Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Issue with multiple P2 phases using NAT/BINAT on pfSense

    Scheduled Pinned Locked Moved IPsec
    11 Posts 2 Posters 532 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      vdjurdjevic
      last edited by

      I am configuring an IPsec VPN on pfSense with two P2 phases, both using NAT/BINAT. One phase establishes successfully, but the other fails. I’m trying to understand the root cause and how to fix this.

      Configuration details:

      pfSense version: 2.6.0

      P1:

      • IKEv2, Mutual PSK
      • Local Gateway: WAN IP
      • Remote Gateway: 91.232.236.20

      P2-1:

      • Local Network: DMZ subnet
      • NAT/BINAT: 10.66.88.1
      • Remote Network: 10.45.5.163/32

      P2-2:

      • Local Network: DMZ subnet
      • NAT/BINAT: 10.66.88.3
      • Remote Network: 10.45.213.42/32

      I’ve checked the logs under Status > System Logs > IPsec and noticed no match errors for the second phase. Both NAT addresses are unique, and firewall rules allow traffic for both phases."

      Is there a limitation with NAT/BINAT when using multiple P2 phases on pfSense? How can I configure this to work correctly?

      Thank you in advance for your help!

      1 Reply Last reply Reply Quote 0
      • V
        vdjurdjevic
        last edited by

        I see the following log error:

        14[CFG] <con9|130509> config: 10.45.213.42/32|/0, received: 10.45.5.163/32|/0 => no match

        V 1 Reply Last reply Reply Quote 0
        • V
          viragomann @vdjurdjevic
          last edited by

          @vdjurdjevic
          Are both p2 configured at the remote site as well?

          1 Reply Last reply Reply Quote 0
          • V
            vdjurdjevic
            last edited by vdjurdjevic

            Unfortunately, I don't have control over the gateway on the remote side of the tunnel.

            They sent me the following configurations for the ACL

            access-list Vakel_Tunnel line 1 extended permit ip host 10.45.5.163 host 10.66.88.1

            access-list Vakel_Tunnel line 2 extended permit ip host 10.45.213.42 host 10.66.88.3

            The tunnel existed previously with P2_1 and it is functional.

            The problems occur when I add P2_2. It is not functional.

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @vdjurdjevic
              last edited by

              @vdjurdjevic
              It seems, that there is no proper ACL for the second p2, but need to check the whole handshake section of the log to get sure.

              I don't think, that there is a limitation on p2 numbers with BINAT. To ensure, just disable the first and check if the other come up then.

              1 Reply Last reply Reply Quote 0
              • V
                vdjurdjevic
                last edited by

                When I disable P2_1, which is functional, P2_2 does not come up.

                V 1 Reply Last reply Reply Quote 0
                • V
                  viragomann @vdjurdjevic
                  last edited by

                  @vdjurdjevic
                  So as expected, the second p2 doesn't work without an impact of another as well.
                  So I guess, there is something configured wrong at the remote site.

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    vdjurdjevic @viragomann
                    last edited by

                    @viragomann Tnank You

                    1 Reply Last reply Reply Quote 0
                    • V
                      vdjurdjevic
                      last edited by

                      I tried to replicate the configuration between two pFsense instances, and I encountered the following:

                      • When using different NAT/BINAT addresses, only the first SA works.
                      • When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.
                      • And finally, in the IPsec status, only a single summary connection is visible instead of two.

                      1c61d5d2-2203-427e-b6bf-a2aff053cc3e-image.png

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        viragomann @vdjurdjevic
                        last edited by

                        @vdjurdjevic said in Issue with multiple P2 phases using NAT/BINAT on pfSense:

                        When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.

                        Ah yeah, good catch!

                        I can imagine, that it would be possible if you use different local addresses (single IPs instead of DMZ).

                        V 1 Reply Last reply Reply Quote 0
                        • V
                          vdjurdjevic @viragomann
                          last edited by

                          @viragomann Yes, I think so too.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.