Ipsec with 1:1 nat



  • I am trying to set up an IPsec VPN, but the remote end needs me to NAT my LAN host from its current IP 10.0.0.10 to 10.233.233.10.  The LAN address on the pfSense is 10.0.0.1.  Is there any way to do this?  I have heard that 2.0 may have some ability like this, but I have loaded the 2.0 alpha and can't find anything related.  Can someone shed some light on this for me?

    Julian



  • OK, I have found something potentially useful.  This is a description of how someone did it in OpenBSD.
    http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html
    I am also including a text copy of the forum post in case the link dies.

    Here is the setup I am trying to use…

    My LAN 172.17.0.0 /24
    VPN connected device 172.17.0.20 -> NAT 10.233.233.20
    Remote LAN 10.73.116.88 /29
    VPN gateway 1.2.3.193

    I am attempting to utilize this concept with pfSense by doing the following...

    1. Create an interface based on a bogus VLAN 17, since I don't know how to create a loopback interface in pfSense.
              (This is to give the VPN tunnel a local endpoint which is within the NATed network.)

    2. Assign an IP address to the newly created interface within the network of the NAT address
              (Note that the address assigned to this interface provides a network that contains the address for the 1:1 NAT.)
              "IP address" 10.233.233.1 /24

    3. Create a 1:1 NAT on the newly created interface
              "External Subnet" 10.233.233.20
              "Internal Subnet" 172.17.0.20

    4. Create a static route to the remote network via the newly created interface
              (This should route the traffic destined for the remote network to the newly created interface first so that it can be NAT'ed prior to entering the VPN tunnel)
              "Interface"    LAN
              "Destination"  10.73.116.88/29
              "Gateway"    10.233.233.1

    5. Set up the VPN between the Remote network and the new NAT network
              Interface          WAN
              Local Subnet    (Single Host) 10.233.233.20
              Remote Subnet  10.73.116.88 /29

    I will let you all know if this works.  If anyone knows how to do this using a loopback instead of this kludge please let me know.

    nat-ipsec.txt
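    The ordering problem this thread is about (NAT applied to a packet before it is matched against the IPsec Phase 2 selector versus after) can be shown with a small model.  The following Python is an added illustration, not pfSense code or anything from the linked OpenBSD post; it uses the addresses from the steps above and assumes a simplified view in which a packet enters the tunnel only if its source falls inside the Phase 2 "Local Subnet" and its destination inside the "Remote Subnet".  The `nat_1to1` helper is the network-to-network translation a 1:1 NAT performs (same host bits, different prefix), and `outbound` runs the same packet through both orderings.

```python
import ipaddress

# Constructed values, taken from the steps described in this thread.
LAN_NET = ipaddress.ip_network("172.17.0.0/24")          # real LAN
NAT_NET = ipaddress.ip_network("10.233.233.0/24")        # network presented to the peer
REMOTE_NET = ipaddress.ip_network("10.73.116.88/29")     # Phase 2 "Remote Subnet"
LOCAL_SEL = ipaddress.ip_network("10.233.233.20/32")     # Phase 2 "Local Subnet" (single host)


def nat_1to1(addr, internal_net, external_net):
    """Translate addr from internal_net into external_net, keeping the host bits.

    This is what a 1:1 (network) NAT does: 172.17.0.20 -> 10.233.233.20.
    Raises ValueError when the networks differ in size or addr is outside
    internal_net, since such a packet would not be translated at all.
    """
    addr = ipaddress.ip_address(addr)
    if internal_net.prefixlen != external_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-size internal and external networks")
    if addr not in internal_net:
        raise ValueError(f"{addr} is not inside {internal_net}")
    host_bits = int(addr) - int(internal_net.network_address)
    return external_net.network_address + host_bits


def untranslate(addr, internal_net, external_net):
    """Reverse mapping for replies arriving from the tunnel."""
    return nat_1to1(addr, external_net, internal_net)


def selector_matches(src, dst, local_sel, remote_sel):
    """Simplified Phase 2 check: does this (src, dst) pair belong in the tunnel?"""
    return (ipaddress.ip_address(src) in local_sel
            and ipaddress.ip_address(dst) in remote_sel)


def outbound(src, dst, nat_first):
    """Run one LAN packet through the two possible orderings.

    Returns (source address the IPsec stack sees, whether it enters the tunnel).
    With nat_first=False the untranslated 172.17.0.x source never matches the
    10.233.233.20/32 selector, which is the failure mode the thread describes.
    """
    if nat_first:
        try:
            src = str(nat_1to1(src, LAN_NET, NAT_NET))
        except ValueError:
            pass  # not in the NAT'd network, leave the source alone
    return src, selector_matches(src, dst, LOCAL_SEL, REMOTE_NET)


def inbound(dst):
    """Reply from the remote LAN: the tunnel delivers it to the NAT address,
    which then has to be mapped back to the real LAN host."""
    return str(untranslate(dst, LAN_NET, NAT_NET))


if __name__ == "__main__":
    pkt = ("172.17.0.20", "10.73.116.90")
    print("NAT then IPsec:", outbound(*pkt, nat_first=True))    # ('10.233.233.20', True)
    print("IPsec then NAT:", outbound(*pkt, nat_first=False))   # ('172.17.0.20', False)
    print("reply to", inbound("10.233.233.20"))                 # 172.17.0.20
```

    Running it shows the same packet entering the tunnel only when the translation happens first; the alternative leaves the real LAN address in place, so it fails the Phase 2 selector and is routed or dropped in the clear instead of being encapsulated.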



  • Unfortunately this is not working.  It did manage to establish a tunnel but I cannot get a connection from end to end.  Can someone please tell me what logs to look at to see where the traffic is being blocked?  By looking at the firewall log, I saw a packet come in from the remote end into my vlan17 interface but I couldn't tell what happened after that.


  • Rebel Alliance Developer Netgate

    Unfortunately, doing NAT before IPsec does not work on pfSense currently.

    There have been other discussions about it on the forum and on the ipsec-tools mailing list. It might be possible in the future, but it isn't something that can be done easily.



  • @jimp:

    Unfortunately, doing NAT before IPsec does not work on pfSense currently.

    There have been other discussions about it on the forum and on the ipsec-tools mailing list. It might be possible in the future, but it isn't something that can be done easily.

    Is this a limitation in FreeBSD, or does it have to do with the way pfSense is doing things?


  • Rebel Alliance Developer Netgate

    It's a limitation of just about everything involved, if I recall correctly. Mainly pf/FreeBSD and ipsec-tools.

    There used to be a bounty open (check the expired bounties board) for this functionality that had some ideas kicked around. If some funding turned up it might still be possible.

    Edit: Here is the old post:
    http://forum.pfsense.org/index.php/topic,14650.0.html



  • jimp,
      Thanks for the info and the link to the forum post about this.  If I want to try and figure out this system in the hopes of fixing this, where would I go to learn what order the packets get processed in FreeBSD / pfSense?  I.e. when a packet comes in on interface A, who gets it first: routing, IPsec, NAT, filter rules, etc.?


  • Rebel Alliance Developer Netgate

    In that other thread, Ermal seems to imply that it is mainly up to racoon (part of ipsec-tools) to handle this, but it will take some C coding to get it done.

    I don't understand the source of ipsec-tools well enough to comment further (and not for lack of trying, I've tried editing/patching their source for other reasons before and it wasn't a fun experience, mainly due to my lack of C knowledge.)

