IPsec with NAT reflection

  • I have a situation where I have two LANs connected via an IPsec tunnel. On one end is an Exchange server with ports forwarded to a public virtual IP address, and on the other end there is a computer with a public IP address that also has a tunnel through the IPsec tunnel. Other computers on LAN B can connect to the Exchange server's public IP address, but the computer with the public IP address cannot.

    CARP Virtual IP for Exchange
    router ------------- IPsec ------------- router
      |                                        |   |
    LAN A                                    LAN B  web server with public address
      |
    Exchange Server

    The Exchange server has ports forwarded from the Virtual IP to its services on an internal address on LAN A.

    The problem is that the web server is unable to connect to the Exchange server's virtual IP. I can watch the public interface for LAN A with tcpdump or with pfSense's firewall log. pfSense allows SMTP packets through, but I don't see them exit anywhere. Using tcpdump, I don't see them on enc0 or on LAN A's public interface.

    I have a temporary solution in place using a hosts file so that the web server connects to the exchange server's private address, but it's not what I consider an ideal solution. What I really want to know is what is confusing pfSense on LAN A about SMTP packets from the web server.

    Other computers on LAN B can connect to the Exchange server's public address, as can computers on LAN A. The only computer with a problem is the web server, and I'm sure it has something to do with it only having a public IP address.

    PS Computers on LAN B connect to exchange's virtual IP through the internet, not IPsec. SMTP works fine for them. For some reason, when the web server sends the same request to Exchange, pfSense drops the packet somewhere, or doesn't forward it.
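The post describes a port forward (rdr) that is bound to the WAN interface and reached from the Internet, while the web server's packets arrive on the IPsec interface (enc0) instead. The following pf.conf fragment is an added example, not configuration from the post or from pfSense itself; it shows the mechanism in plain pf syntax as pfSense generates it underneath its GUI. All addresses, interface names and macro names are constructed placeholders.

```conf
# Constructed example: pf port forward for Exchange SMTP on a CARP VIP,
# first as seen only on WAN, then with the same forward applied to enc0.
# Every value below is an assumed placeholder, not taken from the post.
wan_if     = "em0"            # assumed WAN interface name
exchange   = "10.0.1.25"      # assumed Exchange server address on LAN A
wan_vip    = "203.0.113.10"   # assumed CARP virtual IP on the WAN side
web_public = "198.51.100.7"   # assumed public address of the web server on LAN B

# Forward that serves Internet clients: it matches only packets that ENTER
# the firewall on $wan_if. A packet for $wan_vip:25 that enters on enc0
# (IPsec) never matches this rule; with no rdr applied, the destination is
# the firewall's own VIP, so the packet is consumed locally and is never
# seen leaving on the LAN A interface.
rdr on $wan_if proto tcp from any to $wan_vip port 25 -> $exchange port 25

# Same forward for traffic arriving through the IPsec tunnel. Restricting
# the source to the known peer keeps the reflection rule narrow.
rdr on enc0 proto tcp from $web_public to $wan_vip port 25 -> $exchange port 25

# Filter rules still have to pass the translated traffic; the rdr only
# rewrites the destination. Reply packets from $exchange to $web_public
# must route back into the tunnel, so the IPsec phase 2 selectors have to
# cover $web_public (or its subnet) as well as LAN A.
pass in on enc0 proto tcp from $web_public to $exchange port 25 keep state
```

To check which rdr rules are actually loaded and whether a state was created for the web server's connection, `pfctl -sn` lists the active NAT/rdr rules and `pfctl -ss` lists states; a connection that shows a state on the WAN VIP with no translated destination is one that hit no rdr rule.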

