IPSEC with NAT
We are trying to connect to one of our client using IPSEC tunnel but with no luck. We have the following configuration.
Client Network <-> Client VPN Server <===========> Our pfsense Server <-> Our Internal machine
Linux CISCO 7206/IOS 12.1 pfsense Linux
B.B.B.B/y A.A.A.A C.C.C.C 10.1.1.30
The Client has a requirement that both pfsense and Our internal machine should have official IP's (no private IP's), but they said 1:1 NAT should work. We gave our internal machine a private IP and using pfsense to do 1:1 NAT. We asked the client to debug on their Cisco VPN switch and see what messages they are seeing when we try to create a tunnel. The client is telling us that they see our internal IP (10.1.1.30) and not the official IP D.D.D.D as described below. Below is the configuration we have received from our client and the way we have confiured it on our pfsense machine. Any help would be appreciated.
Configuration received from the Client to open a tunnel.
Client Public IP Adress: A.A.A.A
Accessible Client network (public): B.B.B.B/Y
our VPN public IP Address: C.C.C.C (our pfsense box)
our Machine running Linux : D.D.D.D
Encryption: ESP- 3DES with MD5
DH Group: 3DES Group 2 (1024 bit prime)
Vendor Id: Disabled
Perfect Forward Secrecy: disabled
IKE SA lifetime: 86400 seconds
IPSEC SA Lifetime: 7200 seconds
PSK : Customer PSK Key
Our Pfsense configration,
Local subnet : single host, D.D.D.D
Remote subnet: B.B.B.B/Y
Remote gateway: A.A.A.A
Negotiation mode: aggressive
My identifier: my IP Address
Encryption algorithm: 3DES
Hash Algorithm: MD5
DH Key group: 2
Authentication method: PSK : Customer PSK key
Hash Algorithm: MD5
PFS key group: off
We have 1:1 NAT enabled such that D.D.D.D is mapped to 10.1.1.30.
The problem is if we set Local subnet : single host, D.D.D.D then on the client side they don't see any activity but if we change it to 10.1.1.30 then Client side see some activity but they are seeing 10.1.1.30 on the CISCO router on their side and it drops the tunnel.
We spoke with their tech support they are saying some how our 1:1 NAT is sending internal IP and not our D.D.D.D
Please test http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-20-06/ which includes NAT-T support.
No luck even after upgrading to the latest pfSense-Full-Update-1.0-SNAPSHOT-09-20-06. Same errors. Below is the error log.
Sep 21 18:52:54 racoon: ERROR: unknown notify message, no phase2 handle found.
Sep 21 18:52:54 racoon: INFO: initiate new phase 2 negotiation: C.C.C.C<=>A.A.A.A
Sep 21 18:52:53 racoon: INFO: ISAKMP-SA established C.C.C.C-A.A.A.A spix
Sep 21 18:52:53 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Sep 21 18:52:53 racoon: INFO: begin Aggressive mode.
Sep 21 18:52:53 racoon: INFO: initiate new phase 1 negotiation: C.C.C.C<=>A.A.A.A
Sep 21 18:52:53 racoon: INFO: IPsec-SA request for 22.214.171.124 queued due to no phase1 found.
Sep 21 18:52:52 racoon: INFO: 10.1.1.1 used for NAT-T
Sep 21 18:52:52 racoon: INFO: 10.1.1.1 used as isakmp port (fd=21)
Sep 21 18:52:52 racoon: INFO: x%nve0 used as isakmp port (fd=20)
Sep 21 18:52:52 racoon: ERROR: failed to bind to address C.C.C.C (Address already in use).
Sep 21 18:52:52 racoon: INFO: x%rl0 used as isakmp port (fd=19)
Sep 21 18:52:52 racoon: INFO: x%rl1 used as isakmp port (fd=18)
Sep 21 18:52:52 racoon: INFO: 127.0.0.1 used for NAT-T
Sep 21 18:52:52 racoon: INFO: 127.0.0.1 used as isakmp port (fd=17)
Sep 21 18:52:52 racoon: INFO: ::1 used as isakmp port (fd=16)
Sep 21 18:52:52 racoon: INFO: x::1%lo0 used as isakmp port (fd=15)
Sep 21 18:52:52 racoon: INFO: C.C.C.C used for NAT-T
Sep 21 18:52:52 racoon: INFO: C.C.C.C used as isakmp port (fd=14)
Sep 21 18:52:52 racoon: INFO: x%ng1 used as isakmp port (fd=13)
Sep 21 18:52:52 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 21 18:52:52 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Have a look at http://doc.m0n0.ch/handbook-single/#id2608349 . Maybe you find something obvious by viewing this howto.
Did the nat-t stuff get removed from the snapshots?
ok, good to know.
I guess since nothing worked for us we should assume NAT-T is not fully functional. We ended up adding an additional NIC to our pfsense machine and bridging it with WAN to assign the official IP to our internal server. We are hoping that soon pfsense will have NAT-T support and we should be able to utilize it.
Thanks for everyone's help and goodluck!
NAT-T will not be included in 1.0.
Maybe 1.1 or in the future.