Control P2 local network proposal with nat before ipsec config

IPsec
Log in to reply
  • H

    Hey gang..

    I just upgraded from 2.1.5 to 2.2 and I've been going through some IPSec pain ever since..

    I am connecting to a SonicWALL IPSec endpoint (unsure of the model number) and need to nat my private network to a specific 10.x netblock prior to IPSec.

    The endpoint is expecting my local network on P2 to be 10.2.63.0/29.  I have my P2 config'd in pfSense as such:
      - Local Network:  type Net, address 10.0.0.0/8 (I need addresses in 10.1 and 10.2 to be nat'd for me)
      - NAT network:  type Net, address 10.2.63.0/29 (this is what I need it nat'd to prior to IPSec)

    This works as expected, except that the SonicWALL is rejecting my P2 proposals.  Eventually it responds with one of its own, and it gets accepted and works for a while (until it needs to rekey), but any P2 proposal being sent from pfSense is not accepted.

    The combo of the above config generates the following in ipsec.conf:
            leftsubnet = 10.2.63.0/29|10.0.0.0/8

    Is there any way to control the generation of this file so that it only includes the NAT network from the config, i.e. only 10.2.63.0/29?  I'm assuming that the sonicwall is seeing 10.0.0.0/8 and rejecting based on that.

    Or alternately, is there a better way to generate the NAT pf rule on the enc0 interface than to use the above configuration methodology?

    Thanks!

    Joe

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy