pfSense to Cisco - NAT before IPsec



  • Hi, after many hours of trawling the net it looks like this is unsupported? Essentially we need to create a pfSense to Cisco IPsec tunnel. Phase 1 works fine, but Phase 2 fails.

    We have two options to connect to the client: either NAT our internal LAN to an internal IP they have provided on their side,

    or NAT our internal LAN to an external publicly addressable IP that isn't our firewall's IP.

    Have tried either way, and the furthest was getting Phase 1 to work.

    Which gave the following error on their Cisco:

    "Instead of sending the single public IP address we are receiving your internal 192.168.9.0 networks. See below for debug:

    .Oct 19 16:03:59.924 GMT: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= Peer IP, remote= FW IP,
        local_proxy= The remote subnet/255.255.255.252/0/0 (type=4),
        remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
    .Oct 19 16:03:59.924 GMT: Crypto mapdb : proxy_match
            src addr    : The remote subnet
            dst addr    : 192.168.9.0
            protocol    : 0
            src port    : 0
            dst port    : 0

    Now under the Phase 2 settings, setting the local network to:

    Our internal network gives the error above.
    Our LAN, and their Cisco doesn't get that detail.
    Our external non-FW IP, and it looks like the tunnel doesn't even start on our side.
    The IP address on their side that we're to NAT to, and there's an error saying it's not on the pfSense box (which I'd expect).

    So either I'm missing something fundamental here or it's unsupported? As the tunnel doesn't come up, I saw no point configuring outbound NAT rules, as they would process after the tunnel is up?

    Help much appreciated!

    Cheers,

    James
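The Cisco debug quoted above is the useful evidence here: in `IPSEC(validate_proposal_request)` the `local_proxy`/`remote_proxy` fields are the Phase 2 traffic selectors (proxy IDs) the peer proposed, and the `remote_proxy= 192.168.9.0/255.255.255.0` line shows the pfSense side offering its untranslated LAN rather than the single NAT address the Cisco's crypto ACL expects. Phase 2 cannot complete until both sides agree on those selectors, and with NAT-before-IPsec the translated address (on pfSense, the NAT/BINAT translation setting of the Phase 2 entry) is what has to appear in the proxy ID. The script below is an added example, not code from the post or from either vendor: it parses debug lines of that shape, compares the proposed proxy IDs with the selectors the Cisco side was configured for, and flags the case where an RFC 1918 network is offered in place of a translated address. The debug text is constructed (the post's "The remote subnet" and peer IPs are replaced with documentation-range placeholders), and the expected selectors passed to `check_proposal` are assumptions standing in for the real crypto ACL.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the Cisco debug quoted in the post. The
# addresses are documentation/placeholder values, not the poster's real ones.
SAMPLE_DEBUG = """\
.Oct 19 16:03:59.924 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 203.0.113.10, remote= 198.51.100.20,
    local_proxy= 10.200.0.0/255.255.255.252/0/0 (type=4),
    remote_proxy= 192.168.9.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x22
"""

# Matches "<name>= addr/mask/proto/port (type=N)" as printed by the IOS debug.
PROXY_RE = re.compile(
    r"(local_proxy|remote_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s+\(type=(\d+)\)"
)

# RFC 1918 ranges; used to spot an untranslated LAN leaking into a proxy ID.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the network lies entirely inside one of the RFC 1918 blocks."""
    return any(net.subnet_of(r) for r in RFC1918)


def parse_proxy_ids(debug_text):
    """Extract the proxy IDs from one validate_proposal_request proposal.

    Returns a dict keyed by 'local_proxy' / 'remote_proxy' with the selector
    network (mask converted to prefix length), protocol and port.
    """
    found = {}
    for m in PROXY_RE.finditer(debug_text):
        name, addr, mask, proto, port, _sel_type = m.groups()
        found[name] = {
            "network": ip_network(f"{addr}/{mask}", strict=False),
            "protocol": int(proto),
            "port": int(port),
        }
    return found


def check_proposal(debug_text, expected_local, expected_remote):
    """Compare proposed proxy IDs with the selectors configured on the Cisco side.

    expected_local / expected_remote are assumed values for what the Cisco's
    crypto ACL names as its own side and the peer's side (strings such as
    "10.200.0.0/30"). Returns a list of mismatch descriptions; an empty list
    means the proposed selectors agree with the configured ones.
    """
    proposed = parse_proxy_ids(debug_text)
    wanted = {
        "local_proxy": ip_network(expected_local),
        "remote_proxy": ip_network(expected_remote),
    }
    problems = []
    for name, exp in wanted.items():
        got = proposed.get(name)
        if got is None:
            problems.append(f"{name}: not present in debug output")
            continue
        if got["network"] == exp:
            continue
        msg = f"{name}: peer proposed {got['network']}, expected {exp}"
        # The symptom from the post: a private LAN offered where the
        # NAT/BINAT-translated address should have been advertised.
        if is_rfc1918(got["network"]) and not is_rfc1918(exp):
            msg += "; untranslated RFC 1918 network offered where the translated address was expected"
        problems.append(msg)
    return problems


if __name__ == "__main__":
    # Assumed crypto ACL: Cisco side 10.200.0.0/30, peer expected as 203.0.113.45/32.
    for line in check_proposal(SAMPLE_DEBUG, "10.200.0.0/30", "203.0.113.45/32"):
        print(line)
```

Run it against the real `debug crypto ipsec` output and the selectors from the Cisco's crypto ACL; an empty result means the Phase 2 selectors match and the problem lies elsewhere, while the RFC 1918 hint points back at the pfSense Phase 2 local network not carrying the translated address.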
