ipsec tunnel with nat at 1 site



  • Hello,
    I have the following issue with a Site-to-Site VPN Tunnel
    2 sites have hardware-based pfSense boxes with version 2.4.4 (up to date)
    Site A:
    WAN IP: 10.0.0.2 (between the modem and the WAN port of pfSense is a router/firewall from the ISP, which does static NAT to 10.0.0.2 and has IP 10.0.0.1 at its LAN port)
    LAN IP 1: 192.168.10.14 (for LAN) - with DHCP (192.168.10.2 - 192.168.10.254) - named LAN
    LAN IP 2: 192.168.11.14 (for voice) - no DHCP; done by another device (PBX) - named VOICE
    Site B:
    WAN IP: xxx.xxx.xxx.xxx (direct IP from modem)
    LAN IP: 192.168.50.14 (for LAN) - with DHCP (192.168.50.16 - 192.168.50.59) - named LAN
    LAN IP 2: 192.168.51.14 (for VOICE) - with DHCP (192.168.51.50 - 192.168.51.149) - named VOICE


    IPSEC SETTINGS


    Site A
    Phase 1
    IKEv2
    IPv4
    Interface WAN
    Remote Gateway: WAN IP of pfSense WAN port (directly on modem)
    P1 Protocol AES256-GCM (128 bits)
    P1 Transform SHA512
    P1 DH-Group: 16 (4096)
    Mutual PSK set and checked
    My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B
    Peer Identifier: IP address: manually set to WAN IP of pfSense WAN port
    DPD enabled
    Phase 2
    Mode tunnel
    Local network | type: network | address: 192.168.11.0/23
    NAT/BINAT translation | type: address | address: 10.0.0.2
    Remote network | type: network | address: 192.168.51.0/23
    P2 Protocol ESP
    P2 Transforms AES256-GCM (128 bits)
    P2 Auth SHA256


    Site B
    Phase 1
    IKEv2
    IPv4
    Interface WAN
    Remote Gateway: WAN IP of Router/Firewall of ISP
    P1 Protocol AES256-GCM (128 bits)
    P1 Transform SHA512
    P1 DH-Group: 16 (4096)
    Mutual PSK set and checked
    My Identifier: My IP address
    Peer Identifier: Peer IP address
    DPD enabled
    Phase 2
    Mode tunnel
    Local network | type: network | address: 192.168.51.0/23
    NAT/BINAT translation | none
    Remote network | type: network | address: 192.168.11.0/23
    P2 Protocol ESP
    P2 Transforms AES256-GCM (128 bits)
    P2 Auth SHA256



    In the IPsec overview I see
    con2000: #4 brandytoflex WANIP-SITEB WANIP-SITEB WANIP-ATISPMODEM-SITEA WANIP-ATISPMODEM-SITEA NAT-T IKEv2
    initiator 23970 seconds (06:39:30) AES_GCM_16 PRF_HMAC_SHA2_512 MODP_4096 ESTABLISHED 3518 seconds (00:58:38) ago
    In the firewall I made a rule on the IPsec page
    to allow any traffic from any source at any port going to any destination on any gateway.
    BUT, when I try to ping from a computer in the network of Site A to a server in the network of Site B, the packet is lost; however, I see in the logs of the pfSense on the IPsec page:
    14[NET] <con2000|4> received packet: from WANIP-ATISPMODEM-SITEA[4500] to WANIP-SITEB[4500] (57 bytes)
    14[NET] <con2000|4> sending packet: from WANIP-SITEB[4500] to WANIP-ATISPMODEM-SITEA[4500] (57 bytes)


    THE Question:
    What am I doing wrong? Because right now no traffic is possible (no ping, no voice, nothing) between Site A and Site B.
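Below is an added example, not part of the original post and not pfSense code, that transcribes the two Phase 1 / Phase 2 definitions above into plain dictionaries and checks the things that must agree between the two ends of an IKEv2 tunnel: matching proposals, each side's "My Identifier" being what the other side expects as "Peer Identifier", and each side's announced Phase 2 network (the NAT/BINAT translation when one is set, otherwise the local network) being what the peer has configured as its remote network. The Site B public IP and the public side of the ISP router in front of Site A are redacted in the post, so both are constructed placeholders; Site A's "My Identifier" is entered as the other side's WAN IP, as the post describes it.

```python
"""Consistency checker for the two-site pfSense IPsec definition quoted above.
Added example; the site values come from the post, the two public IPs are
constructed placeholders because the post redacts them."""
import copy
import ipaddress

# Constructed placeholders for the two public addresses the post redacts.
SITE_B_PUBLIC = "198.51.100.20"     # Site B pfSense WAN IP (post: xxx.xxx.xxx.xxx)
SITE_A_ISP_PUBLIC = "203.0.113.10"  # public side of the ISP router in front of Site A

SITE_A = {
    "name": "Site A",
    "p1": {
        "version": "ikev2", "encryption": "aes256gcm128", "prf": "sha512", "dh_group": 16,
        "remote_gateway": SITE_B_PUBLIC,
        "my_id": SITE_B_PUBLIC,        # as written in the post: the other side's WAN IP
        "peer_id": SITE_B_PUBLIC,
    },
    "p2": {
        "local": "192.168.11.0/23",    # host bits set; normalised to 192.168.10.0/23 below
        "nat_binat": "10.0.0.2",       # NAT/BINAT translation, type: address
        "remote": "192.168.51.0/23",
        "encryption": "aes256gcm128", "auth": "sha256",
    },
}

SITE_B = {
    "name": "Site B",
    "p1": {
        "version": "ikev2", "encryption": "aes256gcm128", "prf": "sha512", "dh_group": 16,
        "remote_gateway": SITE_A_ISP_PUBLIC,
        "my_id": SITE_B_PUBLIC,        # "My IP address"
        "peer_id": SITE_A_ISP_PUBLIC,  # "Peer IP address" = the configured remote gateway
    },
    "p2": {
        "local": "192.168.51.0/23",
        "nat_binat": None,
        "remote": "192.168.11.0/23",
        "encryption": "aes256gcm128", "auth": "sha256",
    },
}


def presented_selector(p2):
    """Network a side announces to its peer in Phase 2: the NAT/BINAT
    translation if one is set, otherwise the untranslated local network.
    A bare address becomes a /32; a prefix with host bits set is normalised."""
    src = p2["nat_binat"] if p2["nat_binat"] else p2["local"]
    return ipaddress.ip_network(src, strict=False)


def check_phase1(a, b):
    """Return human-readable findings for everything in Phase 1 that disagrees."""
    findings = []
    for key in ("version", "encryption", "prf", "dh_group"):
        if a["p1"][key] != b["p1"][key]:
            findings.append(f"P1 {key} mismatch: {a['name']}={a['p1'][key]} "
                            f"{b['name']}={b['p1'][key]}")
    # The identifier one side sends must be the identifier the other side expects.
    for me, peer in ((a, b), (b, a)):
        if me["p1"]["my_id"] != peer["p1"]["peer_id"]:
            findings.append(f"{me['name']} sends identifier {me['p1']['my_id']} but "
                            f"{peer['name']} expects {peer['p1']['peer_id']}")
        if me["p1"]["my_id"] == me["p1"]["peer_id"]:
            findings.append(f"{me['name']}: my identifier and peer identifier are the same value")
    return findings


def check_phase2(a, b):
    """Return findings for Phase 2: proposal mismatch or traffic selectors that
    do not line up once NAT/BINAT translation is taken into account."""
    findings = []
    for key in ("encryption", "auth"):
        if a["p2"][key] != b["p2"][key]:
            findings.append(f"P2 {key} mismatch: {a['name']}={a['p2'][key]} "
                            f"{b['name']}={b['p2'][key]}")
    for me, peer in ((a, b), (b, a)):
        sent = presented_selector(me["p2"])
        expected = ipaddress.ip_network(peer["p2"]["remote"], strict=False)
        if sent != expected:
            findings.append(f"{me['name']} presents {sent} as its local network but "
                            f"{peer['name']} has remote network {expected}")
    return findings


def consistent_variant(a, b):
    """One configuration that satisfies every rule above: Site A identifies
    itself as what Site B expects, and Site B's remote network is whatever
    Site A actually presents after translation. This shows what the rules
    require, not necessarily the design the original poster intends."""
    fa, fb = copy.deepcopy(a), copy.deepcopy(b)
    fa["p1"]["my_id"] = fb["p1"]["peer_id"]
    fb["p2"]["remote"] = str(presented_selector(fa["p2"]))
    return fa, fb


if __name__ == "__main__":
    for finding in check_phase1(SITE_A, SITE_B) + check_phase2(SITE_A, SITE_B):
        print("FINDING:", finding)
    fixed_a, fixed_b = consistent_variant(SITE_A, SITE_B)
    print("consistent variant findings:", check_phase1(fixed_a, fixed_b) + check_phase2(fixed_a, fixed_b))
```

Run as-is it reports three findings against the posted values: Site A's identifier is not what Site B expects, Site A's own identifier equals its peer identifier, and Site A presents 10.0.0.2/32 (the translation) while Site B's remote network is 192.168.10.0/23. The same checks come back empty for the variant produced by `consistent_variant`, which is only one way to satisfy them; whether a single translated address or a full network should be presented is a design decision the post does not settle.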


  • Netgate

    @godfried84 said in ipsec tunnel with nat at 1 site:

    Site A
    Phase 1
    My Identifier: IP address: manually set to WAN IP of Router/Firewall of ISP site B

    Why would you set my identifier to be the IP address of the other side?