Netgate Discussion Forum

Control P2 local network proposal with nat before ipsec config

IPsec
1 Posts 1 Posters 501 Views
histriosum
last edited by Feb 3, 2015, 8:37 PM

    Hey gang..

    I just upgraded from 2.1.5 to 2.2 and I've been going through some IPSec pain ever since..

    I am connecting to a SonicWALL IPSec endpoint (unsure of the model number) and need to nat my private network to a specific 10.x netblock prior to IPSec.

    The endpoint is expecting my local network on P2 to be 10.2.63.0/29.  I have my P2 config'd in pfSense as such:
      - Local Network:  type Net, address 10.0.0.0/8 (I need addresses in 10.1 and 10.2 to be nat'd for me)
      - NAT network:  type Net, address 10.2.63.0/29 (this is what I need it nat'd to prior to IPSec)

    This works as expected, except that the SonicWALL is rejecting my P2 proposals.  Eventually it responds with one of its own, and it gets accepted and works for a while (until it needs to rekey), but any P2 proposal being sent from pfSense is not accepted.

    The combo of the above config generates the following in ipsec.conf:
            leftsubnet = 10.2.63.0/29|10.0.0.0/8

    Is there any way to control the generation of this file so that it only includes the NAT network from the config, i.e. only 10.2.63.0/29?  I'm assuming that the SonicWALL is seeing 10.0.0.0/8 and rejecting based on that.

    Or alternately, is there a better way to generate the NAT pf rule on the enc0 interface than to use the above configuration methodology?

    Thanks!

    Joe
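The following is an added example, not code from the post, from pfSense or from strongSwan. It rebuilds the `leftsubnet` value in exactly the `NAT|local` form the post shows, parses it back into its two CIDRs, and compares the sizes of the two Phase 2 networks. The addresses and the `|` format come from the post; the pfSense field names and the rule that a one-to-one (BINAT) mapping needs equal prefix lengths are assumptions made for the example.

```python
import ipaddress

# Constructed from the post: the two Phase 2 fields as the poster entered them.
LOCAL_NETWORK = "10.0.0.0/8"      # pfSense P2 "Local Network" (field name assumed)
NAT_NETWORK = "10.2.63.0/29"      # pfSense P2 "NAT network" (field name assumed)


def leftsubnet_line(local_net: str, nat_net: str) -> str:
    """Rebuild the ipsec.conf value the post reports pfSense 2.2 writing:
    NAT network first, local network second, joined by '|'. Ordering and
    separator are taken from the post; no further strongSwan semantics
    are assumed here."""
    nat = ipaddress.ip_network(nat_net, strict=True)
    local = ipaddress.ip_network(local_net, strict=True)
    return f"leftsubnet = {nat}|{local}"


def parse_leftsubnet(line: str) -> list:
    """Split a 'leftsubnet = a|b' line back into its CIDR components,
    validating each one as a proper network address."""
    key, _, value = line.partition("=")
    if key.strip() != "leftsubnet":
        raise ValueError(f"not a leftsubnet line: {line!r}")
    return [str(ipaddress.ip_network(part.strip(), strict=True))
            for part in value.split("|") if part.strip()]


def translation_mode(local_net: str, nat_net: str) -> dict:
    """Classify the local/NAT pair by size.

    Assumption (not stated in the post): a one-to-one (BINAT) mapping needs
    networks of equal prefix length; when the local network is larger than
    the NAT network, several local hosts must share each translated address.
    """
    local = ipaddress.ip_network(local_net, strict=True)
    nat = ipaddress.ip_network(nat_net, strict=True)
    if local.version != nat.version:
        raise ValueError("local and NAT networks must be the same address family")
    if local.prefixlen == nat.prefixlen:
        mode = "binat"          # one-to-one
    elif local.prefixlen < nat.prefixlen:
        mode = "nat-overload"   # many local hosts per translated address
    else:
        mode = "nat-sparse"     # NAT network larger than local; addresses go unused
    return {
        "mode": mode,
        "local_addresses": local.num_addresses,
        "nat_addresses": nat.num_addresses,
        "hosts_per_translated_address": max(1, local.num_addresses // nat.num_addresses),
    }


if __name__ == "__main__":
    line = leftsubnet_line(LOCAL_NETWORK, NAT_NETWORK)
    print(line)  # leftsubnet = 10.2.63.0/29|10.0.0.0/8
    print(parse_leftsubnet(line))
    print(translation_mode(LOCAL_NETWORK, NAT_NETWORK))
```

Run against the post's values, `translation_mode` reports the /8-to-/29 pair as many-to-one, with 2^21 local addresses behind each translated address; a pair of equal-length networks reports `binat`.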

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.