Ipsec and portforward issue , from public ip site 1 to host site 2

mvbif · Oct 9, 2024, 11:26 PM

Hello,
I have got 2 pfsense 1 with public ip 1 without, i made an ipsec between both and works as expected.
Now i'm trying to use the public ip on site 1, to reach an host on site 2 with port forwarding (dnat) .
Phase 2 include lan from both side (192.168.20.0/4 , 192.168.30.0/24).

So i was trying from Public ip to reach site 2, using dest and source nat, but packet doesn't leave wan interface.
I can see the packet coming to wan address be natted to site2 host ip, with outbound i got a packet that look site1 lan to site 2 lan, but does not go to the tunnel. If i try testport from the same ip used as snat i see traffic flow the tunnel and reach the host.

What i'm missing?

InternetIP--->WanIp, port forward on 192.168.20.10, using 192.168.30.199 as outbound nat, and i can see 192.168.30.199 to 192.168.20.10 with packet capture on wan interface, so the nat part should be working, but if i put the capture on ipsec int, no packet at all.
If i use the ip 192.168.30.199 with test port to 192.168.20.10 the packet flow the tunnel and reach the host.

:(

Thanks for help

viragomann · Oct 10, 2024, 7:12 PM

@mvbif
This is not going to work with policy-based IPSec.
It work with VTI or any other kind of VPN, however.

mvbif · Oct 10, 2024, 7:12 PM

@viragomann Thanks, for answer, can you tell me where can i find the why behind this? (i searched in this direction but found nothing)
For what i undestood, the outbound nat should be applied after the packet dnat has been routed, but it can't be routed because it's source is not part of phase 2, seems like the route to pfsense 2 exist only for the source that are part of phase2, isn't it? .
But anyway thanks so i can stop trying :) , then i can change ipsec to vti, or source nat it before reach pfsense 1 and add this subnet to phase 2, or using a router inside the the subnet of pfsense 1 to route using is ip to pfsense 2.

Regards

viragomann · Oct 10, 2024, 7:33 PM

@mvbif
Policy-based IPSec strictly connects two networks in a phase 2. And only these two network can communicate.
If you forward traffic from a public IP the source might be outside of these network. So the packets won't be accepted.

Yes, there are two possibilities with policy-based IPSec. You can either source-NAT the packets. But this must be done in the IPSec phase 2 with BINAT and to an IP, which the remote site has defined as remote network in its p2. Conventional outbound NAT would not work.
The second option is to state 0.0.0.0/0 as local network on site 1 and as remote on site 2, but this means, that all upstream traffic from 2 will be routed to 1, which might be undesired.

With VTI, you can assign an interface to the IPSec instance at site 2, where you have to define the firewall rule for inbound from the remote site. So pfSense can apply the reply-to tags to the packets, which is necessary to route response packets back to site 1.