4. NAT Before IPSEC Issue

NAT Before IPSEC Issue

  • E

    I have a pfsense box setup in azure that I use as an ipsec termination box. It has an active ipsec tunnel that, when on the pfsense cli, can reach all of the services on the other end of the tunnel. The problem lies with the inbound traffic from the "WAN" interface (labeled AZURE in the diagram). There is an outbound nat on the LAN so that any traffic destined for the tunnel network on the remote end, get's NATd's to the LANs interface IP. In the below screen cap of the states, you can see the external connection come in, get translated, traverse the tunnel, and get replies but the replies don't go back across the existing nat.

    States during test:
    8ca25e37-7aa9-d43fc-b567-3ebd29471236-image.png

    Source: 10.8.2.254
    Destination: 192.94.107.32

    Network diag:
    f46c97f6-7a1c-4de7-ab87-698b9da8320a-image.png

    I have tried a packet capture on the 3 interfaces. I see the requests and replys on the ipsec interface as the state table indicates. I see the pings coming in on the AZURE interface and no replys but what is really peculiars is that with no filters, there are 0 packets on the LAN interface. There is nothing in the firewalls indicating and blocks and both ipsec and LAN interfaces have allow IPv4 any/any.

    Something seems to be blocking the response from responding symmetrically on the already existing states once it leaves the ipsec interface. Any thoughts?

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy