Netgate Discussion Forum
    Help with NAT+IPsec on 2.1

    IPsec
DesmoDax:

Hi all, I have a problem with NAT before IPsec, using 2.1.
I'm trying to NAT to a single address, but if I tcpdump on enc0 I see the packet coming from the un-NATted address. Maybe I have to define the NAT address in Virtual IPs, or there is something else that I forgot?

The tunnel comes UP correctly, but there is something in phase 2/NAT that doesn't work as expected.

I'll try to explain the scenario:
My pfSense box: 192.168.72.254 (CARP address)

192.168.72.x -> pfSense 2.1 with IPsec tunnel -> NAT to 192.168.201.209 -> sent through the tunnel -> reaches network 192.168.33.x

The remote endpoint only accepts packets from 192.168.201.209.

If I use tcpdump, I see that the address is not translated, like this:
--> 08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: IP 192.168.72.5 > 192.168.33.70: ICMP echo request, id 1874, seq 1, length 64

If I look at the NAT table I see the correct rule:
--> nat on enc0 inet from 192.168.72.0/24 to 192.168.33.0/24 -> 192.168.201.209

Last info... I'm using CARP on the LAN and WAN interfaces.

Any ideas?

DesmoDax:

-- UPDATE --

OK, the configuration is correct and it is now working correctly.

The only thing that is misleading is the tcpdump result. The remote endpoint sees the correct NATted IP, but tcpdump on enc0 shows the un-NATted IP.

dottorkame:

Hi, can you tell me what your configuration is?

I'm having some trouble.
I have an IPsec VPN working correctly; now I have to create two IPsec VPNs with outbound NAT, but it doesn't work. I'm going mad!

My configuration is:

pfSense 2.1 with a public IP on the WAN interface

LAN interface with 192.168.16.0/23, which I have to NAT to the 172.16.106.0/23 network

I've tried to put this network in the phase 2 configuration and in the outbound NAT rules, but I always get the same error in phase 2. Can you please help me?

dottorkame:

I also put 172.16.106.1 as an IP alias on the LAN's firewall IP.

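The two setups above (DesmoDax's hide-NAT of 192.168.72.0/24 to the single address 192.168.201.209, and dottorkame's 1:1 translation of 192.168.16.0/23 to 172.16.106.0/23) fail in the same way when the phase 2 selectors describe the un-translated network rather than the translated one. The following is an added example, not code from the thread or from pfSense: an offline checker that parses `nat on ...` lines in the one-line form quoted in the first post (the form `pfctl -sn` prints), computes the source address the remote peer should see, compares the translated addresses against the phase 2 local/remote networks, and pairs a tcpdump line captured on enc0 with the expected post-NAT source. Assumptions not stated on the page: a single-host translation target is treated as a hide-NAT (every matching source becomes that host), a target network with the same prefix length as the source network is treated as a 1:1 mapping that keeps the host offset, and any other pool shape is rejected rather than guessed. The second sample rule and its destination network 10.20.0.0/24 are constructed; the first rule and the capture line are the ones DesmoDax posted.

```python
"""Added example (not from the thread or pfSense): check pf NAT rules against
IPsec phase 2 selectors and interpret an enc0 tcpdump line.
Run it on any workstation with the pasted `pfctl -sn` and tcpdump output."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address

NAT_RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+) -> (?P<tr>\S+)\s*$"
)
# tcpdump on enc0 prints "IP <src> > <dst>:" after the SPI field.
CAPTURE_RE = re.compile(r"\bIP (?P<src>[\d.]+) > (?P<dst>[\d.]+):")


@dataclass(frozen=True)
class NatRule:
    iface: str
    src: IPv4Net         # 'from' selector
    dst: IPv4Net         # 'to' selector
    translated: IPv4Net  # '->' target: a /32 host or a network


def _net(text: str) -> IPv4Net:
    # strict=False keeps host bits, so "192.168.201.209" becomes a /32.
    return ipaddress.ip_network(text, strict=False)


def parse_nat_rules(pfctl_output: str) -> List[NatRule]:
    """Parse every 'nat on ...' line of `pfctl -sn` output; other lines are ignored."""
    rules = []
    for line in pfctl_output.splitlines():
        m = NAT_RULE_RE.match(line.strip())
        if m:
            rules.append(NatRule(m["iface"], _net(m["src"]), _net(m["dst"]), _net(m["tr"])))
    return rules


def translate_source(rules: List[NatRule], src: str, dst: str,
                     iface: str = "enc0") -> Optional[IPv4Addr]:
    """Source address the peer should see for src->dst leaving `iface`, or None
    if no rule matches. pf applies the first matching NAT rule, so stop at it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.iface != iface or s not in r.src or d not in r.dst:
            continue
        if r.translated.num_addresses == 1:            # hide-NAT to one address (assumption)
            return r.translated.network_address
        if r.translated.prefixlen == r.src.prefixlen:  # 1:1 mapping keeping host offset (assumption)
            return r.translated.network_address + (int(s) - int(r.src.network_address))
        raise ValueError(f"translation pool {r.translated} not modelled here")
    return None


def check_phase2(rule: NatRule, p2_local: str, p2_remote: str) -> List[str]:
    """Mismatches between a NAT rule and the phase 2 selectors: the local network
    must cover the *translated* sources, the remote network the 'to' selector."""
    local, remote = _net(p2_local), _net(p2_remote)
    problems = []
    if not rule.translated.subnet_of(local):
        problems.append(f"phase 2 local {local} does not cover translated source {rule.translated}")
    if not rule.dst.subnet_of(remote):
        problems.append(f"phase 2 remote {remote} does not cover NAT 'to' selector {rule.dst}")
    if rule.src != rule.translated and rule.src.subnet_of(local):
        problems.append(f"phase 2 local {local} is the un-translated network {rule.src}; use {rule.translated}")
    return problems


def explain_capture(rules: List[NatRule], tcpdump_line: str) -> dict:
    """Pair what tcpdump printed on enc0 with what the rule says the peer sees.
    The thread reports the enc0 capture shows the pre-translation source."""
    m = CAPTURE_RE.search(tcpdump_line)
    if not m:
        raise ValueError("not an enc0 IP line")
    expected = translate_source(rules, m["src"], m["dst"])
    return {
        "captured_src": m["src"],
        "captured_dst": m["dst"],
        "expected_src_at_peer": str(expected) if expected is not None else None,
        "translated": expected is not None and str(expected) != m["src"],
    }


# Constructed samples: first rule and capture line are from the thread,
# the second rule and 10.20.0.0/24 are invented for the 1:1 case.
SAMPLE_PFCTL = """\
nat on enc0 inet from 192.168.72.0/24 to 192.168.33.0/24 -> 192.168.201.209
nat on enc0 inet from 192.168.16.0/23 to 10.20.0.0/24 -> 172.16.106.0/23
"""
SAMPLE_CAPTURE = ("08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: "
                  "IP 192.168.72.5 > 192.168.33.70: ICMP echo request, id 1874, seq 1, length 64")

if __name__ == "__main__":
    rules = parse_nat_rules(SAMPLE_PFCTL)
    print(explain_capture(rules, SAMPLE_CAPTURE))
    print(check_phase2(rules[0], "192.168.201.209/32", "192.168.33.0/24"))  # no problems
    print(check_phase2(rules[1], "192.168.16.0/23", "10.20.0.0/24"))        # un-translated local network
```

For dottorkame's case the checker flags a phase 2 local network of 192.168.16.0/23 (the un-translated LAN) and accepts 172.16.106.0/23; for DesmoDax's case it shows that the enc0 capture line and the address the peer will see differ, which is the situation the update post describes.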
jleandro:

dottorkame,

I did the same, without success...

Unfortunately I need to solve my problem (for a while) with a Linux box doing NAT before the pfSense LAN interface.
So, I'll try a new installation of pfSense in a new test environment.

And (everybody) sorry for posting the same subject in another post; only after reading more carefully did I see that the problem is common to many others.

Thanks

jleandro.
----------

DesmoDax:

Hi all, my environment is a little different. In my configuration I NAT to a single address. It is a "one-way" configuration.

I never tested the configuration with BINAT (NAT of an entire network).

I confirm that it works fine with NAT to a single address and a Fortinet gateway on the other side.
I add that it works fine with two phase 2 entries with different source networks. This is needed to also grant access to OpenVPN roaming users.

I can help you a little more if you send the real configuration and the log with racoon in debug mode.

Bye

DavideDB
