IPsec with NAT not routing?



  • Hi,
    I'm having problems getting IPSec and NAT working.

    1. I'm able to set up the IPSec configuration properly, and it is activated and working (green status arrow and no errors in log)
      (I'm not using NAT/BINAT in Phase 2 setup since the VPN should only be used for accessing hosts on the other side, but not affect my outgoing internet traffic)

    2. My client asks me to NAT on my side to 10.148.20.96/27, so I've set up Manual Outbound NAT under "Firewall: NAT: Outbound"
      WAN    192.168.2.0/24  *  10.0.0.0/8  500  10.148.20.96/27  *  YES
      WAN    192.168.2.0/24  *  10.0.0.0/8  *    10.148.20.96/27  *  NO

    3. I've also created a Rule on the IPsec interface:
      IPv4 *  *  *  *  *  *  none

    4. Now, when I ping some host on the other side from a host on my LAN, I use tcpdump on my pfsense fw to check:
      tcpdump -i em0 -n '( esp or host 10.132.7.90 )'

    All I see are the NATed outbound packets, but I see no ESP packets, or replies:
    13:13:12.150962 IP 10.148.20.97 > 10.132.7.90: ICMP echo request, id 9233, seq 1064, length 40
    13:13:28.967099 IP 10.148.20.97 > 10.132.7.90: ICMP echo request, id 9233, seq 1065, length 40
    13:13:33.783531 IP 10.148.20.97 > 10.132.7.90: ICMP echo request, id 9233, seq 1066, length 40

    5. To me this indicates that pfSense is not routing the NATed traffic over IPSec, but instead sends the packets out on the WAN "as is".

    What is wrong with my setup?
    All other posts say NOT to create any static routes etc.

    Thanks in advance for any help!!!
    Dan


  • Rebel Alliance Developer Netgate

    NAT and IPsec can't work together in that way.

    To do NAT and IPsec you must be on pfSense 2.1. There, in the Phase 2 settings, just under your local network options you have a choice for the IP/subnet to use for NAT in IPsec.



  • Ok, thanks for the hint!
    Will give that a try (I'm on 2.1), but have a follow-up question:

    This would be the setup then for Phase 2:
      Local Network  LAN subnet (192.168.2.0)
      Nat/Binat 10.148.20.96/27 (the

    But I read in some other post it's important they have equal netmask.
    So do I have to set local network to, e.g. 192.168.2.128/27 ?

    Also, do I need to keep the rule under IPsec to allow all?

    Regards,
    Dan


  • Rebel Alliance Developer Netgate

    Subnet should be the same size, or the NAT bit can be a single IP address if you only need to reach them and not the other way around.

    Firewall rules would only affect inbound traffic, same NAT handling there as on WAN rules – destination IPs are after NAT, so your private IPs would be used in the destination.



  • Ok, so I tried that (both single IP and subnet /27) but to no avail. There's an error reported during phase 2: "ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks]"

    Current phase2 setup:
      Local network: 10.148.20.96 / 27
      Nat/Binat: Host 192.168.3.128  (or Network 192.168.3.128 / 27, error is the same)
      Remote network: 10.0.0.0 / 8

    Here's the log:
    Nov 27 11:59:52 racoon: DEBUG: succeed.
    Nov 27 11:59:52 racoon: DEBUG: received IDci2:
    Nov 27 11:59:52 racoon: DEBUG: 04000000 0a000000 ff000000
    Nov 27 11:59:52 racoon: DEBUG: received IDcr2:
    Nov 27 11:59:52 racoon: DEBUG: 04000000 0a941460 ffffffe0
    Nov 27 11:59:52 racoon: DEBUG: HASH(1) validate:
    Nov 27 11:59:52 racoon: DEBUG: 04ae8321 e20f4283 5d8b264c 7107a79d 06e9e914
    Nov 27 11:59:52 racoon: DEBUG: HASH with:
    Nov 27 11:59:52 racoon: DEBUG: 7bf5558f 0a00003c 00000001 00000001 00000030 01030401 e63475ab 00000024 010c0000 80010001 00020004 00007080 80040001 80050002 80030002 80060100 04000024 11ba596c 835afbbd c07c6e1f bb2ecf6c 5ea2d887 381b315b 386e6c4e ac08d3ba 05000084 c604bf15 9b3f8a1e 4037a9b9 973f7d8d c6aaa292 c75af894 ff8b280c 994f7401 72efe5eb b4219d7c 7a108809 2dc4712d a0078909 68e2aafd b2447846 21267142 61583393 724dcdcf c9041242 24dc64e1 1d6ccc2e 12ed7926 c8c90ff7 23a29db3 5bbf4cc2 25425559 f3a0484c 238459e1 233dbaf6 3a1ef20e 545489fb 290bd509 05000010 04000000 0a000000 ff000000 00000010 04000000 0a941460 ffffffe0
    Nov 27 11:59:52 racoon: DEBUG: hmac(hmac_sha1)
    Nov 27 11:59:52 racoon: DEBUG: HASH computed:
    Nov 27 11:59:52 racoon: DEBUG: 04ae8321 e20f4283 5d8b264c 7107a79d 06e9e914
    Nov 27 11:59:52 racoon: DEBUG: getsainfo params: loc='10.148.20.96/27' rmt='10.0.0.0/8' peer='A.B.C.D' client='A.B.C.D' id=1
    Nov 27 11:59:52 racoon: DEBUG: evaluating sainfo: loc='10.148.20.96/27'(nat='192.168.3.128/27'), rmt='10.0.0.0/8', peer='ANY', id=1
    Nov 27 11:59:52 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Nov 27 11:59:52 racoon: DEBUG: cmpid target: '10.148.20.96/27'
    Nov 27 11:59:52 racoon: DEBUG: cmpid source: '10.148.20.96/27'
    Nov 27 11:59:52 racoon: DEBUG: check and compare ids : values matched (IPv4_subnet)
    Nov 27 11:59:52 racoon: DEBUG: cmpid target: '10.0.0.0/8'
    Nov 27 11:59:52 racoon: DEBUG: cmpid source: '10.0.0.0/8'
    Nov 27 11:59:52 racoon: DEBUG: selected sainfo: loc='10.148.20.96/27'(nat='192.168.3.128/27'), rmt='10.0.0.0/8', peer='ANY', id=1
    Nov 27 11:59:52 racoon: DEBUG: Either family (2 - 2), types (4 - 0) of ID from initiator differ or matching sainfo has no id_i defined for the peer. Not filling iph2->sa_src and iph2->sa_dst.
    Nov 27 11:59:52 racoon: DEBUG: get src address from ID payload 10.0.0.0[0] prefixlen=8 ul_proto=255
    Nov 27 11:59:52 racoon: DEBUG: get dst address from ID payload 10.148.20.96[0] prefixlen=27 ul_proto=255
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501648: 192.168.2.1/32[0] 192.168.2.0/24[0] proto=any dir=out
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28501648: 192.168.2.1/32[0] 192.168.2.0/24[0] proto=any dir=out
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501288: 192.168.2.0/24[0] 192.168.2.1/32[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28501288: 192.168.2.0/24[0] 192.168.2.1/32[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: 0xbfbfe4f0 masked with /24: 10.0.0.0[0]
    Nov 27 11:59:52 racoon: DEBUG: 0x28501288 masked with /24: 192.168.2.0[0]
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x28501788: 10.148.20.96/27[0] 10.0.0.0/8[0] proto=any dir=out
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: [Unknown Gateway/Dynamic]: DEBUG: db: 0x28501788: 10.148.20.96/27[0] 10.0.0.0/8[0] proto=any dir=out
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: db :0x285013c8: 10.0.0.0/8[0] 192.168.3.128/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: sub:0xbfbfe4f0: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: db: 0x285013c8: 10.0.0.0/8[0] 192.168.3.128/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: DEBUG: 0xbfbfe4f0 masked with /8: 10.0.0.0[0]
    Nov 27 11:59:52 racoon: DEBUG: 0x285013c8 masked with /8: 10.0.0.0[0]
    Nov 27 11:59:52 racoon: DEBUG: 0xbfbfe4f0 masked with /27: 10.148.20.96[0]
    Nov 27 11:59:52 racoon: DEBUG: 0x285013c8 masked with /27: 192.168.3.128[0]
    Nov 27 11:59:52 racoon: ERROR: no policy found: 10.0.0.0/8[0] 10.148.20.96/27[0] proto=any dir=in
    Nov 27 11:59:52 racoon: ERROR: failed to get proposal for responder.
    Nov 27 11:59:52 racoon: [Client External Address]: [A.B.C.D] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Nov 27 11:59:52 racoon: DEBUG: IV freed

    Any ideas?

    Cheers,
    /Dan
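As an added illustration (not part of the thread), the following Python reproduces the selector lookup the racoon debug log above records: it decodes the two Phase 2 ID payload bodies (IDci2/IDcr2) into networks and checks them against the policy entries dumped in the "db:" lines. The matching rule (mask both sides with the policy's prefix length, selector no wider than the policy) is inferred from the "masked with /N" lines, not taken from racoon's source.

```python
import ipaddress

# Constructed from the racoon DEBUG lines quoted above (IDci2 / IDcr2 payload bodies).
IDCI2 = "04000000 0a000000 ff000000"   # initiator's client ID
IDCR2 = "04000000 0a941460 ffffffe0"   # responder's client ID
ID_IPV4_ADDR, ID_IPV4_SUBNET = 1, 4     # ISAKMP identification types

SPD = [  # security-policy entries from the log's "db:" lines: (src, dst, direction)
    ("192.168.2.1/32", "192.168.2.0/24", "out"),
    ("192.168.2.0/24", "192.168.2.1/32", "in"),
    ("10.148.20.96/27", "10.0.0.0/8", "out"),
    ("10.0.0.0/8", "192.168.3.128/27", "in"),
]

def decode_id_payload(hexwords):
    """Decode an IKEv1 ID payload body (type, protocol, port, address[, mask])
    into ("a.b.c.d/n", proto, port); proto/port 0 mean "any"."""
    data = bytes.fromhex(hexwords.replace(" ", ""))
    id_type, proto = data[0], data[1]
    port = int.from_bytes(data[2:4], "big")
    addr = int.from_bytes(data[4:8], "big")
    if id_type == ID_IPV4_SUBNET:
        prefix = bin(int.from_bytes(data[8:12], "big")).count("1")
    elif id_type == ID_IPV4_ADDR:
        prefix = 32
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return str(ipaddress.IPv4Network((addr, prefix), strict=False)), proto, port

def covers(policy, selector):
    """Inferred rule: mask both with the policy prefix (the log's 'masked with /N'
    lines) and require equality; the selector may not be wider than the policy."""
    pol, sel = ipaddress.IPv4Network(policy), ipaddress.IPv4Network(selector)
    masked = ipaddress.IPv4Network((int(sel.network_address), pol.prefixlen), strict=False)
    return sel.prefixlen >= pol.prefixlen and masked.network_address == pol.network_address

def find_policy(src, dst, direction, spd=SPD):
    """Return the first SPD entry covering (src, dst, direction), else None."""
    for p_src, p_dst, p_dir in spd:
        if p_dir == direction and covers(p_src, src) and covers(p_dst, dst):
            return (p_src, p_dst, p_dir)
    return None

def lookup_from_log():
    """Responder side: the inbound selector is initiator ID -> responder ID."""
    src, _, _ = decode_id_payload(IDCI2)
    dst, _, _ = decode_id_payload(IDCR2)
    return find_policy(src, dst, "in")   # None, matching "no policy found" in the log
```

Only the inbound entry 10.0.0.0/8 -> 192.168.3.128/27 shares a direction and source with the peer's proposal, and its destination differs from the 10.148.20.96/27 the peer sent, which is the mismatch the ERROR lines report.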



  • Just an update:

    I managed to get the Phase2 settings correct, (tunnel is up and happy) but the NAT/BINAT doesn't seem to work.

    I wanted my internal subnet 192.168.2.x NAT to 10.148.20.96 / 27 and use the IPSec tunnel for accessing 10.x.x.x on the client's side. No NAT is taking place, and packets go out on the WAN instead of being NATed and sent through the IPSec tunnel :( So either I'm doing something wrong (most probably) or pfSense is not doing the NAT properly.

    So, in the end I had to revert to setting up the (so far) unused opt2 network using the subnet required by my client, configure DHCP to only give out addresses in this subnet range, connect a WiFi Access Point, connect the computers which need access to the VPN to this WiFi AP (while still using cable for normal LAN+Internet), and finally set up static routes on the computers for accessing the 10.x.x.x VPN over the Opt2 interface.

    Really a shame having to complicate things like this, when it would have been so much more convenient using the NAT capabilities of pfSense. If anybody has any idea of what I did wrong, you're welcome to share  ;)

    Cheers,
    Dan