Netgate Discussion Forum

Help with NAT+IPsec on 2.1

Category: IPsec
6 Posts 3 Posters 1.9k Views
  • D
    DesmoDax
    last edited by Oct 29, 2013, 7:55 AM

    Hi all, I have a problem with NAT before IPsec… using 2.1.
    I'm trying to NAT to a single address, but if I tcpdump on enc0 I see the packet coming from the non-NATted address. Maybe I have to define the NAT address in Virtual IPs, or something else that I forgot?

    The tunnel comes UP correctly, but there is something in phase 2/NAT that doesn't work as expected.

    Let me try to explain the scenario:
    My pfSense box: 192.168.72.254 (CARP address)

    192.168.72.x -> pfSense 2.1 with IPsec tunnel -> NAT to 192.168.201.209 -> send through tunnel -> reach network 192.168.33.x

    The remote endpoint only accepts packets from 192.168.201.209.

    If I use tcpdump, I see that the address is not translated:
    --> 08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: IP 192.168.72.5 > 192.168.33.70: ICMP echo request, id 1874, seq 1, length 64

    If I look at the NAT table I see the correct rule:
    --> nat on enc0 inet from 192.168.72.0/24 to 192.168.33.0/24 -> 192.168.201.209

    Last info... I'm using CARP on the LAN and WAN interfaces.

    Any ideas?

    • D
      DesmoDax
      last edited by Oct 30, 2013, 8:52 PM

      --UPDATE--

      Ok, the configuration is correct and now it is working correctly.

      The only thing that is misleading is the tcpdump result. The remote endpoint sees the correct NATted IP, but tcpdump on enc0 shows the non-NATted IP.

      • D
        dottorkame
        last edited by Nov 7, 2013, 3:38 PM

        Hi, can you tell me what your configuration is?

        I'm having some troubles.
        I have an IPsec VPN working correctly; now I have to create two IPsec VPNs with outbound NAT, but it doesn't work. I'm going mad!

        My configuration is:

        pfSense 2.1 with a public IP on the WAN interface

        LAN interface with 192.168.16.0/23 that I have to NAT to the 172.16.106.0/23 network

        I've tried to put this network in the phase 2 configuration and in the outbound NAT rules, but I always get the same error in phase 2. Can you please help me?

        • D
          dottorkame
          last edited by Nov 7, 2013, 3:40 PM

          I also put 172.16.106.1 as an IP alias on the LAN firewall IP.

          • J
            jleandro
            last edited by Nov 8, 2013, 12:47 AM

            dottorkame

            I did the same, without success…

            Unfortunately I need to solve my problem (for a while) with a Linux box doing the NAT before the pfSense LAN interface.
            So, I'll try a new installation of pfSense, in a new test environment.

            And (everybody) sorry for posting the same subject in another post; only after reading more carefully did I see the problem is common to many others.

            Thanks

            jleandro.
            ----------

            • D
              DesmoDax
              last edited by Nov 21, 2013, 9:49 AM

              Hi all, my environment is a little different. In my conf I NAT to a single address. It is a "one-way" configuration.

              I never tested the configuration with the BINAT (NAT of the entire network).

              I confirm that it works fine, with NAT to a single address, and a Fortinet gateway on the other side.
              I add that it works fine with 2 phase 2s, with different source networks. This is needed to grant access also to OpenVPN roaming users.

              I can help you a little more if you send the real configuration and the log with racoon in debug mode.

              Bye

              DavideDB

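The thread covers two NAT-before-IPsec shapes: DesmoDax's single-address translation (the `nat on enc0 ... -> 192.168.201.209` rule quoted above, with a remote that only accepts that one source) and dottorkame's request to map a whole /23 onto another /23. The example below is added here and is not code from the thread or from pfSense; it parses a pf `nat` rule and a tcpdump line in the formats quoted above, applies the rule the way pf would (single target address, or 1:1 host-offset mapping when the target is a network, which is this example's reading of dottorkame's case), and then checks whether the translated source falls inside what the remote endpoint accepts. The destination network in the constructed /23 rule and the "remote accepts" networks are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input, in the formats quoted in the thread.
# Line 1 is the pf rule DesmoDax posted; line 2 is an assumed rule for
# dottorkame's /23 -> /23 case (the 192.168.33.0/24 destination is made up).
RULE_SINGLE = "nat on enc0 inet from 192.168.72.0/24 to 192.168.33.0/24 -> 192.168.201.209"
RULE_NETWORK = "nat on enc0 inet from 192.168.16.0/23 to 192.168.33.0/24 -> 172.16.106.0/23"
# tcpdump on enc0 as DesmoDax captured it: source is still the pre-NAT address.
TCPDUMP_LINE = ("08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: "
                "IP 192.168.72.5 > 192.168.33.70: ICMP echo request, id 1874, seq 1, length 64")


@dataclass(frozen=True)
class NatRule:
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: ipaddress.IPv4Network  # /32 = single address; wider = 1:1 network mapping


RULE_RE = re.compile(r"nat on (\S+) inet from (\S+) to (\S+) -> (\S+)$")
TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")


def parse_nat_rule(line):
    """Parse a 'nat on <if> inet from <net> to <net> -> <addr|net>' rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pf nat rule: {line!r}")
    iface, src, dst, target = m.groups()
    net = lambda s: ipaddress.ip_network(s, strict=False)
    return NatRule(iface, net(src), net(dst), net(target))


def parse_tcpdump(line):
    """Return (src, dst) from a tcpdump 'IP a > b:' line (ports, if any, dropped)."""
    m = TCPDUMP_RE.search(line)
    if not m:
        raise ValueError(f"no IP header in tcpdump line: {line!r}")
    return m.group(1), m.group(2)


def translate(rule, src_ip, dst_ip):
    """Apply the rule to one packet; return the source address that leaves the box."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in rule.src or dst not in rule.dst:
        return str(src)  # rule does not match: packet leaves untranslated
    if rule.target.num_addresses == 1:
        return str(rule.target.network_address)  # everything hides behind one address
    # 1:1 network mapping: keep the host's offset inside the source network.
    offset = int(src) - int(rule.src.network_address)
    if offset >= rule.target.num_addresses:
        raise ValueError("source network is larger than the target network")
    return str(ipaddress.ip_address(int(rule.target.network_address) + offset))


def check_tunnel_packet(tcpdump_line, rule_line, remote_accepts):
    """Compare what tcpdump on enc0 shows with what the remote will see and
    whether that translated source is inside the remote's accepted range."""
    rule = parse_nat_rule(rule_line)
    captured_src, dst = parse_tcpdump(tcpdump_line)
    translated = translate(rule, captured_src, dst)
    accepted = ipaddress.ip_address(translated) in ipaddress.ip_network(remote_accepts, strict=False)
    return {"captured_src": captured_src, "translated_src": translated, "accepted": accepted}


if __name__ == "__main__":
    # DesmoDax's case: enc0 shows 192.168.72.5, the remote sees 192.168.201.209.
    print(check_tunnel_packet(TCPDUMP_LINE, RULE_SINGLE, "192.168.201.209/32"))
    # dottorkame's case: host 192.168.17.5 maps to 172.16.107.5 (same offset).
    print(translate(parse_nat_rule(RULE_NETWORK), "192.168.17.5", "192.168.33.70"))
```

The useful check is the last field: if `accepted` is false for a packet that matches the phase 2 selector, the remote will drop it even though the tunnel is up, which is exactly the symptom both posters described. The tcpdump line is parsed only to show the pre-NAT source the thread observed on enc0; the translated address is what the rule produces, not what that capture shows.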
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.