    IPSec NAT question

    SilkBC:

      Hello,

      We are trying to get an IPSec tunnel working where the other side uses NAT.  The tunnel currently works on a Cisco ASA at a different location, but we are using pfSense at a new location.  We can get the tunnel itself (Phase 1) connected, but just can't pass traffic between the servers behind the tunnel (Phase 2).

      Here is the config from the Cisco ASA, for reference:

      TUNNEL SETTINGS:
      Local network: 10.1.204.0/24
      Remote Network: 172.20.1.154/32

      NAT SETTINGS (aliases show translated IPs in brackets for reference):
      Source Interface: inside
      Source Address: VTC_LAN (10.1.204.0/24)
      Destination Interface: Outside
      Destination Address: FHA_Domain (172.20.1.154)
      Source Address: FHA_LOCAL_Domain (172.21.4.97)

      On the pfSense, I have the following values (Phase 2):

      Local Network: 10.1.2.0/24
      Remote Network: 172.20.1.154/32 (we are only accessing a single server)

      On their side (their own ASA), they have:

      Local network: 172.20.1.154/32
      Remote Network: 172.21.4.64 (their NAT IP for this particular tunnel)

      (Their settings for the tunnel that connects to my client's ASA are the same, except the "Remote Network" is '172.21.4.97'; they wanted to make sure the current tunnel is active until we get things working with the new one).  I have verified that the Phase 2 encryption settings match on both sides (based on what they have told me).

      On the pfSense, I created an Outbound NAT rule with the following settings:

      Interface: LAN (10.1.2.1)
      Source: Network -> 10.1.2.0/24
      Destination: Network -> 172.20.1.154/32
      Address: Other Subnet -> 172.21.4.64/32

      I saved and applied the settings, I have restarted the tunnel, and have even restarted the whole pfSense, but while the Phase 1 connects, the Phase 2 is still an issue: I am unable to ping from a server on the 10.1.2.0/24 network to '172.20.1.154' (I can of course ping from the '10.1.202.0/24' network behind the ASA to '172.20.1.154').

      I am wondering if I missed something, or is it possible that the other side, having those two NAT IPs, is messing something up with the routing?  Maybe the packets from 10.1.2.0/24 are reaching '172.20.1.154', but the return path is trying to go back over the '172.21.4.97' gateway?  I have a continuous ping going and have asked the tech on the other side to see if they see any packets coming from me, but they have not yet replied.

      I just wanted to post my config here to see if there is anything obvious (to you) that I might have missed?

      Thanks for your insight! :-)

      © 2021 Rubicon Communications, LLC