Help with NAT+IPsec on 2.1

DesmoDax · Oct 29, 2013, 7:55 AM

Hi all, I have a problem with NAT before IpSec… using 2.1.
I'm trying to NAT to a single address, but if i tcpdump on enc0 I see the packet coming from not-natted address. Maybe I have to define the NAT address in Virtual IPs or something else that i forgot?

The tunnel goes UP correctly but there is something in phase2/nat that doesnt work like expected.

I try to explain scenario:
My pfSense box: 192.168.72.254 (CARP ADDRESS)

192.168.72.x -> pfSense2.1-with-tunnel-ipsec -> nat to 192.168.201.209 -> send throught tunnel -> reach network 192.168.33.x

The remote endpoint only accept packets from 192.168.201.209

If I use tcpdump, i see that address is not translated like this:
--> 08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: IP 192.168.72.5 > 192.168.33.70: ICMP echo request, id 1874, seq 1, length 64

If I look on nat table I see the correct rule:
--> nat on enc0 inet from 192.168.72.0/24 to 192.168.33.0/24 -> 192.168.201.209

Last info... I'm using CARP in LAN and in WAN interfaces

Any ideas?

DesmoDax · Oct 30, 2013, 8:52 PM

–UPDATE--

Ok, the configuration is correct and now is working correctly.

The only thing that's is fuorviating is the tcpdump result. The remote endpoint see the correct natted ip, but tcpdump on enc0 shows the not-natted ip.

dottorkame · Nov 7, 2013, 3:38 PM

Hi, can you say me how it's your configuration?

I'm having some troubles.
I have a IPsec VPN working correctly, now i've to create two IPsec VPN with outbound NAT, but it doesn't work. I'm going mad!

My configuration is:

Pfsense 2.1 with public IP on WAN interface

LAN interface with 192.168.16.0/23 that I've to nat with 172.16.106.0/23 network

I've tryed to put this network in the phase 2 configuration and in the outbound NAT rules, but I alway get the same error in phase2 Can you please help me?

dottorkame · Nov 7, 2013, 3:40 PM

I also put 172.16.106.1 as the IP alias on the LAN's firewall IP

jleandro · Nov 8, 2013, 12:47 AM

dottorkame

I did the same, without success…

Unfortunately I need to solve my problem (for while) with a linux box making a NAT before the pfSense LAN interface.
So, I'll try a new installation of pfSense, in a new test enviroment.

and (everybody) sorry for posting the same subject in another post, only after read more carefully i saw the problem is common to many others.

tks

DesmoDax · Nov 21, 2013, 9:49 AM

Hi all, my enviroment is a little different. In my conf I nat to a single address. Is a "one-way" configuration.

I never tested the configuration with the bi-nat. (nat of entire network)

I confirm that works fine, with nat on single addres, and a fortinet gateway on the other side.
I add that works fine with 2 phase2, with different source networks. This is needed to grant access also from openvpn roaming users.

Can I help you little more if you send the real configuration and the log with racoon in debug mode.

Bye

DavideDB