Netgate Discussion Forum

    Control P2 local network proposal with nat before ipsec config

    IPsec
      histriosum

      Hey gang,

      I just upgraded from 2.1.5 to 2.2 and I've been going through some IPsec pain ever since.

      I am connecting to a SonicWALL IPsec endpoint (unsure of the model number) and need to NAT my private network to a specific 10.x netblock prior to IPsec.

      The endpoint is expecting my local network on P2 to be 10.2.63.0/29.  I have my P2 configured in pfSense as follows:
        - Local Network:  type Net, address 10.0.0.0/8 (I need addresses in 10.1 and 10.2 to be NATed for me)
        - NAT network:  type Net, address 10.2.63.0/29 (this is what I need it NATed to prior to IPsec)

      This works as expected, except that the SonicWALL is rejecting my P2 proposals.  Eventually it responds with one of its own, and it gets accepted and works for a while (until it needs to rekey), but any P2 proposal being sent from pfSense is not accepted.

      The combo of the above config generates the following in ipsec.conf:
              leftsubnet = 10.2.63.0/29|10.0.0.0/8

      Is there any way to control the generation of this file so that it only includes the NAT network from the config, i.e. only 10.2.63.0/29?  I'm assuming that the SonicWALL is seeing 10.0.0.0/8 and rejecting based on that.

      Or alternately, is there a better way to generate the NAT pf rule on the enc0 interface than to use the above configuration methodology?

      Thanks!

      Joe

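The following is an added example, not code from the poster or from Netgate/pfSense. It parses a pfSense-style ipsec.conf, splits the `translated|real` form of `leftsubnet` shown in the post (the NAT network before the `|`, the real local network after it; that ordering is taken from the post's own line and is otherwise an assumption), and reports the things worth checking before blaming the peer: whether the translation is many-to-few rather than 1:1, whether the translated network sits inside the real one, and whether the real local network overlaps the remote network. The sample ipsec.conf text, the second conn and both `rightsubnet` values are constructed for the example; the real peer network in the post is not known.

```python
import ipaddress
import re

# Constructed sample. The first leftsubnet line is the one quoted in the post;
# the rightsubnet values and the second conn are hypothetical.
SAMPLE_IPSEC_CONF = """\
conn con1000
    leftsubnet = 10.2.63.0/29|10.0.0.0/8
    rightsubnet = 10.9.0.0/24
    auto = route

conn con2000
    leftsubnet = 192.168.1.0/24
    rightsubnet = 172.16.5.0/24
    auto = route
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for ipsec.conf-style text.
    Only 'key = value' lines inside 'conn' sections are kept; comments
    after '#' and blank lines are ignored."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conns[current][key] = value
    return conns


def split_subnet(value):
    """Split a leftsubnet value into (translated, real) network strings.
    'a|b' is read as translated=a, real=b (ordering assumed from the post's
    line); a plain value is the same network in both positions."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) == 1:
        return parts[0], parts[0]
    if len(parts) != 2:
        raise ValueError(f"unexpected leftsubnet form: {value!r}")
    return parts[0], parts[1]


def audit(text):
    """Parse ipsec.conf text and return one report per conn: the translated
    and real local networks, the peer networks, and a list of findings."""
    reports = []
    for name, kv in parse_conns(text).items():
        if "leftsubnet" not in kv:
            continue
        nat_s, real_s = split_subnet(kv["leftsubnet"])
        nat = ipaddress.ip_network(nat_s, strict=False)
        real = ipaddress.ip_network(real_s, strict=False)
        # rightsubnet may be a comma-separated list of networks.
        peers = [ipaddress.ip_network(p.strip(), strict=False)
                 for p in kv.get("rightsubnet", "").split(",") if p.strip()]
        findings = []
        if nat != real and real.prefixlen < nat.prefixlen:
            findings.append(
                f"many-to-few NAT /{real.prefixlen} -> /{nat.prefixlen}, not a 1:1 BINAT")
        if nat != real and nat.subnet_of(real):
            findings.append("translated network lies inside the real local network")
        for peer in peers:
            if real.overlaps(peer):
                findings.append(f"real local network {real} overlaps peer network {peer}")
        reports.append({"conn": name, "translated": str(nat), "real": str(real),
                        "peers": [str(p) for p in peers], "findings": findings})
    return reports


if __name__ == "__main__":
    for r in audit(SAMPLE_IPSEC_CONF):
        print(f"{r['conn']}: translated={r['translated']} real={r['real']} peers={r['peers']}")
        for f in r["findings"]:
            print("  -", f)
```

Run it against a copy of /var/etc/ipsec/ipsec.conf pulled from the firewall (path as used by pfSense 2.2; treat it as an assumption if your release differs) to see which selectors each P2 carries; the findings are things to look at, not a diagnosis of the SonicWALL's rejection.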
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.