Cannot establish connection on two-way comms like SSH on Phase 2 VIP attached to LAN IP using NAT 1:1
-
Hello there!
As the title says, I cannot establish a connection for two-way comms like SSH on a Phase 2 VIP attached to a LAN IP using NAT 1:1.
Phase 1 and Phase 2 are UP.
Phase 2 Remote IP is 192.168.1.248 and Local IP is 172.16.250.10 (VIP).
I created a NAT 1:1 both on the LAN interface and the IPsec interface which says:
External IP 172.16.250.10 (VIP...)
Internal IP 192.192.168.1.253 (Actual pfSense IP)
To test this out I am trying only SSH at the moment.
I created two rules on the Firewall, one for ICMP and one for SSH.
ICMP works fine - Not sure why.
Here are the rule and the Packet Capture, respectively, of the ICMP and the SSH:
Rules:
Packet Capture of the ICMP - Blurred some info because I am not sure what it is for...:
And here is a Packet Capture of an SSH attempt - Which is unsuccessful, with both a telnet test and the SSH test itself in the log:
As you can see, pfSense did not respond like it did for the ICMP.
This also happens even if I allow all rules on IPsec and LAN, and it also happens with other services like Zabbix ports. For clarification: Yes, SSH is enabled.
I also want to inform you beforehand that I created a static route for IN → OUT (Which works fine.)
I went here because I am really out of ideas and need some help.
Can someone give me some light on this?
Thank you.
-
You can't NAT on an IPsec tunnel like that. If you need to NAT you have to use the BI-NAT field in the Phase 2 setup.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html
Assuming this is a policy based tunnel (not VTI).
Steve