NAT still broken on IPSEC VTI?

  • Re: IPSEC VTI Tunnels

    My new pfSense deployment has a requirement for NAT on an IPsec VTI and form everything I am searching/reading, this is still a no go. The left/right patch has been implemented in stable release so that is good.

    I need to NAT to a single IP and I have tried to set it to the Local Subnet field because it is stated that NAT works to interface address. However, I am still failing to get traffic back to the LAN.

    It has been over 2 years from most of the posts I have read about this. Is there any new information or workarounds?

    @jimp Do you know if this is fixed in FreeBSD 12?

    I think I am out of options here. This is the one thing holding me back from being able to switch from EdgeRouter where things have been working in production for years.

    Thanks for any help.

  • Rebel Alliance Developer Netgate

    It's still broken in FreeBSD, last I tried it, even on FreeBSD 12.x.

  • Thanks for the quick reply @jimp . I guess I can stop looking for native solutions. I was thinking about trying 2.5.0 builds and/or the newly released opnsense 20.7 but, it looks like another dead end.

    I will be trying to see if the other end (fortigate) can NAT me instead.

    I was also thinking about using VyOS behind pfSense just for the VTI. Do you have any thoughts on this? I am sure I can get the VTI/NAT config working as it should be almost 1:1 port from my EdgeRouter. However, I am not sure about getting everything routed with it being behind pfSense and I'm worried this will eat up too many hours of my time. I could really use some type of example/guide with a s2s vpn appliance behind pfsense.


  • @jimp , Since you pointed me to FreeBSD, I went over to their forum to post about this. They were surprised at my bug and stated it was working. Later they figured out it was specific to pfSense implementation. Please see post here:(

    They provided a workaround with the following commands:
    sysctl net.enc.out.ipsec_filter_mask:0

    sysctl net.inet.ipsec.filtertunnel:1
    sysctl net.inet6.ipsec6.filtertunnel:1

    I have successfully tested this in my scenario. The only problem is that it breaks Policy-Based VPN. Unfortunately I have another connection which is now broken so I have more rabbit holes to explore.

    Jimp, is there a possibility of adding this to pfS now? Most other products support this and we are required to have NAT/IPsec by one of the largest ISPs in the world.


  • Rebel Alliance Developer Netgate

    We're aware of that workaround, but if it breaks policy-based VPNs it's not a viable workaround since both must coexist.

    It's not specific to pfSense, but to the case where you need both at once.

  • Is this being worked on or even looked into? To me this is a major flaw and a complete show stopper. My plan was to switch from EdgeRouter to pfS but if industry standard IPsec features are not working in my testing, I cannot purchase Netgate hardware for our offices.

    Would you be able to point me in the direction of how to use a pfS as VPN only behind a pfS main router? I wouldn't mind setting up dedicated pfS boxes for just the VTI tunnels.

    Thanks for the help.

  • Rebel Alliance Developer Netgate

    It's still a problem in FreeBSD, not pfSense.

    We can try looking into it eventually, as we do employ several FreeBSD developers, but there is no ETA on when we may be able to dedicate resources to that.

    I don't know that we have any tutorials for a dedicated VPN router behind another firewall in the docs. It's been discussed on the forum before, search around a bit and you'll probably find it. Mostly it's about (a) routing traffic for the VPN destination to the other router, and (b) ensuring that VPN router can connect its VPN. Works best if the dedicated router is hanging off another interface without other clients/servers (like a dedicated "WAN" through which VPN traffic will be routed). You can also easily do NAT/filtering at that point if you like.

  • @jimp

    But does outbound NAT to the IPsec interface address work without any problems? It's not working for me.