Netgate Discussion Forum
    IPSec site-to-site with NAT on pfSense 2.1

      pingulino
      last edited by

      I need assistance in getting IPsec to work together with NAT.
      I have tunnels from 2 other pfSense firewalls to the same remote endpoint and they work fine; the only difference in setup is that they don't use NAT for IPsec.
      In short, our local network 172.17.4.0/24 must be NATed behind a public IP because of an address conflict on the remote side with our private network.

      My office network:
      pfSense 2.1
      LAN - 192.168.120.0/24
      WAN - 8.2.3.4/24 GW 8.2.3.254
      Ip Alias on WAN: 19.8.9.2 - 19.8.9.5/29
      19.8.9.3 - Ipsec gateway
      19.8.9.4 - Ipsec NAT

      Xen host 192.168.120.111
      Xen guests:
      network 172.17.4.0/24 (route to this network via 192.168.120.111 added in pfSense)
      gateway & DNS 192.168.120.1 (pfSense)

      No NAT on Xen host
      NAT on pfSense port 80 & 443 to 172.17.4.10 works fine.

      Ipsec

      * Phase 1
      19.8.9.3 = local endpoint
      9.2.2.2 = remote endpoint
      Auth: PSK - Main mode - Identifier 19.8.9.3, Peer IP - AES256 - SHA1 - DH5 - 86400
      NAT Traversal: Force (I have tried all 3).
      
      * Phase 2
      Local Network 172.17.4.0/24
      NAT/BINAT address 19.8.9.4
      Remote Network Address 9.2.2.11 
      ESP - AES256 - SHA1 - PFS off - 3600
      

      All settings specified by remote side, all carefully checked.

      The tunnel is started, yellow "x" on the status page. No SAD but 2 SPD.
      If I understand correctly, this means Phase 1 is OK and Phase 2 is not - right?
      I have not added any Port Forward or Outbound NAT rules; that shouldn't be needed?
      Or is it because I'm using an IP Alias address - should I change it so the tunnel connects to my WAN IP instead?

      Firewall rules added for ports 500 & 4500 on WAN, IPsec All-to-All allowed.

      Logs: Starting IPsec / racoon

      racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
      racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
      racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
      racoon: DEBUG: call pfkey_send_register for AH
      racoon: DEBUG: call pfkey_send_register for ESP
      racoon: DEBUG: call pfkey_send_register for IPCOMP
      racoon: DEBUG: reading config file /var/etc/ipsec/racoon.conf
      racoon: DEBUG: no check of compression algorithm; not supported in sadb message.
      racoon: DEBUG: getsainfo params: loc='172.17.4.0/24' rmt='9.2.2.11' peer='NULL' client='NULL' id=1
      racoon: DEBUG: open /var/db/racoon/racoon.sock as racoon management.
      racoon: [Self]: INFO: 19.8.9.3[4500] used for NAT-T
      racoon: [Self]: INFO: 19.8.9.3[4500] used as isakmp port (fd=9)
      racoon: [Self]: INFO: 19.8.9.3[500] used for NAT-T
      racoon: [Self]: INFO: 19.8.9.3[500] used as isakmp port (fd=10)
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey X_SPDDUMP message
      racoon: DEBUG: pfkey X_SPDDUMP failed: No such file or directory
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey REGISTER message
      racoon: INFO: unsupported PF_KEY message REGISTER
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey X_SPDADD message
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey X_SPDADD message
      racoon: DEBUG: sub:0xbfbfe724: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
      racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey X_SPDADD message
      racoon: DEBUG: sub:0xbfbfe724: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
      racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
      racoon: DEBUG: sub:0xbfbfe724: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
      racoon: DEBUG: db :0x285013c8: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
      racoon: DEBUG: pk_recv: retry[0] recv()
      racoon: DEBUG: got pfkey X_SPDADD message
      racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
      racoon: DEBUG: db :0x28501288: 192.168.120.201/32[0] 192.168.120.0/24[0] proto=any dir=out
      racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
      racoon: DEBUG: db :0x285013c8: 192.168.120.0/24[0] 192.168.120.201/32[0] proto=any dir=in
      racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
      racoon: DEBUG: db :0x28501508: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out

      Trying to connect from local subnet:

      racoon: [TNAME ]: INFO: initiate new phase 1 negotiation: 19.8.9.3[500]<=>9.2.2.2[500]
      racoon: INFO: begin Identity Protection mode.
      racoon: DEBUG: new cookie: d47ff5733dff2c7f
      racoon: DEBUG: add payload of len 56, next type 13
      racoon: DEBUG: add payload of len 16, next type 13
      racoon: DEBUG: add payload of len 16, next type 13
      racoon: DEBUG: add payload of len 16, next type 13
      racoon: DEBUG: add payload of len 16, next type 13
      racoon: DEBUG: add payload of len 20, next type 13
      racoon: DEBUG: add payload of len 16, next type 0
      racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
      racoon: DEBUG: sockname 19.8.9.3[500]
      racoon: DEBUG: send packet from 19.8.9.3[500]
      racoon: DEBUG: send packet to 9.2.2.2[500]
      racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
      racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
      racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
      racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
      racoon: DEBUG: sockname 19.8.9.3[500]
      racoon: DEBUG: send packet from 19.8.9.3[500]
      racoon: DEBUG: send packet to 9.2.2.2[500]
      racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
      racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
      racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
      racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
      racoon: DEBUG: sockname 19.8.9.3[500]
      racoon: DEBUG: send packet from 19.8.9.3[500]
      racoon: DEBUG: send packet to 9.2.2.2[500]
      racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
      racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
      racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
      racoon: DEBUG: 212 bytes from 19.8.9.3[500] to 9.2.2.2[500]
      racoon: DEBUG: sockname 19.8.9.3[500]
      racoon: DEBUG: send packet from 19.8.9.3[500]
      racoon: DEBUG: send packet to 9.2.2.2[500]
      racoon: DEBUG: 1 times of 212 bytes message will be sent to 9.2.2.2[500]
      racoon: DEBUG: d47ff573 3dff2c7f 00000000 00000000 01100200 00000000 000000d4 0d00003c 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004 00015180 80010007 800e0100 80030001 80020002 80040005 0d000014 4a131c81 07035845 5c5728f2 0e95452f 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 ec427b1f 0d000014 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
      racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
      racoon: [TNAME ]: [9.2.2.2] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 9.2.2.2[0]->19.8.9.3[0]
      racoon: INFO: delete phase 2 handler.
      
      
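As an added example (not part of pingulino's post, nor pfSense or racoon code), a small Python parser that classifies racoon log lines like those above: it records the kernel SPD entries racoon was told about, counts phase 1 retransmits per initiator cookie, and reports whether the negotiation stalled before phase 1 ever completed. The "ISAKMP-SA established" pattern is an assumed racoon success message that does not appear in the log above.

```python
import re

# Patterns modelled on the racoon log lines quoted in the post above. RE_P1_DONE is an
# assumption: racoon logs "ISAKMP-SA established" on phase 1 success (not in the post).
RE_P1_INIT = re.compile(r"initiate new phase 1 negotiation: (\S+)<=>(\S+)")
RE_RESEND = re.compile(r"resend phase1 packet ([0-9a-f]+):")
RE_P1_DONE = re.compile(r"ISAKMP-SA established")
RE_P1_TIMEOUT = re.compile(r"time up waiting for phase1")
RE_SPD_ENTRY = re.compile(r"sub:0x[0-9a-f]+: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")

def analyze_racoon_log(lines):
    """Summarise how far the IKE negotiation got, judging only from racoon's log."""
    s = {"peers": None, "resends": {}, "phase1_established": False,
         "phase1_timeout": False, "spd_entries": set()}
    for line in lines:
        if m := RE_P1_INIT.search(line):
            s["peers"] = (m.group(1), m.group(2))          # (local, remote)
        elif m := RE_RESEND.search(line):
            cookie = m.group(1)                             # initiator cookie
            s["resends"][cookie] = s["resends"].get(cookie, 0) + 1
        elif RE_P1_DONE.search(line):
            s["phase1_established"] = True
        elif RE_P1_TIMEOUT.search(line):
            s["phase1_timeout"] = True
        elif m := RE_SPD_ENTRY.search(line):
            s["spd_entries"].add((m.group(1), m.group(2), m.group(3)))  # kernel SPD
    return s

def verdict(s):
    """Name the stage at which the tunnel stalled."""
    if s["phase1_timeout"] and not s["phase1_established"]:
        total = sum(s["resends"].values())
        peer = s["peers"][1] if s["peers"] else "peer"
        return f"phase1_unanswered: {total} retransmits to {peer} drew no reply"
    if s["phase1_established"]:
        return "phase1_ok: check phase 2 (proposal, NAT/BINAT address) next"
    return "inconclusive"

# Constructed sample, trimmed from the post's log (SPD adds, then a silent peer).
SAMPLE_LOG = """\
racoon: DEBUG: sub:0xbfbfe724: 172.17.4.0/24[0] 9.2.2.11/32[0] proto=any dir=out
racoon: DEBUG: sub:0xbfbfe724: 9.2.2.11/32[0] 19.8.9.4/32[0] proto=any dir=in
racoon: [TNAME ]: INFO: initiate new phase 1 negotiation: 19.8.9.3[500]<=>9.2.2.2[500]
racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
racoon: DEBUG: resend phase1 packet d47ff5733dff2c7f:0000000000000000
racoon: [TNAME ]: [9.2.2.2] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding].
""".splitlines()
```

Run `verdict(analyze_racoon_log(SAMPLE_LOG))` against the sample, or feed it the full racoon log from the status page, to see whether the peer ever answered the first IKE message.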