Returning IPSec traffic and NAT
-
Hi there,
I have configured Site-to-Site (S2S) IPSec between two pfSenses. I'm using the NAT option in the IPSec Phase 2 settings on both sides. The tunnel is UP. When I try to ping from client A to client B, on B's pfSense I can see the ICMP packets (packet capture on the IPSec interface).
10.100.1.100 (Client A)
10.200.1.1 (Client B) = This is the NAT address of the web server; its actual IP address is 10.10.10.104.
23:21:21.366303 (authentic,confidential): SPI 0xc39392e6: IP 10.100.1.100 > 10.200.1.1: ICMP echo request, id 24034, seq 3651, length 64
23:21:22.392092 (authentic,confidential): SPI 0xc39392e6: IP 10.100.1.100 > 10.200.1.1: ICMP echo request, id 24034, seq 3652, length 64
When I do a packet capture on the LAN interface, I don't see any traffic. I have tried several NAT rules but with no desired effect. I hope someone can guide me on how to resolve this.
Thanks & Regards,
Sam
-
@samsaul Did you add rules in the Firewall/IPSec tab on both sides to allow traffic? Try IKEv2 rather than NAT if it is a Windows environment.
https://docs.netgate.com/pfsense/en/latest/recipes/l2tp-ipsec.html
-
Hi @cswroe, thanks for your reply. I have already added the rules under Firewall/IPSec tab. It's not a Windows environment but I'm using IKEv2 on both sides.
I can't find information about the traffic in IPSec tunnel where endpoints are using their NAT addresses. Where and when is the un-NATing taking place?
Thanks & Regards,
Sam
-
Are the networks in the same subnet? Really the only thing I can think of. I am guessing you reviewed this: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html
-
Hi @cswroe,
Yes, I created the Site-to-Site IPSec with NAT'ing using this link. The tunnel is UP together with Phase 2. I can also see traffic from Site A to Site B. When it enters Site B and I do a packet capture, I can see the NAT IP addresses.
Thanks & Regards,
Sam
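A small diagnostic added here as an example (not part of the thread and not pfSense's own code): it parses the two IPSec-interface capture lines quoted above and applies a hypothetical 1:1 Phase 2 NAT mapping of 10.200.1.1 to 10.10.10.104, so you can see which destination address a LAN-side capture should show once the reverse translation has been applied, and which packets have no mapping at all.

```python
import ipaddress
import re

# Constructed sample: the two lines captured on site B's IPsec interface, as quoted in the thread.
CAPTURE = """\
23:21:21.366303 (authentic,confidential): SPI 0xc39392e6: IP 10.100.1.100 > 10.200.1.1: ICMP echo request, id 24034, seq 3651, length 64
23:21:22.392092 (authentic,confidential): SPI 0xc39392e6: IP 10.100.1.100 > 10.200.1.1: ICMP echo request, id 24034, seq 3652, length 64
"""

# tcpdump line format as printed for ESP-decrypted traffic on the enc interface.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \(authentic,confidential\): SPI (?P<spi>0x[0-9a-f]+): "
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>\w+) "
)

# Hypothetical Phase 2 NAT/BINAT table for site B, built from the addresses in the
# thread: the remote site addresses the web server as 10.200.1.1, whose real LAN
# address is 10.10.10.104. Keys are the NAT-side prefix, values the real prefix.
BINAT = {
    ipaddress.ip_network("10.200.1.1/32"): ipaddress.ip_network("10.10.10.104/32"),
}


def parse_capture(text):
    """Extract SPI, source, destination and protocol from each capture line."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def translate_dst(dst, binat=BINAT):
    """Reverse the 1:1 translation: NAT-side address -> real address, or None if unmapped."""
    addr = ipaddress.ip_address(dst)
    for nat_net, local_net in binat.items():
        if addr in nat_net:
            offset = int(addr) - int(nat_net.network_address)  # keep host offset in prefix
            return ipaddress.ip_address(int(local_net.network_address) + offset)
    return None


def expected_lan_packets(text, binat=BINAT):
    """For each packet on the IPsec interface, the destination a LAN capture should show."""
    rows = []
    for p in parse_capture(text):
        real = translate_dst(p["dst"], binat)
        rows.append((p["spi"], p["src"], p["dst"], str(real) if real else None))
    return rows


if __name__ == "__main__":
    for spi, src, nat_dst, real_dst in expected_lan_packets(CAPTURE):
        print(f"{spi}: {src} -> {nat_dst} should reach LAN as {src} -> {real_dst}")
```

A None in the last column means the packet's destination lies outside the configured NAT mapping, so it would never be translated onto the LAN side.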