Control P2 local network proposal with nat before ipsec config


  • Hey gang..

    I just upgraded from 2.1.5 to 2.2 and I've been going through some IPSec pain ever since..

    I am connecting to a SonicWALL IPSec endpoint (unsure of the model number) and need to nat my private network to a specific 10.x netblock prior to IPSec.

    The endpoint is expecting my local network on P2 to be 10.2.63.0/29.  I have my P2 config'd in pfSense as such:
      - Local Network:  type Net, address 10.0.0.0/8 (I need addresses in 10.1 and 10.2 to be nat'd for me)
      - NAT network:  type Net, address 10.2.63.0/29 (this is what I need it nat'd to prior to IPSec)

    This works as expected, except that the SonicWALL is rejecting my P2 proposals.  Eventually it responds with one of its own, and it gets accepted and works for a while (until it needs to rekey), but any P2 proposal being sent from pfSense is not accepted.

    The combo of the above config generates the following in ipsec.conf:
            leftsubnet = 10.2.63.0/29|10.0.0.0/8

    Is there any way to control the generation of this file so that it only includes the NAT network from the config, i.e. only 10.2.63.0/29?  I'm assuming that the SonicWALL is seeing 10.0.0.0/8 and rejecting based on that.

    Or alternatively, is there a better way to generate the NAT pf rule on the enc0 interface than to use the above configuration methodology?

    Thanks!

    Joe
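The post above shows how the two P2 fields end up side by side in the generated `leftsubnet` line. As an added example (not part of the original post and not pfSense or strongSwan code), the following Python helper parses that line out of an ipsec.conf fragment and flags every network in the proposal list that is not contained in the selector the remote side expects, so the mismatch can be confirmed on the pfSense box before the tunnel is negotiated. The `conn` name and the peer addresses in the sample fragment are constructed; the subnet values are the ones from the post.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment; the conn name and the left/right peer
# addresses are assumptions, the subnets are the values from the post.
SAMPLE_IPSEC_CONF = """
conn con1000
    left = 192.0.2.1
    leftsubnet = 10.2.63.0/29|10.0.0.0/8
    right = 198.51.100.1
    rightsubnet = 172.16.5.0/24
"""


def parse_subnets(conf_text, key="leftsubnet"):
    """Return every network listed for `key` in an ipsec.conf fragment.

    The generated line joins the NAT network and the real local network
    with '|' (as in the post); comma-separated lists are split as well so
    that each network that will be offered in a proposal is visible.
    """
    match = re.search(rf"^\s*{key}\s*=\s*(\S+)", conf_text, re.MULTILINE)
    if not match:
        return []
    return [ipaddress.ip_network(part, strict=False)
            for part in re.split(r"[|,]", match.group(1)) if part]


def unexpected_selectors(local_subnets, peer_expects):
    """Networks in the proposal list that are not inside the selector the
    peer expects; a strict peer would reject a proposal carrying these."""
    expected = ipaddress.ip_network(peer_expects)
    return [str(net) for net in local_subnets if not net.subnet_of(expected)]


def nat_source_ok(src_ip, real_net, nat_net, peer_expects):
    """True when a host address lies in the real local network (so the NAT
    rule on enc0 matches it) and the NAT pool it is translated into lies
    inside the selector the peer expects."""
    ip = ipaddress.ip_address(src_ip)
    real = ipaddress.ip_network(real_net)
    nat = ipaddress.ip_network(nat_net)
    return ip in real and nat.subnet_of(ipaddress.ip_network(peer_expects))


if __name__ == "__main__":
    subnets = parse_subnets(SAMPLE_IPSEC_CONF)
    print("proposed:", [str(n) for n in subnets])
    print("not accepted by a peer expecting 10.2.63.0/29:",
          unexpected_selectors(subnets, "10.2.63.0/29"))
    print("10.1.4.7 translated into the pool correctly:",
          nat_source_ok("10.1.4.7", "10.0.0.0/8", "10.2.63.0/29", "10.2.63.0/29"))
```

Run it against the real `/var/etc/ipsec/ipsec.conf` by reading that file into `parse_subnets` instead of the constructed fragment; an empty result from `unexpected_selectors` means every offered selector fits what the peer is configured for.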