IPSEC with NAT



  • We are trying to connect to one of our clients using an IPSEC tunnel, but with no luck. We have the following configuration.

    Client Network <-> Client VPN Server    <===========> Our pfsense Server <-> Our Internal machine
    Linux              CISCO 7206/IOS 12.1                pfsense                Linux
    B.B.B.B/y          A.A.A.A                            C.C.C.C                10.1.1.30

    The Client has a requirement that both pfsense and our internal machine should have official IPs (no private IPs), but they said 1:1 NAT should work. We gave our internal machine a private IP and are using pfsense to do 1:1 NAT. We asked the client to debug on their Cisco VPN switch and see what messages they are seeing when we try to create a tunnel. The client is telling us that they see our internal IP (10.1.1.30) and not the official IP D.D.D.D as described below. Below is the configuration we have received from our client and the way we have configured it on our pfsense machine. Any help would be appreciated.

    Configuration received from the Client to open a tunnel.

    Client Public IP Address: A.A.A.A
    Accessible Client network (public): B.B.B.B/Y
    our VPN public IP Address: C.C.C.C (our pfsense box)
    our Machine running Linux : D.D.D.D
    Encryption: ESP- 3DES with MD5
    DH Group: 3DES Group 2 (1024 bit prime)
    Vendor Id: Disabled
    Perfect Forward Secrecy: disabled
    Compression: disabled
    IKE SA lifetime: 86400 seconds
    IPSEC SA Lifetime: 7200 seconds
    PSK : Customer PSK Key

    Our Pfsense configuration:

    Interface: WAN
    Local subnet : single host, D.D.D.D
    Remote subnet:  B.B.B.B/Y
    Remote gateway: A.A.A.A
    Negotiation mode: aggressive

    Phase1:
    My identifier: my IP Address
    Encryption algorithm: 3DES
    Hash Algorithm: MD5
    DH Key group: 2
    Lifetime: 86400
    Authentication method: PSK : Customer PSK key

    Phase 2:
    Protocol: ESP
    Encryption: 3DES
    Hash Algorithm: MD5
    PFS key group: off
    Lifetime: 7200

    We have 1:1 NAT enabled such that D.D.D.D is mapped to 10.1.1.30.
    The problem is that if we set Local subnet: single host, D.D.D.D, then on the client side they don't see any activity; but if we change it to 10.1.1.30, the client side sees some activity, but they are seeing 10.1.1.30 on the CISCO router on their side and it drops the tunnel.
    We spoke with their tech support; they are saying that somehow our 1:1 NAT is sending the internal IP and not our D.D.D.D.
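As an added illustration (not code from the thread or from pfSense), the following toy model shows why the two selector settings described above would produce exactly the two symptoms reported: no activity with D.D.D.D, and the peer seeing 10.1.1.30 with 10.1.1.30. The model assumes, purely as a modelling assumption and not as a statement about pfSense internals, that the outbound path applies the 1:1 NAT rewrite and the IPsec policy lookup in one of two orders, and it checks which order reproduces both observations. Documentation-range addresses stand in for D.D.D.D and B.B.B.B/Y; `ONE_TO_ONE_NAT`, `proposed_local_id` and `reproduce` are names invented here.

```python
"""
Toy model (added example, not from the forum thread) of how a 1:1 NAT
rewrite and an IPsec SPD lookup interact on an outbound packet.
Ordering modes are an assumption used to reproduce the poster's symptoms.
"""
from ipaddress import ip_address, ip_network

INTERNAL_HOST = "10.1.1.30"      # private LAN host (from the post)
PUBLIC_HOST = "203.0.113.30"     # stands in for D.D.D.D (documentation range)
REMOTE_NET = "198.51.100.0/24"   # stands in for B.B.B.B/Y (documentation range)
ONE_TO_ONE_NAT = {INTERNAL_HOST: PUBLIC_HOST}   # outbound 1:1 NAT table

ORDERS = ("nat-then-ipsec", "ipsec-then-nat")


def nat_rewrite(src):
    """Apply the 1:1 NAT table to a source address (identity if unmapped)."""
    return ONE_TO_ONE_NAT.get(src, src)


def policy_matches(src, dst, local_selector, remote_selector):
    """SPD lookup: does the packet fall inside the tunnel's selectors?"""
    return (ip_address(src) in ip_network(local_selector)
            and ip_address(dst) in ip_network(remote_selector))


def proposed_local_id(order, local_selector, src=INTERNAL_HOST,
                      dst="198.51.100.10"):
    """Local ID the phase 2 exchange would carry (the configured selector),
    or None when the packet never matches the policy, so no negotiation
    is started at all and the peer sees no activity."""
    if order not in ORDERS:
        raise ValueError(f"unknown order {order!r}")
    if order == "nat-then-ipsec":
        src = nat_rewrite(src)       # NAT already applied at lookup time
    matched = policy_matches(src, dst, local_selector, REMOTE_NET)
    return local_selector if matched else None


def peer_verdict(local_id, expected=PUBLIC_HOST):
    """What a peer that insists on seeing the official address would do."""
    if local_id is None:
        return "no activity"
    return "accepted" if local_id == expected else f"rejected (saw {local_id})"


def reproduce(order):
    """Outcome for both selectors the poster tried, under one ordering."""
    return {sel: peer_verdict(proposed_local_id(order, sel))
            for sel in (PUBLIC_HOST, INTERNAL_HOST)}


if __name__ == "__main__":
    for order in ORDERS:
        print(order, reproduce(order))
```

Only the `ipsec-then-nat` ordering yields both observations at once (silence for the public selector, a rejected 10.1.1.30 for the private one), which is consistent with the thread's eventual workaround of giving the host the official address directly instead of relying on 1:1 NAT.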



  • Please test http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-20-06/ which includes NAT-T support.



  • No luck even after upgrading to the latest pfSense-Full-Update-1.0-SNAPSHOT-09-20-06. Same errors. Below is the error log.

    Sep 21 18:52:54 racoon: ERROR: unknown notify message, no phase2 handle found.
    Sep 21 18:52:54 racoon: INFO: initiate new phase 2 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
    Sep 21 18:52:53 racoon: INFO: ISAKMP-SA established C.C.C.C[500]-A.A.A.A[500] spi:xx
    Sep 21 18:52:53 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Sep 21 18:52:53 racoon: INFO: begin Aggressive mode.
    Sep 21 18:52:53 racoon: INFO: initiate new phase 1 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
    Sep 21 18:52:53 racoon: INFO: IPsec-SA request for 194.39.131.167 queued due to no phase1 found.
    Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used for NAT-T
    Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used as isakmp port (fd=21)
    Sep 21 18:52:52 racoon: INFO: x%nve0[500] used as isakmp port (fd=20)
    Sep 21 18:52:52 racoon: ERROR: failed to bind to address C.C.C.C[500] (Address already in use).
    Sep 21 18:52:52 racoon: INFO: x%rl0[500] used as isakmp port (fd=19)
    Sep 21 18:52:52 racoon: INFO: x%rl1[500] used as isakmp port (fd=18)
    Sep 21 18:52:52 racoon: INFO: 127.0.0.1[500] used for NAT-T
    Sep 21 18:52:52 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=17)
    Sep 21 18:52:52 racoon: INFO: ::1[500] used as isakmp port (fd=16)
    Sep 21 18:52:52 racoon: INFO: x::1%lo0[500] used as isakmp port (fd=15)
    Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used for NAT-T
    Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used as isakmp port (fd=14)
    Sep 21 18:52:52 racoon: INFO: x%ng1[500] used as isakmp port (fd=13)
    Sep 21 18:52:52 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
    Sep 21 18:52:52 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
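As an added example (not code from the thread, pfSense or ipsec-tools), here is a small triage pass over racoon log lines like the ones posted above. It re-orders the newest-first syslog dump chronologically, checks whether phase 1 and phase 2 ever completed, and attaches an explanation to the lines that matter for the failure: the duplicate bind on C.C.C.C[500], the PSK lookup falling back to the peer's address, and the unmatched notify right after phase 2 starts. The sample log is constructed from the post, keeping the poster's placeholders as opaque strings (B.B.B.B substituted for the real address in the "queued" line); `parse_log`, `triage` and `KNOWN` are names invented here.

```python
"""Triage of racoon (ipsec-tools) syslog lines; added example, not project code."""
import re
from datetime import datetime

# Constructed sample, copied from the post with placeholders kept as-is.
SAMPLE_LOG = """\
Sep 21 18:52:54 racoon: ERROR: unknown notify message, no phase2 handle found.
Sep 21 18:52:54 racoon: INFO: initiate new phase 2 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
Sep 21 18:52:53 racoon: INFO: ISAKMP-SA established C.C.C.C[500]-A.A.A.A[500] spi:xx
Sep 21 18:52:53 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Sep 21 18:52:53 racoon: INFO: begin Aggressive mode.
Sep 21 18:52:53 racoon: INFO: initiate new phase 1 negotiation: C.C.C.C[500]<=>A.A.A.A[500]
Sep 21 18:52:53 racoon: INFO: IPsec-SA request for B.B.B.B queued due to no phase1 found.
Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used for NAT-T
Sep 21 18:52:52 racoon: INFO: 10.1.1.1[500] used as isakmp port (fd=21)
Sep 21 18:52:52 racoon: ERROR: failed to bind to address C.C.C.C[500] (Address already in use).
Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used for NAT-T
Sep 21 18:52:52 racoon: INFO: C.C.C.C[500] used as isakmp port (fd=14)
Sep 21 18:52:52 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$")

BIND_OK_RE = re.compile(r"(\S+) used as isakmp port")
BIND_FAIL_RE = re.compile(r"failed to bind to address (\S+) \(Address already in use\)")

# (pattern, explanation template); {0}, {1} ... are the regex groups.
KNOWN = [
    (re.compile(r"couldn't find the proper pskey"),
     "no pre-shared key matched the identity the peer presented; racoon fell back "
     "to a lookup by the peer's address, so check which identifier each side sends"),
    (re.compile(r"unknown notify message, no phase2 handle found"),
     "the peer sent a notify matching no phase 2 in progress here; right after a "
     "phase 2 initiation this usually means it rejected the proposed IDs/selectors, "
     "so compare the local and remote networks configured on both ends"),
    (re.compile(r"IPsec-SA request for (\S+) queued due to no phase1 found"),
     "traffic for {0} matched the policy before any ISAKMP SA existed; "
     "informational, racoon starts phase 1 first"),
]


def parse_log(text):
    """Parse syslog-style racoon lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not racoon output
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # year-less stamp
        events.append({"ts": ts, "level": m["level"], "msg": m["msg"]})
    # The web UI lists newest first; reverse before a stable sort so that
    # lines sharing the same second keep their true relative order.
    return sorted(reversed(events), key=lambda e: e["ts"])


def triage(text):
    """Return ordered events, explained findings and SA-state flags."""
    events = parse_log(text)
    bound, findings = set(), []
    for e in events:
        msg = e["msg"]
        if (m := BIND_OK_RE.match(msg)):
            bound.add(m.group(1))         # remember sockets this run opened
            continue
        if (m := BIND_FAIL_RE.match(msg)):
            addr = m.group(1)
            why = ("this racoon instance already bound it earlier in startup, so the "
                   "address was handed to it twice (check its interface/address list)"
                   if addr in bound else "another process holds that port")
            findings.append((e, f"bind on {addr} failed: {why}"))
            continue
        for pat, tmpl in KNOWN:
            if (m := pat.search(msg)):
                findings.append((e, tmpl.format(*m.groups())))
                break
    return {
        "events": events,
        "findings": findings,
        "error_count": sum(e["level"] == "ERROR" for e in events),
        "phase1_established": any(e["msg"].startswith("ISAKMP-SA established") for e in events),
        "phase2_established": any(e["msg"].startswith("IPsec-SA established") for e in events),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("phase1:", result["phase1_established"], "phase2:", result["phase2_established"])
    for ev, note in result["findings"]:
        print(ev["ts"].strftime("%H:%M:%S"), ev["level"], "-", note)
```

Run against the posted lines, the pass reports that phase 1 completed but no IPsec-SA was ever established, and that the bind failure on C.C.C.C[500] came after the same address had already been bound in the same startup.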



  • Have a look at http://doc.m0n0.ch/handbook-single/#id2608349. Maybe you will find something obvious by viewing this howto.



  • Did the nat-t stuff get removed from the snapshots?

    nb



  • Yeah



  • @sullrich:

    Yeah

    ok, good to know. 
    Thanks

    nb



  • I guess since nothing worked for us we should assume NAT-T is not fully functional. We ended up adding an additional NIC to our pfsense machine and bridging it with WAN to assign the official IP to our internal server. We are hoping that soon pfsense will have NAT-T support and we should be able to utilize it.
    Thanks for everyone's help and good luck!



  • NAT-T will not be included in 1.0.

    Maybe 1.1 or in the future.

