Netgate Discussion Forum
    IPSec behind NAT

    11 Posts 2 Posters 723 Views
      viragomann @xElectro_FX

      @xElectro_FX
      Did you configure an outbound NAT rule for packets from the remote site?

        xElectro_FX @viragomann

        @viragomann On PFSense01 Firewall I haven't configured any NAT

          viragomann @xElectro_FX

          @xElectro_FX
          You need to NAT your internal IPs to the WAN IP when talking to the outside world. pfSense adds rules for local subnets automatically. But if you route traffic from the remote site out to the WAN, you have to add rules for that manually.

          Firewall > NAT > Outbound
          Switch to hybrid mode and save this. Then add a rule:
          Interface: WAN
          Source: the server's IP
          Destination: any
          Translation: WAN address

          Apart from this, you need to configure your VPN properly. Should work with either policy-based or routed IPSec.

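To make the point of the post above concrete, here is an added example (not from this thread and not pfSense's own code) that parses a constructed `pfctl -sn` listing of the kind pfSense generates and replays pf's first-match outbound NAT lookup. It shows that the automatic rules only cover local subnets, so a packet from the remote site's server leaves the WAN untranslated until the manual hybrid-mode rule from the post is present. All addresses are assumptions: 203.0.113.10 as the WAN address on em0, 192.168.1.0/24 as the local LAN, 192.168.2.10 as the server at the remote site.

```python
"""Replay pf's outbound NAT evaluation to show why the remote site's server
leaves the WAN untranslated until a manual hybrid-mode rule is added."""
import ipaddress
import re

# Constructed sample of `pfctl -sn` output on a pfSense box (not taken from the thread).
# Assumed addresses: WAN interface em0 = 203.0.113.10, local LAN = 192.168.1.0/24.
# pfSense's automatic rules only ever cover its own local subnets.
AUTO_NAT_RULES = """\
nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
"""

# Constructed address of the server at the remote site, reached over the VTI.
REMOTE_SERVER = "192.168.2.10"

# The rule the post tells you to add in hybrid mode:
# Interface WAN, Source = the server's IP, Destination any, Translation = WAN address.
MANUAL_RULE = f"nat on em0 inet from {REMOTE_SERVER} to any -> 203.0.113.10 port 1024:65535\n"

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))? -> (?P<nat>\S+)"
)


def _net(token):
    # "any" matches everything; anything else is a host address or CIDR network.
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_nat_rules(text):
    """Parse the subset of pfctl -sn syntax used above into rule dicts, keeping order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"iface": m["iface"], "src": _net(m["src"]), "dst": _net(m["dst"]),
                          "port": m["port"], "nat": m["nat"]})
    return rules


def translate(rules, iface, src_ip, dst_ip, dst_port):
    """Return the source address a packet leaving `iface` is translated to, or None
    when no nat rule matches. pf walks nat rules top-down; the first match wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["iface"] != iface:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dst_port:
            continue
        return r["nat"]
    return None


def check_remote_server(dst_ip="198.51.100.5", dst_port="443"):
    """Compare the remote server's fate with automatic rules only and with the manual rule."""
    before = translate(parse_nat_rules(AUTO_NAT_RULES), "em0", REMOTE_SERVER, dst_ip, dst_port)
    after = translate(parse_nat_rules(AUTO_NAT_RULES + MANUAL_RULE), "em0",
                      REMOTE_SERVER, dst_ip, dst_port)
    return before, after


if __name__ == "__main__":
    before, after = check_remote_server()
    print("automatic rules only:", before)  # None: packet leaves with its private source
    print("with manual rule:    ", after)   # 203.0.113.10
```

On a real box the listing to feed `parse_nat_rules` comes from `pfctl -sn` on the pfSense shell; the rule for the remote server must appear there after saving the hybrid-mode rule, otherwise the server's traffic reaches the WAN with a private source address that the upstream router has no return route for.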
            xElectro_FX @viragomann

            @viragomann I actually currently have this problem
            [screenshot]
            In PFSense01 Firewall

              viragomann @xElectro_FX

              @xElectro_FX
              Having the local and remote set to 0.0.0.0/0 in the P2 might not be a good idea at all.

                xElectro_FX @viragomann

                @viragomann I don't know why 0.0.0.0 is shown there, but that's my config

                [screenshot]

                In this case Remote Gateway is 0.0.0.0 'cause it is in Responder-only mode

                  viragomann @xElectro_FX

                  @xElectro_FX
                  So ah, it's a VTI. Ensure that the remote site is configured accordingly as well.

                    xElectro_FX @viragomann

                    @viragomann Also PFSense02 is in VTI Mode

                      viragomann @xElectro_FX

                      @xElectro_FX
                      And did you policy route the upstream traffic of the server on pf2?

                        xElectro_FX @viragomann

                        @viragomann Before routing the traffic of the server, I would like PFSense01 and PFSense02 to ping each other on the VTI interfaces, because from the screenshot that I showed before, on PFSense01 there are 0 outbound packets, and I don't know why.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.