Issue with multiple P2 phases using NAT/BINAT on pfSense

vdjurdjevic

I am configuring an IPsec VPN on pfSense with two P2 phases, both using NAT/BINAT. One phase establishes successfully, but the other fails. I’m trying to understand the root cause and how to fix this.

Configuration details:

pfSense version: 2.6.0

P1:

• IKEv2, Mutual PSK
• Local Gateway: WAN IP
• Remote Gateway: 91.232.236.20

P2-1:

• Local Network: DMZ subnet
• NAT/BINAT: 10.66.88.1
• Remote Network: 10.45.5.163/32

P2-2:

• Local Network: DMZ subnet
• NAT/BINAT: 10.66.88.3
• Remote Network: 10.45.213.42/32

I’ve checked the logs under Status > System Logs > IPsec and noticed no match errors for the second phase. Both NAT addresses are unique, and firewall rules allow traffic for both phases."

Is there a limitation with NAT/BINAT when using multiple P2 phases on pfSense? How can I configure this to work correctly?

Thank you in advance for your help!

vdjurdjevic

I see the following log error:

14[CFG] <con9|130509> config: 10.45.213.42/32|/0, received: 10.45.5.163/32|/0 => no match

viragomann

@vdjurdjevic
Are both p2 configured at the remote site as well?

vdjurdjevic

Unfortunately, I don't have control over the gateway on the remote side of the tunnel.

They sent me the following configurations for the ACL

access-list Vakel_Tunnel line 1 extended permit ip host 10.45.5.163 host 10.66.88.1

access-list Vakel_Tunnel line 2 extended permit ip host 10.45.213.42 host 10.66.88.3

The tunnel existed previously with P2_1 and it is functional.

The problems occur when I add P2_2. It is not functional.

viragomann

@vdjurdjevic
It seems, that there is no proper ACL for the second p2, but need to check the whole handshake section of the log to get sure.

I don't think, that there is a limitation on p2 numbers with BINAT. To ensure, just disable the first and check if the other come up then.

vdjurdjevic

When I disable P2_1, which is functional, P2_2 does not come up.

viragomann

@vdjurdjevic
So as expected, the second p2 doesn't work without an impact of another as well.
So I guess, there is something configured wrong at the remote site.

vdjurdjevic

@viragomann Tnank You

vdjurdjevic

I tried to replicate the configuration between two pFsense instances, and I encountered the following:

• When using different NAT/BINAT addresses, only the first SA works.
• When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.
• And finally, in the IPsec status, only a single summary connection is visible instead of two.

viragomann

@vdjurdjevic said in Issue with multiple P2 phases using NAT/BINAT on pfSense:

When I use the same NAT/BINAT address, everything works perfectly. I assume this is because the network being NATed is the same for both P2s.

Ah yeah, good catch!

I can imagine, that it would be possible if you use different local addresses (single IPs instead of DMZ).

vdjurdjevic

@viragomann Yes, I think so too.