IPSEC and NAT
-
Hello everyone,
Here is my problem. I need to create an IPsec VPN with an institution which must reach a machine in my DMZ (192.168.0.0/24). This institution, however, must reach the machine in the DMZ by pointing to a network chosen by them (10.210.xx/29). I therefore created an IPsec VPN with 10.210.xx as the local network and their network (10.50.xx/29) as the remote network. I then created a port forward on the IPsec interface for FTP connections directed to 10.210.xx, forwarding them to a machine in the 192.168.0.0/24 DMZ network. I then started the VPN, which is established correctly. I noticed, however, that in the pfSense routing table I cannot find a route for 10.50.xx/29. In addition, the institution cannot reach my FTP server in the DMZ. In your opinion, is this configuration manageable from pfSense (version 2.0.1)? Have you any idea what the problem could be? Thank you.
-
Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as the local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
Then add some firewall rules on the IPsec interface.
-
> Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as the local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
> Then add some firewall rules on the IPsec interface.

My local network must be the network chosen by the institution (10.210.xx/29); I have no choice, because they must reach the machine by pointing to the network set by them. If I configure 192.168.0.0/24 as the local network, the VPN does not work, because there is a mismatch between the networks configured in pfSense and the networks configured on the institution's router.
-
You won't see a route for IPsec.
How does the port forwarding rule look?
-
> You won't see a route for IPsec.
> How does the port forwarding rule look?

The port forwarding rule is:
If: IPsec
Proto: TCP
Src. addr: *
Src. ports: *
Dest. addr: 10.210.x.x/29
Dest. ports: 21
NAT IP: 192.168.0.x
NAT ports: 21
-
NAT before IPsec was implemented in 2.1: http://blog.pfsense.org/?p=712
As far as I know, it never worked before (I haven't tested on 2.1, but it's supposed to work)
-
Thank you, I'll do some testing with 2.1 and let you know.
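The two failure modes discussed in this thread (the phase 2 selector mismatch when 192.168.0.0/24 is used as the local network, and the port forward on the IPsec interface that lets the institution's SYN in but loses the reply) can be reasoned about with a small model of IPsec policy matching. The script below is an added illustration written for this page; it is not pfSense or racoon code, and all addresses (10.210.1.0/29, 10.50.1.0/29, 192.168.0.10, 10.210.1.2, 10.50.1.2) are constructed placeholders standing in for the redacted values in the thread. It models "NAT before IPsec" from the 2.1 blog post as a 1:1 translation applied before the outbound SPD lookup, which is an assumption about the mechanism, not a description of the implementation.

```python
"""Model of phase 2 selector matching with and without a 1:1 translation
applied before the IPsec policy (SPD) lookup. Added example, not pfSense code."""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed placeholders for the thread's redacted 10.210.xx/29, 10.50.xx/29
# and 192.168.0.x values; they are assumptions, not the poster's real addresses.
DMZ_NET = Net("192.168.0.0/24")       # real DMZ behind pfSense
PRESENTED_NET = Net("10.210.1.0/29")  # network the institution insists on seeing
REMOTE_NET = Net("10.50.1.0/29")      # institution's side of the tunnel
FTP_REAL = IPv4("192.168.0.10")       # FTP server's real DMZ address
FTP_PRESENTED = IPv4("10.210.1.2")    # address the institution connects to
CLIENT = IPv4("10.50.1.2")            # FTP client at the institution


@dataclass(frozen=True)
class Phase2:
    """Phase 2 traffic selectors as configured on one peer."""
    local: Net
    remote: Net


def selectors_mirror(ours: Phase2, theirs: Phase2) -> bool:
    """Phase 2 only negotiates when the peer's selectors are ours with local and
    remote swapped. Using 192.168.0.0/24 locally while the institution expects
    10.210.x.x/29 is exactly this mismatch."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def enters_tunnel(p2: Phase2, src: IPv4, dst: IPv4) -> bool:
    """Outbound SPD lookup: the SA protects a packet only if (src, dst) falls
    inside (local, remote)."""
    return src in p2.local and dst in p2.remote


def leaves_tunnel(p2: Phase2, src: IPv4, dst: IPv4) -> bool:
    """Inbound policy check after decryption: src in remote, dst in local."""
    return src in p2.remote and dst in p2.local


def translate(mapping: dict, addr: IPv4) -> IPv4:
    """1:1 (BINAT-style) translation in either direction; mapping is
    {real: presented}. Addresses not in the mapping pass through unchanged."""
    for real, presented in mapping.items():
        if addr == real:
            return presented
        if addr == presented:
            return real
    return addr


def ftp_session_works(translate_before_spd: bool) -> bool:
    """Simulate the institution's SYN to the DMZ FTP server and the SYN/ACK
    back. The inbound leg works either way; the reply is where a plain port
    forward on the IPsec interface breaks unless the reverse translation
    happens before the SPD lookup (the 2.1 'NAT before IPsec' behaviour,
    modelled here as an assumption)."""
    p2 = Phase2(local=PRESENTED_NET, remote=REMOTE_NET)
    mapping = {FTP_REAL: FTP_PRESENTED}

    # Inbound: encrypted packet for 10.210.1.2:21 decrypts, passes the inbound
    # policy, and the port forward rewrites the destination to the DMZ host.
    if not leaves_tunnel(p2, CLIENT, FTP_PRESENTED):
        return False
    if translate(mapping, FTP_PRESENTED) != FTP_REAL:
        return False

    # Reply: the DMZ host answers from its real address.
    reply_src = FTP_REAL
    if translate_before_spd:
        reply_src = translate(mapping, reply_src)  # 192.168.0.10 -> 10.210.1.2
    # Otherwise the SPD sees 192.168.0.10 -> 10.50.1.2, which is not covered by
    # 10.210.1.0/29 -> 10.50.1.0/29, so the reply never enters the tunnel and
    # the institution's FTP client hangs.
    return enters_tunnel(p2, reply_src, CLIENT)


def main():
    institution = Phase2(local=REMOTE_NET, remote=PRESENTED_NET)
    print("phase 2 with 192.168.0.0/24 local:",
          selectors_mirror(Phase2(DMZ_NET, REMOTE_NET), institution))
    print("phase 2 with 10.210.1.0/29 local: ",
          selectors_mirror(Phase2(PRESENTED_NET, REMOTE_NET), institution))
    print("FTP works, NAT after SPD lookup: ", ftp_session_works(False))
    print("FTP works, NAT before SPD lookup:", ftp_session_works(True))


if __name__ == "__main__":
    main()
```

Run it directly to see the four outcomes; the last two lines are the thread's situation on 2.0.1 (port forward on the IPsec interface, reply dropped) versus what a phase 2 NAT/BINAT translation in 2.1 is meant to provide.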