NAT before IPSec

vononka

hello everybody,

I'm new to the forum and also new to pfSense.
I have 3 different network I notes Site A, Site B and Site C which is 2 Site A and B are under my responsibilities are connected using IPSec in pfSense (A (192.168.1.0/24 and B 192.168 .10.0/24.) Then I was given a configuration to communicate with Site C whose range is 192.168.1.0/24.
In short:

(192.168.1.0/24) Site <======pfSense ======> Site B (192.168.10.0/24) and site B <=== SSL VPN =====> Site C (192.168.1.0/24).

My question is if it is possible to establish a NAT before IPSec for communication from Site B to Site A since I have no hands on the firewall of the Site C.
It is noted that the Site A and C have the same address range (192.168.1.0/24) and are unable to change.
Do you have any documents or ideas?

vononka

timthetortoise

There's plenty of stuff to read if you Google the scenario. However, your best bet would be to change the range of the network you do have access to. You're going to run in to a whole lot of problems otherwise (for example, are you trying to talk to 192.168.1.5 on your local network or the remote site?).

MikeX

The easiest way to do this would be having Site C's admin NAT hit network through the SSL tunnel. That way both of your sites can point to the arbitrary address space you decide on.

The best way is to redesign your network, and get off of the 192.168.0.0 space all together, especially 192.168.1.0/24…. Everyone and their mother uses that /24 network.

Try to move to something in the 10.0.0.0/8 space... Lots of room there.

vononka

I'm googling a have to try a many many tutorial.So, have you a documentation to config how to NAT entire subnet and how to nat before IPSec in pfSense?

Thanks

dotdash

In 2.1, It's just a field in the phase2. You should be able to nat the connection from B to A easily.
eg-
site C phase2
local net 192.168.1.0/24
nat net 10.10.10.0/24
remote net 192.168.10.0/24

site B phase2
local net 192.168.10.0/24
remote net 10.10.10.0/24

vononka

Happy new years.

Thanks for your reply.

Site C is not a pfSense box and I've not access to this.
So, how can I configure the site A (pfSense v.2.1) and B (pfSense v 2.1) phase 2 in the IPSec configuration and how to nat the subnet 192.168.1.0/24 to 10.10.1.0/24 for example?

Please, help me.

Thanks a lot

vononka

Hello,

I just succeed configuring NAT before IPSec.
I can send you my setup if you want.
;)

Vononka

dotdash

I mislabeled site A as C in that explanation. Sorry. I guess you figured it out anyway.

tleiras

HiVononka,

I have the same problem im my office. Site A and site B have the same network address. Could you help me sending your configuration. I'm using 2.1 pfsense release.

Thanks in advance.

vononka

Hi,

1 - Create a virtual IP address on both firewall (192.168.1.0 for 10.10.1.0/24 and 10.10.10.0/24 to 192.168.10.0/24)
2 - Go to VPN> IPsec menu. After you have configured phase 1, create the negotiation phase2.
3- Restart racoon
4 - insert a route on the pc (eg route add-net 10.10.10.0/24 gw YOUR_GW)

Vononka

tleiras

Thanks a Lot.

I'll try this configuration.

Thanks.

tleiras

Hi Vononka,

Did you have to set 1:1 or Outbound Nat configuration?

When you send a package from Site A to Site B, what is the src ip when this package arrive at site B host?

I'm sorry for my english.

vononka

Hi,
No, but the subnet  192.168.1.0/24 is nated to 10.10.1.0/24 and 192.168.10.0/24 in 10.10.10/24.
the virtual IP and the subnet must have the same netmask.

Vononka

tleiras

Thanks a lot.
I'll try this configuration today. After all I'll send news.

Thanks.

tleiras

Hi,

I've tried setup configuration as sugested, but this didn't work  :'(.

My B side is a ipcop firewall and I tried establish vpn connection with site A using as remote address 172.16.24.0/24. On A site I configured Local Network wih 192.168.1.0/24 and Nat/BitNat with 172.16.24.0/24.

On B site, the vpn status is Ok, but on PfSense (Site A) the VPN connection is down, although there are logs registering connection established.

I'm attaching my actual configuration and log files on both sites. Does anyone has any idea why my Site A (192.168.1.0) package does not arrive at site B (10.1.1.0) with 172.168.24.0 address?

Thanks a lot for help me.

tleiras

What about your configuration between Site A and Site C? Did you establish connection?
In your original post you described that site A and Site C have the same CIDR. In this case did you have to Nat your Site A address to arive in site C with other network address?

I'm sorry for the inconvenience.

tleiras

Hello,

I succeed establish NAT before IPSec on Both sides.

I think the problem is with IPCOP. When I configure IPSEC VPN between 2 pfsenses (Site A 2.1 and site B 2.0.3), vpn works fine and all packages sent by site A arrives at Site B with 172.16.24.0 address. I'll check IPCOP documentation.

Thanks everyone for help me.

tleiras

Hello,

I succeed establish NAT before IPSec on Both sides without problem.  :D

The problem was on my IPCOP on Site B. My firewall established connection on SonicWall using Nat Over Ipsec.

Thanks everyone for help me.

shadokin

On your VIP you create, I assume you used a Localhost IP Alias?

dotdash

You shouldn't need to create VIPs or routes. You can set the NAT network directly in your phase2.