GRE over IPSEC in transport mode and NAT

  • I have a setup with 2 pfsense boxes with a GRE tunnel over the internet. I use ipsec in transport mode to encrypt the tunnel. This all works fine, all traffic to local networks is routed through the GRE tunnel and encrypted.

    LAN 1<-----> pfsense1 <------internet/gre tunnel----->pfsense2<----->LAN2

    I have one problem: when I try to ping the public IP of pfsense2 from LAN1 I get no response. I have captured the packets on pfsense2 and it looks like it does not encrypt the natted traffic from LAN1. The same happens with traffic from LAN2 to the public IP of pfsense1.

    If I ping pfsense2 from pfsense1 (console) it works fine.

    I'm running pfsense 2.1.5 amd64.

  • Just tested with the latest 2.2 beta with the same result. When using ipsec in transport mode it does not encrypt traffic from the local LAN that is natted.

  • You have to create the nat rule yourself for ipsec.

  • I have a static port NAT rule in place, but this does not seem to help. Do I need to create a specific rule when using ipsec in transport mode? I have a rule in place on the WAN interface for the LAN network.
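The capture described in the first post (LAN-originated pings to the peer's public IP leaving in the clear while console pings are encrypted) is what you get when the outbound SPD lookup happens before outbound NAT rewrites the source address. The following model is an added illustration, not pfSense or FreeBSD code; the ordering "IPsec policy lookup, then pf outbound NAT" is stated here as an assumption about the sending host's output path, and the addresses are constructed from RFC 5737 documentation ranges. It shows that a host-to-host transport-mode policy between the two WAN addresses never matches a packet whose source is still the LAN host at lookup time, and that the same packet does match if translation is applied first.

```python
"""Model of transport-mode SPD selector matching versus outbound NAT order.

Added illustration (not pfSense/FreeBSD code). Assumption modelled:
the outbound IPsec policy (SPD) lookup runs before pf's outbound NAT,
so a packet from a LAN host is compared against the policy with its
untranslated source address.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not taken from the thread).
LAN1_NET = ipaddress.ip_network("192.0.2.0/24")
LAN1_HOST = ipaddress.ip_address("192.0.2.10")
PFSENSE1_WAN = ipaddress.ip_address("198.51.100.1")
PFSENSE2_WAN = ipaddress.ip_address("203.0.113.1")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str  # "gre", "icmp", ...


@dataclass(frozen=True)
class Policy:
    """One outbound SPD entry: host-to-host selectors plus the action."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    action: str  # "esp-transport" or "bypass"

    def matches(self, pkt: Packet) -> bool:
        return pkt.src == self.src and pkt.dst == self.dst


# Transport mode between the two firewalls: only traffic whose endpoints
# are the two WAN addresses is protected; anything else is bypassed.
SPD = [Policy(PFSENSE1_WAN, PFSENSE2_WAN, "esp-transport")]


def spd_lookup(spd, pkt: Packet) -> str:
    """First matching policy wins; no match means the packet is sent in clear."""
    for pol in spd:
        if pol.matches(pkt):
            return pol.action
    return "bypass"


def outbound_nat(pkt: Packet, lan, wan_ip) -> Packet:
    """Source NAT for LAN-originated packets, as an outbound NAT rule would do."""
    if pkt.src in lan:
        return Packet(wan_ip, pkt.dst, pkt.proto)
    return pkt


def send_ipsec_then_nat(pkt: Packet):
    """Assumed order: SPD lookup on the untranslated packet, NAT afterwards."""
    action = spd_lookup(SPD, pkt)
    return outbound_nat(pkt, LAN1_NET, PFSENSE1_WAN), action


def send_nat_then_ipsec(pkt: Packet):
    """Alternative order: translate first, then consult the SPD."""
    pkt = outbound_nat(pkt, LAN1_NET, PFSENSE1_WAN)
    return pkt, spd_lookup(SPD, pkt)


def classify(pkt: Packet) -> dict:
    """Return the on-the-wire source and the IPsec action under both orders."""
    wire_a, act_a = send_ipsec_then_nat(pkt)
    wire_b, act_b = send_nat_then_ipsec(pkt)
    return {
        "ipsec_then_nat": (str(wire_a.src), act_a),
        "nat_then_ipsec": (str(wire_b.src), act_b),
    }


if __name__ == "__main__":
    # Console ping from pfsense1 itself: source is already the WAN address.
    print("console ping :", classify(Packet(PFSENSE1_WAN, PFSENSE2_WAN, "icmp")))
    # GRE carrier traffic between the firewalls: also matches the policy.
    print("gre carrier  :", classify(Packet(PFSENSE1_WAN, PFSENSE2_WAN, "gre")))
    # LAN host pinging the remote public IP: leaves in clear unless NAT runs first.
    print("lan1 ping    :", classify(Packet(LAN1_HOST, PFSENSE2_WAN, "icmp")))
```

The useful check on a real pair of boxes is a capture on the sender's WAN interface: a LAN-originated ping to the peer's public address that appears as plain ICMP with the WAN source, rather than as ESP, is the "policy matched before translation" case this model reproduces, and it explains why a plain outbound NAT rule on WAN does not by itself bring that traffic under the transport-mode policy.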

