IPSEC NAT USING V2.1 - SOLVED!



  • I've seen other posts about this but each is just different enough from my situation so the solution does not work.

    The remote network cannot address our internal network, so I need to NAT. 
    Phase one is no problem and appears to come up.  I've had NAT enabled and disabled in the Phase 1 config and it doesn't seem to make a difference. DPD is enabled.

    My internal address is 192.168.5.5/32
    The remote internal address is at 10.10.150.150/32
    The remote can connect only to 10.170.170.170/32.

    I setup Phase 2 to be:
    Local Network: Address: 192.168.5.5
    Local Network: Nat/BiNAT: Address: 10.170.170.170
    Remote Network: Address: 10.10.150.150
    Auto ping host: 10.10.150.150

    When they ping me, The log shows one SA connection.  The connection shows Yellow in the Status list. 
    When I ping them the log shows: "ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange". It reports that error 3 times then reports: "ERROR: x.x.x.x (their external addr) give up to get IPsec-SA due to time up to wait."

    I have over 40 other IPSEC connections live on this pfSense, none using NAT, and none giving any problems.
    The IPSEC rule is wide open.
    I have made no changes to Rules or any NAT table entries for this NATed connection.  Do I need to?

    Does anyone have a suggestion?

    THE PROBLEM WAS THE REMOTE SIDE HAD FAILED TO CONFIGURE THEIR TUNNEL TO THE AGREED UPON SPECS.  ONCE THAT WAS FIXED THE TUNNEL CAME RIGHT UP.  THE CONFIGURATION SHOWN ABOVE SEEMS TO WORK PERFECTLY!


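The post's resolution is worth making concrete: with a NAT/BiNAT address on the Phase 2 entry, pfSense advertises the BiNAT address (10.170.170.170/32), not the real host (192.168.5.5/32), as its local traffic selector, and the peer must mirror exactly that pair and the same transform set, or the responder rejects quick mode and racoon logs NO-PROPOSAL-CHOSEN. The following is an added model of that check, not pfSense or racoon code and not from the original post; the encryption, hash and PFS values and the peer names are assumptions, since the post does not state the agreed transforms.

```python
"""Model of an IPsec Phase 2 (quick mode) selector/transform check for the
BiNAT setup described in the post. Added illustration only: this is not
pfSense/racoon code, and the transform values (aes128/sha1/PFS group 2) and
peer names are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    """One side's Phase 2 entry as it is offered on the wire."""
    name: str
    local_net: IPv4Network      # selector advertised as this side's own network
    remote_net: IPv4Network     # selector expected for the peer's network
    encryption: str             # assumed value, not taken from the post
    hash_alg: str               # assumed value, not taken from the post
    pfs_group: Optional[int]    # None means PFS off


def binat_selector(real_net: IPv4Network, binat_net: IPv4Network) -> IPv4Network:
    """With a NAT/BiNAT address set, the BiNAT network (not the real internal
    network) is what gets advertised as the local selector; a 1:1 BiNAT
    requires equal-sized networks, so reject anything else up front."""
    if real_net.prefixlen != binat_net.prefixlen:
        raise ValueError("BiNAT requires equal-sized local and translated networks")
    return binat_net


def translate_outbound(src: IPv4Address, real_net: IPv4Network,
                       binat_net: IPv4Network) -> IPv4Address:
    """1:1 rewrite of an inner source address before ESP encapsulation.
    Addresses outside the real network are left untouched."""
    if src not in real_net:
        return src
    offset = int(src) - int(real_net.network_address)
    return IPv4Address(int(binat_net.network_address) + offset)


def negotiate(initiator: Phase2, responder: Phase2) -> Tuple[bool, str]:
    """Quick-mode check: the selectors must mirror each other and the
    transform set must match; otherwise the responder answers with
    NO-PROPOSAL-CHOSEN, which is the wording the initiator's racoon logs."""
    if (initiator.local_net != responder.remote_net
            or initiator.remote_net != responder.local_net):
        return False, ("NO-PROPOSAL-CHOSEN: selector mismatch, initiator offers "
                       f"{initiator.local_net} <-> {initiator.remote_net}, "
                       f"responder expects {responder.remote_net} <-> "
                       f"{responder.local_net}")
    for field in ("encryption", "hash_alg", "pfs_group"):
        a, b = getattr(initiator, field), getattr(responder, field)
        if a != b:
            return False, f"NO-PROPOSAL-CHOSEN: {field} mismatch ({a} vs {b})"
    return True, "IPsec-SA established"


# Addresses from the post; the translated selector is what the peer must see.
REAL_LOCAL = ip_network("192.168.5.5/32")
BINAT_LOCAL = ip_network("10.170.170.170/32")
REMOTE_HOST = ip_network("10.10.150.150/32")

OUR_SIDE = Phase2("pfsense", binat_selector(REAL_LOCAL, BINAT_LOCAL),
                  REMOTE_HOST, "aes128", "sha1", 2)


def scenarios():
    """Three constructed peer configurations: the agreed one, a peer that
    wrongly uses the real internal address as its remote network, and a peer
    with a different transform. Only the first negotiates."""
    agreed = Phase2("remote-agreed", REMOTE_HOST, BINAT_LOCAL, "aes128", "sha1", 2)
    wrong_net = Phase2("remote-real-ip", REMOTE_HOST, REAL_LOCAL, "aes128", "sha1", 2)
    wrong_xform = Phase2("remote-3des", REMOTE_HOST, BINAT_LOCAL, "3des", "sha1", 2)
    return {
        "agreed": negotiate(OUR_SIDE, agreed),
        "remote_uses_real_ip": negotiate(OUR_SIDE, wrong_net),
        "remote_wrong_transform": negotiate(OUR_SIDE, wrong_xform),
    }


if __name__ == "__main__":
    print("inner src 192.168.5.5 leaves as",
          translate_outbound(ip_address("192.168.5.5"), REAL_LOCAL, BINAT_LOCAL))
    for label, (ok, reason) in scenarios().items():
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

The practical check this encodes: when only one direction of a BiNAT tunnel fails with NO-PROPOSAL-CHOSEN, compare the peer's configured remote network against the BiNAT address (not the real host) and the transform set before touching firewall or NAT rules, since pfSense installs the BiNAT translation from the Phase 2 entry itself.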