    P2 NAT/BINAT not translating

    IPsec
    Danb:

      Hello,
      I have what seems like a simple NAT setup for a P2 IPSec tunnel but it is not translating. The tunnel is up and the far end, a Cisco, is seeing the original source address not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT trans is 192.168.171.1, Remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address but I believe that is expected.

      Sample traffic from tcpdump.
      10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

      Any ideas why this is not working as expected?

      Thanks

    Danb:

        SPDs
        Source          Destination     Direction   Protocol   Tunnel Endpoints
        10.0.11.0/24    10.1.20.0/24    Outbound    ESP        10.0.1.144 -> xx.60.84.3
        10.1.20.0/24    192.168.171.1   Inbound     ESP        xx.60.84.3 -> 10.0.1.144

        Danb:

          I have narrowed the Local network and the NAT address down to just /32 addresses and it is still not working.

          Connections:
                  con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
                  con2:   local:  [xx.27.114.190] uses pre-shared key authentication
                  con2:   remote: [xx.60.84.3] uses pre-shared key authentication
                  con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
          Routed Connections:
                  con2{11}:  ROUTED, TUNNEL, reqid 2
                  con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
          Security Associations (2 up, 0 connecting):
          
                  con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
                  con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
                  con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
                  con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
                  con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
                  con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
          Derelict (Netgate):

            The firewall service is disabled and no NAT is configured.

            What, exactly, does this mean?

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Danb:

              In System > Advanced > Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
              In Firewall, NAT there are not any NAT definitions for any of the 4 sections other than the autocreated ones for ISAKMP.

              The only NAT is the NAT/BINAT setup in the IPSec tunnel config.

              Derelict (Netgate):

                OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too just like that warning states.

                Danb:

                  Thank you that resolved it. I didn't realize the IPSec NAT and the firewall NAT were the same. Thanks again.
