IPSec with Public IPs - traffic routing out WAN instead of IPSec interface



  • All-

    So I have a client with an interesting issue.  They are using pfSense 2.0.1 to connect to a trading partner.  This partner requires the use of an IPSec encrypted tunnel using PUBLIC IP addresses.

    The protected networks happen to be the IP address of the WAN interface on our end and two addresses on their end (essentially a /31 network).

    We have the tunnel configured, and it shows as green in pfSense.  They report that the tunnel shows up on their end as well.

    The problem is that pings to either of the two IPs on their end are being routed out the WAN interface and not out the IPSec interface!  ???

    Is there any way to fix this?

    We had this exact configuration working with a Cisco ASA5510, but that box has been retired in favor of the pfSense virtual machine.

    HELP!!

    Thanks in advance,
    Rick


  • Rebel Alliance Developer Netgate

    You can't use NAT+IPsec to do that on 2.0.x.

    You need pfSense 2.1, and in the IPsec Phase 2, define the LAN network and in the NAT box underneath it, put in the public IP address to which the LAN traffic will NAT on the tunnel.



  • Is there a new How-To for IPSEC+NAT that shows what settings are required?  I'm trying to set this up now and having some problems.  Would be nice to at least know what settings need to be added in addition to the new NAT field in IPSEC config.  Also how to configure 1:1 and 1:many NAT to go through the tunnel, even a couple screen shots would be great to know how it's intended to be configured.

    Thanks,
    Steve


  • Rebel Alliance Developer Netgate

    Nothing needs to be added except the NAT field.

    If you use a local IP to remote IP, it does binat (1:1) and it also does that for subnet to subnet.

    If you do subnet to address it does nat/pat/overload/whatever you want to call it.

    No other NAT settings are needed.



  • @jimp:

    Nothing needs to be added except the NAT field.

    If you use a local IP to remote IP, it does binat (1:1) and it also does that for subnet to subnet.

    If you do subnet to address it does nat/pat/overload/whatever you want to call it.

    No other NAT settings are needed.

    Hey Jimp,
    Thanks for the prompt response!!!

    Your description didn't quite fit my situation since I'm doing a NAT to public IPs both 1:1 and overload and tunneling my public IPs across to the remote site.  I have green tunnel status now so I think that's solved the IPSEC+NAT problem at least.

    Just to help any others that might be trying the IPSEC+NAT with public IPs, here is how I configured mine using bogus IPs:

    1:1 NAT
    Local Network:
    Type: Address
    Address: 192.168.100.10
    NAT/BINAT
    Type: Address
    Address: 4.4.4.4

    Remote Network:
    Type: Address
    Address: 172.16.100.50

    1:Many, Overload, PAT
    Local Network:
    Type: network
    Address: 192.168.100.0/24
    NAT/BINAT
    Type: Address
    Address: 4.4.4.5

    Remote Network:
    Type: Address
    Address: 172.16.100.44

    Steve
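The following is an added example, not pfSense code and not posted by anyone in this thread. It models the rule jimp states above (address-to-address and network-to-network are BINAT, network-to-address is overload) against Steve's two Phase 2 entries, and adds the check a practitioner usually wants when a tunnel is green but traffic still leaves via the WAN: which source/destination pairs actually fall inside the translated selector, and what the partner's mirrored Phase 2 must look like. The host-offset mapping for BINAT, the requirement that a BINAT network and its translation network be the same size, and representing "Type: Address" as a /32 are assumptions of this model, not statements from the page.

```python
"""Model of the pfSense 2.1 Phase 2 NAT/BINAT behaviour described in the thread.

Added example, not pfSense's own code. Assumptions (not from the page):
  - "Type: Address" entries are represented as /32 networks.
  - BINAT of a network keeps the host bits and only swaps the network part.
  - BINAT of a network requires a translation network of the same size.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network   # Phase 2 "Local Network"
    nat: IPv4Network     # "NAT/BINAT translation" field
    remote: IPv4Network  # Phase 2 "Remote Network"


def phase2(local: str, nat: str, remote: str) -> Phase2:
    """Build a Phase 2 entry from CIDR strings (an address is given as a /32)."""
    return Phase2(ip_network(local), ip_network(nat), ip_network(remote))


def nat_mode(p2: Phase2) -> str:
    """Apply the rule from the thread: address->address and network->network
    are BINAT (1:1); network->address is overload (many:1, PAT)."""
    if p2.nat.prefixlen == 32:
        return "binat" if p2.local.prefixlen == 32 else "overload"
    if p2.local.prefixlen == p2.nat.prefixlen:
        return "binat"
    # Assumption: a BINAT translation network must be the same size as the local one.
    raise ValueError("BINAT requires local and NAT networks of the same size")


def translate_source(p2: Phase2, src: str) -> Optional[IPv4Address]:
    """Source address the partner sees, or None if src is outside Local Network
    (such traffic is not translated and never enters this tunnel)."""
    addr = ip_address(src)
    if addr not in p2.local:
        return None
    if nat_mode(p2) == "overload":
        return p2.nat.network_address
    # BINAT: host bits preserved, network bits swapped (assumed mapping).
    offset = int(addr) - int(p2.local.network_address)
    return IPv4Address(int(p2.nat.network_address) + offset)


def tunnel_selector(p2: Phase2) -> Tuple[IPv4Network, IPv4Network]:
    """Selector negotiated with the partner: translated source vs. remote network."""
    return (p2.nat, p2.remote)


def route_for(p2: Phase2, src: str, dst: str) -> str:
    """'ipsec' if the packet is translated and sent through the tunnel,
    'wan' if it falls outside the selector and leaves in the clear."""
    if ip_address(dst) not in p2.remote or translate_source(p2, src) is None:
        return "wan"
    return "ipsec"


def peer_matches(p2: Phase2, peer_local: str, peer_remote: str) -> bool:
    """Mirror check: the partner's Phase 2 must use our NAT network as its
    remote and our Remote Network as its local, or the SAs will not line up."""
    return ip_network(peer_local) == p2.remote and ip_network(peer_remote) == p2.nat


if __name__ == "__main__":
    # Constructed entries mirroring the two configurations posted above.
    one_to_one = phase2("192.168.100.10/32", "4.4.4.4/32", "172.16.100.50/32")
    overload = phase2("192.168.100.0/24", "4.4.4.5/32", "172.16.100.44/32")
    for p2 in (one_to_one, overload):
        print(nat_mode(p2), tunnel_selector(p2))
    for src, dst in [("192.168.100.10", "172.16.100.50"),
                     ("10.0.0.5", "172.16.100.50"),
                     ("192.168.100.10", "172.16.100.51")]:
        print(src, "->", dst, route_for(one_to_one, src, dst))
```

Running it shows the second and third packets above classified as "wan": a source outside Local Network, or a destination outside Remote Network, is simply not selected into the tunnel, which is the symptom Rick describes even when both ends report the tunnel as up.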



    This may be off base, but wouldn't this be transport mode and not tunnel?  Transport mode encrypts between public IPs, most commonly seen when a machine floats on the Internet without a firewall, but I would think it could also connect to the "public" IP(s) of a firewall to simply encrypt information originating from there?  The traffic would flow out of the WAN interface, but that's how it should be?


