    Port Forwarding over IPsec ?

      Kris 0:

      I have two sites, Site 1 (Main) and Site 2 (Remote tower location).
      Both are pfSense 2.6, and the IPsec VTI connection is working between the sites.
      I need an outside port to reach some equipment at Site 2.
      Site 2 is behind a customer firewall to which I have no firewall access.
      I want to forward a port from Site 1 thru the Tunnel to Site 2.
      I have tried several options, and I'm missing the critical return path.

      I have tried port forwarding at Site 1 to the address I want to serve at Site 2 ... I can look at the packet capture on Site 2 LAN and see the packet come in, and the device response going back out.
      The problem is the address in the response packet is the real destination, not a NAT address that will get the response back to Site 1 to be sent out to the internet from the Site 1 address.
      I have tried, but not getting the response back correctly to Site 1.

      Could someone lend their expertise and describe this process or point me to the documentation that explains how to allow this to work.

      Thank You,
      Kris

        viragomann @Kris 0:

        @kris-0 said in Port Forwarding over IPsec ?:

        The problem is the address in the response packet is the real destination

        Should also work with that, but there are some requirements to obey at least at Site 2:

        • All IPSec tunnels have to be VTI

        • Ensure that in the IPSec Advanced Settings the IPsec Filter Mode is set to "Filter IPsec VTI and Transport on assigned interfaces, block all tunnel mode traffic".

        • Also you have to assign an interface to the IPSec tunnel and define a rule allowing the incoming traffic from the remote site.

        Otherwise you should masquerade the traffic on the IPsec interface at Site 1.

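        The two return-path arrangements described in that reply, written out as a hand-made pf.conf fragment for illustration (this is not pfSense's generated ruleset, and the interface names, addresses and port are assumptions, not values from the thread):

```pf
# Constructed pf.conf fragment for Site 1 (Main). Interface names, addresses
# and the port are assumptions, not values from the thread.
ext_if     = "em0"         # Site 1 WAN
vti_if     = "ipsec1"      # Site 1 end of the VTI to Site 2
site2_host = "10.2.0.50"   # equipment at Site 2 behind the customer firewall
svc_port   = "8443"

# Port forward: outside port on the Site 1 WAN -> device at Site 2. The
# forwarded packet reaches Site 2 over the VTI because Site 1 routes
# 10.2.0.0/24 through $vti_if.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $svc_port \
    -> $site2_host port $svc_port
pass in on $ext_if inet proto tcp from any to $site2_host port $svc_port

# Return path, option A (what fixed the thread): no NAT toward Site 2.
# Site 2 must run with IPsec Filter Mode "Filter IPsec VTI and Transport on
# assigned interfaces, block all tunnel mode traffic", have the VTI assigned
# as an interface, and carry a pass rule on that interface. In pf terms the
# Site 2 rule amounts to (10.255.0.1 = assumed Site 1 VTI address):
#
#   pass in on ipsec1 reply-to (ipsec1 10.255.0.1) inet proto tcp \
#       from any to 10.2.0.50 port 8443
#
# reply-to pins the reply half of that state to the VTI, so the device's
# answer is sent back to Site 1 instead of following Site 2's default route
# out through the customer firewall.

# Return path, option B (the alternative named in the reply): masquerade
# toward Site 2 on the VTI at Site 1, so the device only ever sees the tunnel
# address and its replies cannot leave by any other path.
nat on $vti_if inet proto tcp from any to $site2_host port $svc_port \
    -> ($vti_if)
```

        Option B hides the real client address from the Site 2 device and its logs, while option A preserves it, which matters if you later need to audit who reached the equipment.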
          Kris 0:

          Problem Solved !!
          Thank you viragomann that change to the IPsec Filter Mode did the trick.
          Everything works perfectly.

          Note to anyone reading this. I did have a second VPN to the site 2 that I had not mentioned in my explanation and after reading "All IPsec tunnels have to be VTI" I changed that to a VTI also. I also made the assignment of the IPsec tunnel rule to any / any and my forwarded port from site 1 began working to site 2 as soon as I changed the IPsec Filter Mode.

            meluvalli @viragomann:

            @viragomann Just wanted to thank you! This was something I had been trying to do as well and solved my problem!
