondering if I missed something, or is it possible that the other side, having those two NAT IPs, is messing something up with the routing?  Maybe the packets from 10.1.2.0/24 are reaching '172.20.1.154', but the return path is trying to go back over the '172.21.4.97' gateway?  I have a continuous ping going and have asked the tech on the other side to see if they see any packets coming from me, but they have not yet replied.

    I just wanted to post my config here to see if there is anything obvious (to you) that I might have missed?

    Thanks for you insight! :-)


Log in to reply