IPSec site-to-site with NAT on pfSense 2.1

  • I need assistance in getting IPsec to work together with NAT.
    I have tunnels from 2 other pfSense firewalls to the same remote endpoint and they work fine; the only difference in setup is they don't use NAT for IPsec.
    In short, our local network 172.17.4.0/24 must be NATed behind a public IP because of an address conflict on the remote side with our private network.

    My office network:
    pfSense 2.1
    LAN - 192.168.120.0/24
    WAN - 8.2.3.4/24 GW 8.2.3.254
    IP Alias on WAN: 19.8.9.2 - 19.8.9.5/29
    19.8.9.3 - IPsec gateway
    19.8.9.4 - IPsec NAT

    Xen host 192.168.120.111
    Xen guests:
    network 172.17.4.0/24 (route to this network via 192.168.120.111 added in pfSense)
    gateway & DNS 192.168.120.1 (pfSense)

    No NAT on Xen host
    NAT on pfSense port 80 & 443 to 172.17.4.10 works fine.

    IPsec

    * Phase 1
    19.8.9.3 = local endpoint
    9.2.2.2 = remote endpoint
    Auth: PSK - Main mode - Identifier 19.8.9.3, Peer IP - AES256 - SHA1 - DH5 - 86400
    NAT Traversal: Force (I have tried all 3).

    * Phase 2
    Local Network 172.17.4.0/24
    NAT/BINAT address 19.8.9.4
    Remote Network Address 9.2.2.11
    ESP - AES256 - SHA1 - PFS off - 3600


    All settings specified by remote side, all carefully checked.

    The tunnel is started, yellow "x" on status page. No SAD but 2 SPD.
    If I understand correctly, this means Phase 1 is ok Phase 2 is not - right?
    I have not added any Port Forward or Outbound NAT rules, that shouldn't be needed?
    Or is it when using an IP Alias address, should I change so the tunnel connects to my WAN IP instead?

    Firewall rules added for port 500 & 4500 on WAN, IPsec All-to-All allowed.

    Logs: Starting IPsec / racoon

    ```
    racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
    racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
    racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
    racoon: DEBUG: call pfkey_send_register for AH
    racoon: DEBUG: call pfkey_send_register for ESP
    racoon: DEBUG: call pfkey_send_register for IPCOMP
    racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
    racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
    racoon: DEBUG: getsainfo params: loc='172.17.4.0/24' rmt='9.2.2.11' peer='NULL' client='NULL' id=1
    racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
    racoon: [Self]: INFO: 19.8.9.3[4500] used for NAT-T
    racoon: [Self]: INFO: 19.8.9.3[4500] used as isakmp port (fd=9)
    racoon: [Self]: INFO: 19.8.9.3[500] used for NAT-T
    racoon: [Self]: INFO: 19.8.9.3[500] used as isakmp port (fd=10)
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey X_SPDDUMP message
    racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey REGISTER message
    racoon: INFO: unsupported PF_KEY message REGISTER
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey X_SPDADD message
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey X_SPDADD message
    racoon: DEBUG: sub:0xbfbfe724: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
    racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey X_SPDADD message
    racoon: DEBUG: sub:0xbfbfe724: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
    racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe724: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
    racoon: DEBUG: db :0x285013c8: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
    racoon: DEBUG: pk_recv: retry[0] recv()
    racoon: DEBUG: got pfkey X_SPDADD message
    racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
    racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
    racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
    racoon: DEBUG: db :0x285013c8: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
    racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
    racoon: DEBUG: db :0x28501508: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
    ```

    Trying to connect from local subnet:

    ```
    racoon: [TNAME ]: INFO: initiate new phase 1 negotiation: 19.8.9.3[500]<=>9.2.2.2[500]
    racoon: INFO: begin Identity Protection mode.
    racoon: DEBUG: new cookie: d47ff5733dff2c7f
    racoon: DEBUG: add payload of len 56, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 16, next type 13
    racoon: DEBUG: add payload of len 20, next type 13
    racoon: DEBUG: add payload of len 16, next type 0
    racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
    racoon: DEBUG: sockname 19.8.9.3[500]
    racoon: DEBUG: send packet from 19.8.9.3[500]
    racoon: DEBUG: send packet to 9.2.2.2[500]
    racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
    racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
    racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
    racoon: DEBUG: sockname 19.8.9.3[500]
    racoon: DEBUG: send packet from 19.8.9.3[500]
    racoon: DEBUG: send packet to 9.2.2.2[500]
    racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
    racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
    racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
    racoon: DEBUG: sockname 19.8.9.3[500]
    racoon: DEBUG: send packet from 19.8.9.3[500]
    racoon: DEBUG: send packet to 9.2.2.2[500]
    racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
    racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
    racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
    racoon: DEBUG: sockname 19.8.9.3[500]
    racoon: DEBUG: send packet from 19.8.9.3[500]
    racoon: DEBUG: send packet to 9.2.2.2[500]
    racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
    racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
    racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
    racoon: [TNAME ]: [9.2.2.2] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.2.2.2[0]->19.8.9.3[0]
    racoon: INFO: delete phase 2 handler.
    ```

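As an added example (not part of the post and not pfSense or racoon code), a small Python check that reads the racoon lines quoted above, decodes the ISAKMP header of the dumped packet and classifies the outcome: the responder cookie never leaves zero and the resend counter climbs, so the failure is in Phase 1 (the peer never answered), not Phase 2. The log excerpt is constructed from the post; the "ISAKMP-SA established" string is assumed to be racoon's Phase 1 success line.

```python
import re

# Constructed excerpt of the racoon lines quoted in the post; hex dump cut to the 28-byte header.
RACOON_LOG = """\
racoon: [TNAME ]: INFO: initiate new phase 1 negotiation: 19.8.9.3[500]<=>9.2.2.2[500]
racoon: INFO: begin Identity Protection mode.
racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4
racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
racoon: [TNAME ]: [9.2.2.2] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.2.2.2[0]->19.8.9.3[0]
"""

# ISAKMP exchange types from RFC 2408 / RFC 2409
EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick mode"}
# A racoon packet dump is a run of 8-hex-digit words after "DEBUG: "
HEX_DUMP_RE = re.compile(r"DEBUG: ((?:[0-9a-f]{8} ?){7,})$")


def parse_isakmp_header(hexwords):
    """Decode the fixed 28-byte ISAKMP header at the start of a racoon hex dump."""
    raw = bytes.fromhex("".join(hexwords.split()))[:28]
    return {
        "initiator_cookie": raw[0:8].hex(),
        "responder_cookie": raw[8:16].hex(),   # stays all-zero until the peer answers
        "next_payload": raw[16],               # 1 = Security Association
        "version": f"{raw[17] >> 4}.{raw[17] & 0xF}",
        "exchange": EXCHANGE_TYPES.get(raw[18], f"unknown ({raw[18]})"),
        "length": int.from_bytes(raw[24:28], "big"),
    }


def diagnose(log):
    """Classify a racoon negotiation: did phase 1 finish, and did the peer ever reply?"""
    lines = log.splitlines()
    resends = sum("resend phase1 packet" in ln for ln in lines)
    # "ISAKMP-SA established" is racoon's phase 1 success line (assumed here, not in the post)
    established = any("ISAKMP-SA established" in ln for ln in lines)
    timed_out = any("time up waiting for phase1" in ln for ln in lines)
    header = None
    for ln in lines:
        m = HEX_DUMP_RE.search(ln)
        if m:
            header = parse_isakmp_header(m.group(1))
            break
    return {
        "phase1": "established" if established else ("timed out" if timed_out else "in progress"),
        "unanswered_resends": resends,
        "peer_replied": header is not None and header["responder_cookie"] != "00" * 8,
        "first_packet": header,
    }
```

Run `diagnose(RACOON_LOG)`; on the post's log it reports Phase 1 timed out after two unanswered resends of a 212-byte main mode message 1, which is the state the yellow "x" and the empty SAD reflect.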