Need to connect via different subnet over IPSec VPN
-
hello,
I have a big problem. I'm new to using pfsense 2.0. I need to connect to my SAP HR hosting partner. His requirements:
The LAN subnet where SAP HR is hosted is 172.10.5.0/24, and they are forcing me to use 172.10.8.0/28 as my local subnet.
The problem is, I'm using a different local subnet: 192.168.0.0/24. I cannot make a translation from 192.168.0.0/24 to 172.10.8.0/28 (the hosting partner accepts the tunnel ONLY between 172.10.5.0/24 <-> 172.10.8.0/28).
What to do? How to configure pfsense (NAT, VIP, etc.)? :-[
The tunnel is made over IPSec between my public IP (pfsense) and theirs (cisco).
-
hi,
The tunnel will be established between 172.10.5.0/24 <-> 172.10.8.0/28. So
packets can be sent through the tunnel with destination IP 172.10.8.0/28 from your
SAP partner. By using 1:1 NAT, it should be possible to translate the destination IP into your IP range.
And also the way back, by translating the source IP.
The problem could be the different subnet size…
-
But how do I configure NAT 1:1?
I cannot send any packets.
-
hi!
I would try to configure 1:1 NAT:
Firewall > NAT > 1:1
Interface: IPSec
External IP: 172.10.8.0
Internal IP: 192.168.0.0
Reason: packets from your SAP provider have destination IP 172.10.8.0/28. This should be switched to the
192.168.0.0/28 network and also vice versa. The problem could be the different subnet length.
That's what I suggest, but I am also new in this area and I am fighting also with NAT and ARP Proxy…
-
You cannot do NAT+IPsec in that way. It doesn't work.
The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.
IIRC there are other issues there as well, but it's a known issue that is fairly well documented.
-
hmm. yes, the traffic should fit with phase 2.
packets which are coming from the provider (out of the tunnel) have
Dest-IP: 178.10.8.0/24
Source-IP: 172.10.5.0/24 (… this fits with phase 2.)
after 1:1 NAT (dest) in pfsense, we have
Dest-IP: 192.168.0.0/24
Source-IP: 172.10.5.0/24
… (destination IP changed). This packet should reach the destination host.
the reply from the host has
Dest-IP: 172.10.5.0/24
Source-IP: 192.168.0.0/24
after 1:1 NAT (source) in pfsense we have for the tunnel
Dest-IP: 172.10.5.0/24
Source-IP: 172.10.8.0/24 … this fits again with phase 2
please let me know what is wrong….
-
For example, a traceroute to 172.10.5.1 from a host in subnet 192.168.0.0 shows a trace to the default gateway and the internet and nowhere else,
not to the IPsec tunnel, via 172.10.8.0 to 172.10.5.0 at least :(
-
You have to consider that the IP addresses fit with the Phase2 configuration of IPsec
before you send the packet to the tunnel.
Phase2 is established with 178.10.8.0/24 and 172.10.5.0/24. Only these addresses are accepted
by the VPN. But you want to send a packet with 192.168.0.0 and 172.10.5.0/24.
-
On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855
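As an added illustration (not from any poster, and not pfSense's own NAT or IPsec code), a small Python model of the two points the thread turns on: raw 192.168.0.0/24 traffic never matches the partner's phase 2 selectors, and a 1:1 mapping between the /24 LAN and the forced /28 can only cover the first 16 hosts. The `PHASE2_*`/`REAL_LAN` names, the path functions and their result strings are assumptions for the example; the order "NAT, then policy match" is the order the traffic would need, which the thread says pfSense 2.0 does not provide.

```python
import ipaddress

# Networks taken from the thread: the partner's phase 2 selectors and the
# LAN the poster actually uses.
PHASE2_LOCAL = ipaddress.ip_network("172.10.8.0/28")
PHASE2_REMOTE = ipaddress.ip_network("172.10.5.0/24")
REAL_LAN = ipaddress.ip_network("192.168.0.0/24")


def matches_phase2(src, dst):
    """True if src/dst fall inside the phase 2 selectors, i.e. the only
    traffic the IPsec policy will ever put into the tunnel."""
    return (ipaddress.ip_address(src) in PHASE2_LOCAL
            and ipaddress.ip_address(dst) in PHASE2_REMOTE)


def one_to_one_nat(addr, internal, external):
    """1:1 (network-to-network) mapping: keep the host offset, swap the
    prefix. Returns None when the host offset does not fit in the target
    block, which is the /24-vs-/28 size problem raised in the thread."""
    a = ipaddress.ip_address(addr)
    if a not in internal:
        return None
    offset = int(a) - int(internal.network_address)
    if offset >= external.num_addresses:
        return None
    return ipaddress.ip_address(int(external.network_address) + offset)


def outbound_path(src, dst):
    """LAN host -> partner: the source must be rewritten onto 172.10.8.0/28
    BEFORE the policy lookup, or the packet never matches phase 2."""
    if matches_phase2(src, dst):
        return f"tunnelled as {src}->{dst}"
    natted = one_to_one_nat(src, REAL_LAN, PHASE2_LOCAL)
    if natted is None:
        return "dropped: source has no 1:1 mapping in 172.10.8.0/28"
    if not matches_phase2(str(natted), dst):
        return f"dropped: {natted}->{dst} does not match phase 2"
    return f"tunnelled as {natted}->{dst}"


def inbound_path(src, dst):
    """Partner -> LAN host: the packet already matched phase 2 to be
    decrypted; 1:1 NAT then rewrites the /28 destination onto the real LAN."""
    if not (ipaddress.ip_address(src) in PHASE2_REMOTE
            and ipaddress.ip_address(dst) in PHASE2_LOCAL):
        return "dropped: does not match phase 2"
    return f"delivered to {one_to_one_nat(dst, PHASE2_LOCAL, REAL_LAN)}"
```

Without the pre-policy rewrite, `matches_phase2("192.168.0.10", "172.10.5.1")` is false, which is exactly why the traceroute in the thread heads for the default gateway instead of the tunnel.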