No traffic in IPsec site-to-site tunnel
I have set up an IPsec site-to-site VPN using pfSense 2.4.5-p1 on my site and an unknown product on the customer site. Both phase #1 and #2 tunnels can be established, but neither pinging nor telnet checks to the remote subnet test host work. Remote IT staff made sure that the telnet and ping test connections work on their site.
I am quite sure that regarding the tunnel configuration everything has been set up correctly and I assume that sth. on my site is missing regarding NAT stuff. Anyway I will give a detailed overview about all configurations. Please ask for additionally required config details:
- Topology; basic functionality
- The pfsense is connected directly to the internet modem, the public IP is static: 22.214.171.124
- ISP's gateway address is 126.96.36.199
- There is one LAN configured on the pfSense: 192.168.6.0/23
- pfSense's LAN IP is 192.168.6.1
- There is one LAN test client with IP address 192.168.6.252/23. It is directly connected to the pfSense's LAN adapter
- Browsing the web on the client works flawlessly.
- General setup
- DNS server is public DNS 188.8.131.52
- Routing / Gateway
- The WANGW is the default gateway. I read here https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html that no additional routing configuration will be necessary if the default gateway is the same as the IPsec tunnel endpoint. So routing configuration shouldn't be an issue, should it?
- No static routes have been created, because: see above.
- NAT stuff
- No port forwarding has been created
- No 1:1 mapping has been created
- Outbound mode hasn't been changed: Setting is "Automatic outbound NAT"
- No NPt has been created
- Related to NAT stuff: No Virtual IPs have been defined.
- Firewall rules
- Test rule on LAN interface: All connections allowed (any port/protocol from any source to any destination)
- Test rule on WAN interface: All connections allowed (any port/protocol from any source to any destination)
- Test rule on IPsec interface: All connections allowed (any port/protocol from any source to any destination)
- Phase #1 configuration:
- Key Exchange version: IKEv2
- Internet Protocol: IPv4
- Interface: WAN
- Remote Gateway: 245.235.245.13
- Authentication Method: Mutual PSK
- My Identifier: My IP address
- Peer Identifier: Peer IP address
- Encryption Algorithm: AES 256bits SHA512 DH 14
- Lifetime: 28800sec
- Disable rekey: unchecked
- Margintime: blank
- Disable Reauth: unchecked
- Responder only: unchecked
- Child SA Close Action: Default
- NAT Traversal: Auto
- MOBIKE: Disable
- Split connections: checked
- Dead Peer Detection: checked
- Delay: 10
- Max failures: 5
- Phase #2 configuration (there are six more phase #2 configurations but apart from the remote subnets the settings are identical).
- Mode: Tunnel IPv4
- Local Network: Address 184.108.40.206 (YES, the remote site's administrator told me to use my pfSense's public IP address also as my local network).
- NAT/BINAT translation: Address 220.127.116.11
- Remote Network: 18.104.22.168/8 (YES, the remote partner uses public IP addresses within their subnets)
- Protocol: ESP
- Encryption Algorithms: AES 256bits SHA512 PFS key group 14
- Lifetime: 3600
Thank you for your replies!
Regarding the NAT/BINAT configuration in the phase #2 I found this one:
I think this is what matches my case:
NAT - Overload/PAT Style If the Local Network is a subnet, but the NAT/BINAT Translation address is set to a single IP address, then a 1:many NAT (PAT) translation is set up that works like an outbound NAT rule on WAN. All outbound traffic will be translated from the local network to the single IP address in the NAT field.
I think that my phase #2 configuration I posted above is clearly non-sense, isn't it? I'm talking about the translation configuration:
Local Network: Address 22.214.171.124 NAT/BINAT translation: Address 126.96.36.199
To me it would be logical to configure it this way:
Local Network: Network LAN subnet NAT/BINAT translation: Address 188.8.131.52
Reconfigured it accordingly, but still no traffic. Leaves the previous question: Do I have to configure additional NAT settings apart from the phase #2 NAT/BINAT configuration?
What is more: I found this one https://forum.netgate.com/topic/140873/solved-inbound-traffic-with-nat-binat-translation-via-ipsec where it is claimed that not the site using a single IP address but the partner site has to configure NAT/BINAT settings. Now I'm rather confused.