Netgate Discussion Forum

    NAT over routed VTI

    IPsec
    7 Posts 3 Posters 1.5k Views
    • under_tow

      Hello

      I am having a similar issue to the post below (which got no responses); I have this working with other router vendors, JunOS, IOS, etc.:
      https://forum.netgate.com/topic/143038/alternate-address-nat-for-ipsec-vti

      I am trying outbound NATing to the VTI address; some more info:

      Side A, Openswan:
      Public: 1.1.1.1
      LAN: 10.6.0.0/24

      Side B pfSense:
      Public: 2.2.2.2
      LAN: 192.168.1.0/24
      vti local: 10.6.0.2/24
      vti remote: 10.6.0.1/24

      IPsec SA phase 1/2 come up with no issues and the VTI interfaces can ping each other, but I cannot get traffic from the pfSense LAN 192.168.1.0/24 to NAT to the VTI interface 10.6.0.2 and go over the tunnel. Tried outbound NAT and different firewall rules; have not added any routes, as that should not be necessary. Long story, but the setup requires the private LANs to NAT to the VTI interface to connect to a device on the remote side.

      Any ideas? Has anyone got NAT working on VTI?

      Thanks

      • Derelict (LAYER 8, Netgate)

        Based on what you are posting, the VTI addresses should be distinct from the Side A LAN and over those you should route to 10.6.0.0/24.

        At a minimum I would expect you would need a route for 10.6.0.0/24 to 10.6.0.1.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • under_tow
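A way to check Derelict's point against the addresses in the first post, as an added example that is not code from the thread, from pfSense or from Openswan. It models each side's LAN, VTI address and static routes with the standard library only, flags a VTI subnet that sits inside a LAN, and traces where the forward packet and the reply of one NATed flow would be routed; the hosts 192.168.1.10 and 10.6.0.50 and the alternative transfer net 10.255.255.0/30 are assumptions for the illustration:

```python
"""Check the tunnel/LAN addressing posted in the thread and trace one NATed flow.
Added example, not pfSense or Netgate code. Hosts 192.168.1.10 and 10.6.0.50 and
the alternative transfer net 10.255.255.0/30 are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Router:
    """One tunnel endpoint: its LAN, its VTI interface address, optional static routes."""
    name: str
    lan: Net
    vti: ipaddress.IPv4Interface
    static_routes: Dict[Net, Addr] = field(default_factory=dict)

    def lookup(self, dst: Addr) -> List[Tuple[Net, str]]:
        """Longest-prefix match over connected and static routes. Returns every
        route tied at the winning prefix length, so an ambiguity stays visible."""
        table = [(self.lan, "LAN"), (self.vti.network, "VTI")]
        table += [(net, f"via {nh}") for net, nh in self.static_routes.items()]
        hits = [(net, via) for net, via in table if dst in net]
        if not hits:
            return []
        best = max(net.prefixlen for net, _ in hits)
        return [(net, via) for net, via in hits if net.prefixlen == best]


def vti_overlaps(a: Router, b: Router) -> List[str]:
    """A VTI subnet inside either LAN gives that side two connected routes for the
    same prefix (and makes LAN hosts treat the far VTI address as on-link)."""
    return [f"{r.name}: VTI {r.vti.network} overlaps {o.name} LAN {o.lan}"
            for r in (a, b) for o in (a, b) if r.vti.network.overlaps(o.lan)]


def audit(pfsense: Router, remote: Router,
          src: str = "192.168.1.10", dst: str = "10.6.0.50") -> Dict[str, object]:
    """Outbound NAT on the VTI rewrites src to the pfSense VTI address; then ask
    each side's routing table where the forward packet and the reply go."""
    nat_src = pfsense.vti.ip
    fwd = pfsense.lookup(Addr(dst))
    back = remote.lookup(nat_src)
    return {
        "overlaps": vti_overlaps(pfsense, remote),
        "nat_src": str(nat_src),
        "forward": fwd,
        "forward_ok": len(fwd) == 1 and fwd[0][1] != "LAN",
        "return": back,
        # the reply is addressed to the VTI address, so it must be on-link on the VTI
        "return_ok": len(back) == 1 and back[0][1] == "VTI",
    }


def posted_topology() -> Tuple[Router, Router]:
    """Addresses exactly as posted: /24 VTI addresses drawn from Side A's LAN."""
    a = Router("Side A (Openswan)", Net("10.6.0.0/24"), ipaddress.IPv4Interface("10.6.0.1/24"))
    b = Router("Side B (pfSense)", Net("192.168.1.0/24"), ipaddress.IPv4Interface("10.6.0.2/24"))
    return a, b


def fixed_topology() -> Tuple[Router, Router]:
    """Assumed fix: a distinct /30 transfer net plus a static route on pfSense for
    10.6.0.0/24 via the far VTI address. Side A needs no route for 192.168.1.0/24,
    because NAT hides that LAN behind 10.255.255.2, which is on-link for it."""
    a = Router("Side A (Openswan)", Net("10.6.0.0/24"), ipaddress.IPv4Interface("10.255.255.1/30"))
    b = Router("Side B (pfSense)", Net("192.168.1.0/24"), ipaddress.IPv4Interface("10.255.255.2/30"),
               {Net("10.6.0.0/24"): Addr("10.255.255.1")})
    return a, b


def report(label: str, a: Router, b: Router) -> None:
    r = audit(b, a)
    print(f"== {label}")
    for p in r["overlaps"]:
        print("  overlap:", p)
    print(f"  forward: {r['forward']} ok={r['forward_ok']}")
    print(f"  reply to {r['nat_src']} on Side A: {r['return']} ok={r['return_ok']}")


if __name__ == "__main__":
    report("as posted", *posted_topology())
    report("distinct transfer net", *fixed_topology())
```

With the posted addresses the forward packet leaves over the VTI, but Side A's lookup for the NATed source 10.6.0.2 ties between its LAN and its VTI (both 10.6.0.0/24), so which way the reply goes is up to the implementation; with a separate transfer net and the one static route Derelict mentions, both lookups have a single answer.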

          Just an update: it appears that outbound NAT with a routed VTI interface is working properly to get NAT'd packets to the remote side (confirmed with tcpdump), but the return packets seem to be dropped by hidden, unlabelled default-deny pfSense firewall rules (they don't appear in the GUI). So I suspect that additional iptables config will be necessary, or more development on the build.

          • Derelict (LAYER 8, Netgate)

            Well, since pfSense does not use iptables, I don't know what you're referring to in this context.

            Packet capture at each hop and determine where the breakdown is.

            • gabacho4 (Rebel Alliance) @under_tow

              @under_tow I reported this back in March. https://forum.netgate.com/topic/141613/can-i-route-internet-traffic-from-site-b-through-site-a-via-ipsec-vti

              Unfortunately no resolution that I'm aware of.

              • under_tow @Derelict

                @Derelict Is there a way to look at the firewall rules from the CLI and add/delete/edit them? I'm not very familiar with pfSense, so I just assumed it was iptables.

                Thanks

                • under_tow @gabacho4
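On pfSense the loaded pf ruleset, including the default-deny rules the GUI does not list, can be read from the CLI with `pfctl -sr` (`pfctl -vvsr` adds the `@N` rule numbers and labels), NAT rules with `pfctl -sn`, the state table with `pfctl -ss`, and logged blocks with `tcpdump -nei pflog0`; the generated ruleset also sits in `/tmp/rules.debug`. The following is an added example, not code from the thread or from pfSense, of the "capture at each hop" step: it parses a rule listing and pflog lines in those formats and reports, for each drop, the rule label, whether the packet is the reply to a flow pfSense itself NATed out, and whether any pass rule on that interface and direction could have matched it. The rule text, rule numbers, the interface name ipsec1 and the Side A host 10.6.0.50 are constructed for the illustration:

```python
"""Correlate pflog drops with the loaded pf ruleset to see where a NAT-over-VTI
reply dies. Added example, not pfSense code; the listing and log lines below are
constructed in the style of `pfctl -vvsr` and `tcpdump -nei pflog0`."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the style of `pfctl -vvsr` (rule numbers, interface
# name ipsec1 and labels are assumptions, not output from the thread).
RULES = """\
@5 block drop in log inet all label "Default deny rule IPv4"
@41 pass in quick on ipsec1 inet from 10.6.0.0/24 to 192.168.1.0/24 flags S/SA keep state label "USER_RULE: Side A to LAN"
@42 pass out log quick on ipsec1 inet from any to 10.6.0.0/24 flags S/SA keep state label "USER_RULE: LAN out over VTI"
"""

# Constructed sample in the style of `tcpdump -nei pflog0` for the flow in the
# thread: a pfSense LAN host NATed to the VTI address 10.6.0.2 talking to an
# assumed Side A host 10.6.0.50 on port 22, plus one unrelated WAN probe.
PFLOG = """\
00:00:01.000100 rule 42/0(match): pass out on ipsec1: 10.6.0.2.51234 > 10.6.0.50.22: Flags [S], seq 100, win 65535, length 0
00:00:01.020300 rule 5/0(match): block in on ipsec1: 10.6.0.50.22 > 10.6.0.2.51234: Flags [S.], seq 200, ack 101, win 65535, length 0
00:00:05.000000 rule 5/0(match): block in on em0: 203.0.113.9.4444 > 2.2.2.2.22: Flags [S], seq 1, win 1024, length 0
"""

RULE_RE = re.compile(
    r'^@(?P<num>\d+)\s+(?P<action>pass|block)(?:\s+drop)?\s+(?P<dir>in|out)(?:\s+log)?(?:\s+quick)?'
    r'(?:\s+on\s+(?P<ifname>\S+))?\s+inet\s+(?:all|from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+))'
    r'.*?label\s+"(?P<label>[^"]*)"')

LOG_RE = re.compile(
    r'rule\s+(?P<rule>\d+)/\d+\((?P<reason>\w+)\):\s+(?P<action>pass|block)\s+(?P<dir>in|out)'
    r'\s+on\s+(?P<ifname>[^:]+):\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):'
    r'\s+Flags\s+\[(?P<flags>[^\]]*)\]')


def parse_rules(text: str) -> Dict[int, dict]:
    """Map rule number -> fields; src/dst are None for 'all' or an absent spec."""
    rules: Dict[int, dict] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            d = m.groupdict()
            rules[int(d.pop("num"))] = d
    return rules


def parse_pflog(text: str) -> List[dict]:
    """Extract rule number, verdict, interface, direction and 5-tuple per line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            events.append(d)
    return events


def _covers(spec, addr: str) -> bool:
    """True when a rule address spec (None / 'any' / host / CIDR) contains addr."""
    if spec in (None, "any"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def pass_rules_for(rules: Dict[int, dict], e: dict) -> List[int]:
    """Pass rules on the same interface and direction whose from/to would match
    this packet; an empty list means no rule could ever have let it through."""
    return [n for n, r in rules.items()
            if r["action"] == "pass" and r["dir"] == e["dir"]
            and r["ifname"] in (None, e["ifname"])
            and _covers(r["src"], e["src"]) and _covers(r["dst"], e["dst"])]


def explain_blocks(rules: Dict[int, dict], events: List[dict],
                   vti_addr: str, vti_if: str) -> List[dict]:
    """One finding per blocked packet. pf consults the state table before the
    rules, so a reply that reaches any rule means no state matched on that
    interface/direction; a SYN/ACK aimed at the VTI address on the VTI is such a
    reply for a flow pfSense NATed out itself."""
    findings = []
    for e in events:
        if e["action"] != "block":
            continue
        reply = (e["ifname"] == vti_if and e["dir"] == "in"
                 and e["dst"] == vti_addr and e["flags"] == "S.")
        findings.append({
            "flow": f'{e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]} {e["dir"]} on {e["ifname"]}',
            "rule": e["rule"],
            "label": rules.get(e["rule"], {}).get("label", "(rule not in listing)"),
            "reply_to_nated_flow": reply,
            "pass_rules_that_would_match": pass_rules_for(rules, e),
        })
    return findings


if __name__ == "__main__":
    for f in explain_blocks(parse_rules(RULES), parse_pflog(PFLOG), "10.6.0.2", "ipsec1"):
        print(f)
```

In the constructed sample the SYN/ACK from 10.6.0.50 to the VTI address lands on the default deny rule, no state covered it, and the only inbound pass rule on ipsec1 is written "to 192.168.1.0/24", which the NATed reply (destined to 10.6.0.2) never matches. When a real capture shows that pattern, the next things to look at are `pfctl -ss` for the state the outbound packet created and the interface it is bound to, and whether the inbound rule on the IPsec interface allows traffic to the VTI address rather than only to the LAN.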

                  Thanks, similar issues. GRE over IPsec could work, but that's too many changes in our application for now.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.