1:1 Nat over IPSec - no networks found



  • 10.0.0.175 (1:1Nat) 10.17.2.6
    10.0.0.176 (1:1Nat) 10.17.2.5
    My network is 10.0.0.0/24
    pfSense firewall

    —established IPSec VPN —

    CiscoASA
    10.3.0.5 (1:1Nat) 10.17.2.6
    10.3.0.6 (1:1Nat) 10.17.2.6
    Remote network is 10.3.0.0/24

    All IPSec firewall rules on my end are any any for testing

    Outbound NAT is working, set up by default. 10.0.0.175 and 10.0.0.176 are using the pfSense LAN as gateway and have internet access.

    Problem

    Although the IPSec tunnel is connected and the logs look clean with no errors, pfSense on my end cannot ping or see any hosts on the other side.

    Test

    Ping from 10.0.0.175 to 10.17.1.5
    tcpdump looking at ICMP shows pings going out to the internet and timing out. Doesn’t look like it’s using the tunnel. Seems obvious to me since there’s no routing to 10.17.1.5, which is my next point.

    I’ve set up IPSec tunnels between two Cisco devices and either a routing protocol or static routes were needed, otherwise the gateway doesn’t know where it is.

    I checked the routing table on the pfSense and it doesn’t show anything about the remote network of 10.17.1.0, which makes sense why the pings are heading to the moon.

    Tried setting up a static route, but the only options are LAN and WAN, which obviously isn’t the answer, so I thought I’d make a gateway on the other side of the tunnel for destination networks, but basically routing is pointless when the gateway (my pfSense) can’t even see the networks anyway.

    I’m missing something and it seems silly. I can send config pics or logs as needed. Any help is appreciated. Thanks



  • Figured it out! It was a mixup in the IPs configured in the Phase 2 network settings, when using the BINAT feature.
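The thread turns on a point worth seeing in code: pfSense's tunnel-mode IPsec is policy-based, so the Phase 2 selectors (with BINAT applied to the local address) decide what enters the tunnel, and the routing table never learns the remote subnet. A packet that matches no Phase 2 pair simply follows the default route out the WAN, which is exactly the tcpdump symptom above. The model below is an added example, not pfSense code or its real policy engine; the per-host 1:1 entries mirror the post, while the remote subnet 10.17.1.0/24, the mistyped 10.17.3.0/24 and the gateway names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry (a traffic-selector pair). Constructed model."""
    local_net: str            # real local subnet/host behind this firewall
    binat_net: Optional[str]  # address the peer sees for local_net (None = no BINAT)
    remote_net: str           # peer subnet as presented to this side

def binat_translate(src, local_net, binat_net):
    """1:1 BINAT: keep the host offset inside local_net, rebase it onto binat_net."""
    offset = int(src) - int(local_net.network_address)
    return ipaddress.IPv4Address(int(binat_net.network_address) + offset)

def select_path(src_ip, dst_ip, phase2_entries, routing_table, default_gw):
    """Return ("ipsec", translated_src, remote_net) if a Phase 2 selector matches,
    else ("route", next_hop, None) from longest-prefix match / default route."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    # Policy lookup comes first: the SPD is consulted before the routing table.
    for p2 in phase2_entries:
        local = ipaddress.IPv4Network(p2.local_net)
        remote = ipaddress.IPv4Network(p2.remote_net)
        if src in local and dst in remote:
            sel_src = src
            if p2.binat_net:
                sel_src = binat_translate(src, local, ipaddress.IPv4Network(p2.binat_net))
            return ("ipsec", str(sel_src), p2.remote_net)
    # No selector matched: ordinary routing. Note the table has no tunnel entry.
    best = None
    for net, gw in routing_table:
        n = ipaddress.IPv4Network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return ("route", best[1] if best else default_gw, None)

# Constructed routing table: only LAN and the default route, as in the post.
ROUTES = [("10.0.0.0/24", "lan-direct"), ("0.0.0.0/0", "wan-gw")]

# Per-host 1:1 BINAT entries taken from the post; remote subnet is an assumption.
CORRECT_P2 = [
    Phase2("10.0.0.175/32", "10.17.2.6/32", "10.17.1.0/24"),
    Phase2("10.0.0.176/32", "10.17.2.5/32", "10.17.1.0/24"),
]

# Same entries with a mistyped remote network (constructed) to show the failure.
MISTYPED_P2 = [
    Phase2("10.0.0.175/32", "10.17.2.6/32", "10.17.3.0/24"),
    Phase2("10.0.0.176/32", "10.17.2.5/32", "10.17.3.0/24"),
]

def demo():
    good = select_path("10.0.0.175", "10.17.1.5", CORRECT_P2, ROUTES, "wan-gw")
    bad = select_path("10.0.0.175", "10.17.1.5", MISTYPED_P2, ROUTES, "wan-gw")
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("correct Phase 2 :", good)   # enters the tunnel as 10.17.2.6
    print("mistyped Phase 2:", bad)    # falls through to the WAN default route
```

The useful check is that the routing table is identical in both runs: the absence of a route to 10.17.1.0/24 is normal for policy-based IPsec and is not the bug. When a ping leaves via the WAN instead of the tunnel, the thing to compare is the Phase 2 local/BINAT/remote triple on each side, not the routes.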