IPSEC with outbound NAT + 1:1 NAT

  • I have 2 sites (with pfSense) connected via an IPsec tunnel:
    The tunnel works fine without SNAT/DNAT, but "shit" happens when I configure SNAT /

    Site 1:
    Machine 1:
    GW 1 (Pfsense)

    Site 2:
    GW2 (pfSense) notably has an interface
    Machine 2 :

    From Machine 1, to ping Machine 2 on this interface, I ping

    I use DNAT
    1:1 NAT to translate to

    I use SNAT (outbound NAT) to translate to the GW interface on the right LAN.

    What happens:

    Packets get routed from Machine 1 to Machine 2, I can see them, and I can see Machine 2 reply (with tcpdump).
    If I packet capture on GW 2:

    IPsec interface:

    • I see the echo request from to

    LAN interface:

    • I see the echo request AND the reply from the GW1 iface to

    WAN interface (which should do .... with my setup):

    • I see the reply from to

    Why do my reply packets go through the WAN interface instead of using the normal route?

    • WAN is indeed set up as the default GW, but I assume it knows from the phase 2 / encryption domain how to define a correct return route? No?
    • I don't have any static rules.
    • I've set the FW to allow all by default.

    Any clues?

  • A few complements (I haven't solved the issue)
    I see the following states:

    vtnet4 icmp ( -> 0:0
    enc0 icmp ( <- 0:0

    where enc0 is IPsec, I assume,
    and vtnet4 is the LAN interface.

    This issue is driving me mad; I can provide schemes and answer anyone willing to help.

