Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC with outbound NAT + 1:1 NAT

    Scheduled Pinned Locked Moved IPsec
    2 Posts 1 Posters 343 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Tiski
      last edited by

      I have 2 sites (with pfsense) connected via an ipsec tunnel:
      Tunnel works fine without SNAT/DNAT, but "shit" happens when i configure SNAT /
      DNAT.

      Site 1:
      Machine 1: 172.20.74.31
      GW 1 (Pfsense)

      Site 2:
      GW2 Pfense has notably an interface 10.45.226.1
      Machine 2 : 10.45.226.3

      From Machine 1, to ping Machine 2 on this interface, i ping 10.100.45.2

      I use DNAT
      1:1 NAT to translate 10.100.45.2 to 10.45.226.3
      b1396fe6-c9b9-4b59-989c-482011774527-image.png

      I use SNAT (outbound NAT) to translate 172.20.0.0/16 to GW Interace on the right lan.

      What happens :

      Packets get routed from Machine 1 to Machine 2, i can see them, and i can see Machine 2 reply. (with tcpdump)
      If i packet capture on GW 2 :

      Ipsec Interface :

      • I see the echo request from 172.20.74.31 to 10.100.45.2

      LAN interface:

      • I see the echo request AND the reply from GW1 Iface to 10.45.226.3

      WAN Interface (which should do .... with my setup) :

      • I see the reply from 10.100.45.2 to 172.20.74.31

      Why does my reply packets go through WAN interface instead of using the normal route.

      • WAN is indeed setup as default GW, but i assume it knows from phase2/enc domain to define a correct return route ? no ?
      • I don't have any static rules.
      • I ve set the FW in allow all by default.

      Any clues ?

      1 Reply Last reply Reply Quote 0
      • T
        Tiski
        last edited by

        Few complements (i haven't have solved the issue)
        I see the following states

        vtnet4 icmp 10.45.226.1:15026 (172.20.74.31:47548) -> 10.45.226.3:15026 0:0
        enc0 icmp 10.45.226.3:47548 (10.100.45.2:47548) <- 172.20.74.31:47548 0:0

        where enc0 is ipsec i assume
        and vtnet4 is the LAN interface.

        This issue is driving me mad, i can provide schemes, and answer to anyone willing to help.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.