IPsec & Firewall rules / NAT



  • I experience trouble when trying to establish an IPsec connection between home, with a dynamic IP, and the office, with a static one.
    Home is set up as a mobile client with a LAN subnet of 192.168.2.0/24 and the office has a static public IP with 192.168.100.0/24 as its LAN subnet. The setup is from HOBA's tutorial, still with a 1200s lifetime for both phases and both sides.

    Just to make sure, please correct my ruleset if anything is wrong:

    home:
    NAT:   IF   PROTO  EXT.PORT  NAT IP                  INT.PORT  DESCRIPTION
    NAT:   WAN  UDP    500       192.168.2.3 (ext.: )    500       UDP 500 for IPsec
    NAT:   WAN  ESP              192.168.2.3 (ext.: )              ESP for IPsec
    RULE:  PROTO  SRC  PORT  DST          PORT  GW  DESCRIPTION
    RULE:  ESP    *    *     WAN address  *     *   NAT ESP for IPsec
    RULE:  UDP    *    *     WAN address  500   *   NAT UDP500 for IPsec

    office:
    NAT:   IF   PROTO  EXT.PORT  NAT IP                     INT.PORT  DESCRIPTION
    NAT:   WAN  UDP    500       192.168.100.99 (ext.: )    500       UDP 500 for IPsec
    NAT:   WAN  ESP              192.168.100.99 (ext.: )              ESP for IPsec
    RULE:  PROTO  SRC  PORT  DST      PORT  GW  DESCRIPTION
    RULE:  ESP    *    *     gateway  *     *   NAT ESP for IPsec
    RULE:  UDP    *    *     gateway  500   *   NAT UDP500 for IPsec

    "gateway" is an alias for the pfSense LAN address (192.168.100.99) on the office side.

    Which entry is correct: ESP to the WAN address or to the LAN host (alias: gateway)?

    Further on, I have no SAD or SPD on the static side, whereas I get an SPD entry on the dynamic side but no SAD, since the tunnel is not up.
    This might be OK.

    On the System Logs | Firewall tab at home I get racoon parse errors. These do not show up on the office side…

    Anyone?



  • Since there are so many views of this topic, I'll post what finally worked for me; it might help others.
    Maybe Hoba adds it to his tutorial…

    both sides:
    RULE:  PROTO  SRC  PORT  DST          PORT  GW  DESCRIPTION
    RULE:  AH     *    *     WAN address  *     *   AH for IPsec
    RULE:  ESP    *    *     WAN address  *     *   ESP for IPsec
    RULE:  UDP    *    *     WAN address  500   *   UDP500 for IPsec

    If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.

    Do not use any NAT rules; they are not necessary, and NAT traversal (NAT-T) for IPsec is a task on its own.
    It usually requires UDP 4500 and other things I am not familiar with.
    Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal
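As an added illustration (not part of the thread), the following Python audit encodes the lesson of this post: a tunnel that terminates on the firewall needs pass rules for ESP and IKE (UDP 500) to the "WAN address" alias, never port forwards to a LAN host, and UDP 4500 only when a NAT sits between the peers. The 4-tuple rule representation and the two sample rulesets are constructed here from the tables above.

```python
from typing import Iterable, List, Tuple

# A rule is (kind, proto, dst, dstport): kind is "NAT" (a port forward) or "RULE"
# (a WAN pass rule); dstport is "*" for protocols without ports (ESP, AH).
Rule = Tuple[str, str, str, str]

IKE = ("UDP", "500")     # ISAKMP / IKE, phase 1
NAT_T = ("UDP", "4500")  # IKE and ESP wrapped in UDP when a NAT sits between the peers
WAN = "WAN address"      # pfSense's built-in alias for the firewall's own WAN IP

# Constructed samples: the office ruleset as first posted, and the ruleset that worked.
OFFICE_AS_POSTED: List[Rule] = [
    ("NAT", "UDP", "192.168.100.99", "500"),
    ("NAT", "ESP", "192.168.100.99", "*"),
    ("RULE", "ESP", "gateway", "*"),
    ("RULE", "UDP", "gateway", "500"),
]
WORKING: List[Rule] = [
    ("RULE", "AH", WAN, "*"),
    ("RULE", "ESP", WAN, "*"),
    ("RULE", "UDP", WAN, "500"),
]

def _passes(rules: Iterable[Rule], proto: str, port: str) -> bool:
    """True if some pass rule admits proto/port to the firewall's WAN address."""
    return any(k == "RULE" and p == proto and d == WAN and port in ("*", dp)
               for k, p, d, dp in rules)

def audit_ipsec_rules(rules: List[Rule]) -> List[str]:
    """Return findings for a ruleset meant to terminate an IPsec tunnel on the firewall."""
    findings = []
    for kind, proto, dst, dport in rules:
        is_ipsec = proto in ("ESP", "AH") or (proto, dport) in (IKE, NAT_T)
        if kind == "NAT" and is_ipsec:
            findings.append(f"unnecessary port forward for {proto}/{dport}: "
                            "the tunnel terminates on the firewall, not on a LAN host")
        elif kind == "RULE" and is_ipsec and dst != WAN:
            findings.append(f"{proto}/{dport} pass rule targets '{dst}'; it must target '{WAN}'")
    if not _passes(rules, "ESP", "*"):
        findings.append("no pass rule for ESP (IP protocol 50) to the WAN address")
    if not _passes(rules, *IKE):
        findings.append("no pass rule for IKE (UDP 500) to the WAN address")
    if not _passes(rules, *NAT_T):
        findings.append("info: UDP 4500 not allowed; only needed for NAT-T, "
                        "i.e. when a NAT sits between the two peers")
    return findings
```

Running `audit_ipsec_rules(OFFICE_AS_POSTED)` lists every problem the first post asked about, while `audit_ipsec_rules(WORKING)` only notes the optional NAT-T port.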

