One-way NAT over IPSec?



  • Hello,

    I apologize if this question is over-asked but I didn't see it in the FAQ.

    I understand that only pfSense 2.0 supports 1:1 NAT over an IPSEC tunnel, and that version 2.0 is not yet considered production-ready.

    Is it possible to do just a one-way NAT over an IPSEC tunnel in version 1.2.3?  My branch offices need to access servers at my datacenter and the branch offices' LAN subnets overlap, but my datacenter servers don't need to access any resources at the branch offices.

    Thanks,

    Todd


  • Rebel Alliance Developer Netgate

    Actually NAT+IPsec is still not possible even on 2.0. If you have overlapping subnets and you are forced to use IPsec, you'll need to set up a second box to translate through, like so:

    Main Firewall, IPsec tunnel between "fixed" subnet and remote site, LAN interface as usual, second internal interface on the "fixed" subnet.
    Second "VPN" firewall sitting on the "fixed" subnet on its "WAN" connected to the main firewall. LAN subnet is the same as the LAN side of the main firewall, but a different IP. This box's job is just to translate between subnets.
    Main firewall gets a static route that points traffic headed for the remote subnet to the VPN router instead, which should make the NAT happen, and then when the NAT goes out via the main firewall it's on the right subnet, will match the IPsec SPD, and go over the tunnel as you like.

    That method should work on 1.2.3 or 2.0.



  • Hello,

    OK.  Is NAT+OpenVPN also not possible with one pfSense machine?

    Thanks,

    Todd


  • Rebel Alliance Developer Netgate

    NAT+OpenVPN works fine, you can NAT in either direction. To NAT outbound, just assign the OpenVPN interface as an OPT interface, and then you can do whatever you like with it, it acts like a separate WAN.



  • @jimp:

    NAT+OpenVPN works fine, you can NAT in either direction. To NAT outbound, just assign the OpenVPN interface as an OPT interface, and then you can do whatever you like with it, it acts like a separate WAN.

    Can confirm this, but I had huge issues doing so because I was tricked by the NAT/state table keeping the state of my ICMP to some invalid destination even though the OpenVPN went up and down.

    What I had to do was create a script that flushes only the states between my source subnet and the destination subnets on the other side of the OpenVPN tunnel, and run it from the pfSense OpenVPN client's advanced configuration section like this:
    route-up "/usr/local/bin/FlushOpenVPN-Nat"

    the script is simply like this:
    #!/bin/sh
    # Kill (flush) any pf states from the local LAN to each remote subnet
    # reached over the tunnel. Stale states would otherwise keep matching
    # the old path after the tunnel has gone down and come back up.
    # pfctl -k <src> -k <dst> kills states from <src> to <dst>.
    /sbin/pfctl -k 192.168.254.0/24 -k 172.20.0.0/16
    /sbin/pfctl -k 192.168.254.0/24 -k 172.30.0.0/16
    /sbin/pfctl -k 192.168.254.0/24 -k 10.31.0.0/16
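As an added example (not the poster's script or anything shipped with pfSense), the same state flush generalized so the remote subnets need not be hard-coded: the hook reads the routes OpenVPN just installed from the route_network_N / route_netmask_N variables it sets for route-up scripts and kills states from the local LAN to each of them. LOCAL_NET, PFCTL and the mask2prefix helper are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical route-up hook for an OpenVPN client on pfSense (pf).
# Assumes OpenVPN's route-up environment: route_network_1/route_netmask_1,
# route_network_2/... for every route it added. LOCAL_NET is a constructed
# example value; override PFCTL to dry-run (e.g. a shell function that echoes).
LOCAL_NET="${LOCAL_NET:-192.168.254.0/24}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Convert a dotted netmask (255.255.0.0) to a prefix length (16).
# Returns 1 on an octet that is not a valid mask octet.
mask2prefix() {
    bits=0
    oldifs="$IFS"; IFS=.
    for octet in $1; do
        case "$octet" in
            255) bits=$((bits + 8)) ;;  254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;  248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;  224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;  128) bits=$((bits + 1)) ;;
            0)   ;;
            *)   IFS="$oldifs"; return 1 ;;
        esac
    done
    IFS="$oldifs"
    echo "$bits"
}

# Walk route_network_N until one is unset and flush LOCAL_NET -> that network.
# Routes with an unparsable netmask are skipped rather than aborting the hook.
flush_tunnel_states() {
    n=1
    while :; do
        eval "net=\${route_network_$n}"
        eval "mask=\${route_netmask_$n}"
        [ -n "$net" ] || break
        if prefix=$(mask2prefix "${mask:-255.255.255.255}"); then
            "$PFCTL" -k "$LOCAL_NET" -k "$net/$prefix"
        fi
        n=$((n + 1))
    done
}

flush_tunnel_states
```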



  • @jimp:

    Actually NAT+IPsec is still not possible even on 2.0. If you have overlapping subnets and you are forced to use IPsec, you'll need to set up a second box to translate through, like so:

    Main Firewall, IPsec tunnel between "fixed" subnet and remote site, LAN interface as usual, second internal interface on the "fixed" subnet.
    Second "VPN" firewall sitting on the "fixed" subnet on its "WAN" connected to the main firewall. LAN subnet is the same as the LAN side of the main firewall, but a different IP. This box's job is just to translate between subnets.
    Main firewall gets a static route that points traffic headed for the remote subnet to the VPN router instead, which should make the NAT happen, and then when the NAT goes out via the main firewall it's on the right subnet, will match the IPsec SPD, and go over the tunnel as you like.

    That method should work on 1.2.3 or 2.0.

    Maybe this post will give some tips about implementing it in one box:
    http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

