4. IPSec NAT question

IPSec NAT question

  • S

    Hello,

    We are trying to get an IPSec tunnel working where the other side uses NAT.  The tunnel currently works on a CIsco ASA at a different location, but we are using pfSense at a new location.  We can get the tunnel itself (Phase 1) connected, but just can't pass traffic between the servers behind the tunnel (Phase 2).

    Here is the config from the Cisco ASA, for reference:

    
TUNNEL SETTINGS:
Local network: 10.1.204.0/24
Remote Network: 172.20.1.154/32

NAT SETTINGS (aliases show translated IPs in brackets for reference):
Source Interface: inside
Source Address: VTC_LAN (10.1.204.0/24)
Destination Interface: Outside
Destinaton Address: FHA_Domain (172.20.1.154)
Source Address: FHA_LOCAL_Domain (172.21.4.97)

    On the pfSense, I have the following values (Phase 2):

    
Local Network: 10.1.2.0/24
Remote Network: 172.20.1.154/32 (we are only accessing a single server)

    On their side (their own ASA), they have:

    
Local network: 172.20.1.154/32
Remote Network: 172.21.4.64 (their NAT IP for this particular tunnel)

    (Their settings for the tunnel that connects to my client's ASA are the same, except the "Remote Network" is '172.21.4.97'; they wanted to make sure the current tunnel is active until we get things working with the new one).  I have verified that the Phase 2 encryption settings match on both sides (based on what they have told me).

    On the pfSense, I created an Outbound NAT rule with the following settings:

    
Interface: LAN (10.1.2.1)
Source: Network -> 10.1.2.0/24
Destination: Network -> 172.20.1.154/32
Address: Other Subnet -> 172.21.4.64/32

    I saved and applied the settings, I have restarted the tunnel, and have even restarted the whole pfSense, but while the Phase 1 connects, the Phase 2 is still and issue: I am unable to from a server on the 10.1.2.0/24 network to '172.20.1.154' (I can of course ping from the '10.1.202.0/24' netowrk behind the ASA to '172.20.1.154')

    I am wondering if I missed something, or is it possible that the other side, having those two NAT IPs, is messing something up with the routing?  Maybe the packets from 10.1.2.0/24 are reaching '172.20.1.154', but the return path is trying to go back over the '172.21.4.97' gateway?  I have a continuous ping going and have asked the tech on the other side to see if they see any packets coming from me, but they have not yet replied.

    I just wanted to post my config here to see if there is anything obvious (to you) that I might have missed?

    Thanks for you insight! :-)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy