    2.3 IPSEC with public network as P2 Remote Network: ok from router, not from LAN

swix:

      Bonjour, hello,

      I have some "Simple" IPv4 tunnels (IKEv1) to customers here, 3 are already running.  Our LAN: 192.168.1.0/24, WAN IP address 80.254.x.y.

      Already working tunnels are having a Phase 2 setup similar to:

      • Local network: LAN Subnet - NAT/BINAT:  Type Network, Address 192.168.10.0/24
      • Remote Network:  Type Network , Address 10.116.0.0/16

      I now have to add a new tunnel, but this time and for the first time the Remote Network Address is using public IP ranges.  Current phase 2 setup:

      • Local Network:  WAN Subnet - no NAT/BINAT
      • Remote Network:  Type Network, Address 159.16x.y.z/30

IPsec connection status for Phase 1 and Phase 2 is fine, and everything works as planned when testing from the router itself (when connected via ssh to the pfSense system, I can ping a remote target IP such as 159.16x.y.7). The only issue is that I cannot access the target range 159.16x.y.z/30 from our LAN (192.168.1.0/24).

I tried changing the phase 2 settings, but with anything else the tunnel will not work. And if I set "LAN subnet" as the NAT/BINAT network, it seems to be ignored and will not be saved.
I also thought about adding a static route, but it's not possible to select a tunnel as a gateway.
So how could I route these packets to 159.16x.y.z/30 over the tunnel instead of directly over our gateway?

      Any hint would be very welcome as I am not very experienced with ipsec topics.  Merci & kind regards, Olivier

swix:

        I just updated our router to 2.3.1, and everything remained the same (which was to be expected).
I tried a few other things, but no luck yet. Even when using our WAN IP as a /32 network under "Local Network:" it doesn't work; only when "Local Network: WAN Subnet" is set can I access the remote servers, and only from the router's shell.

I guess some more research is needed… In the meantime, please do not hesitate to give any input or suggestion, thanks!

swix:

No solution found yet, I will request a private range and try again. But I'd still be happy to know if there is another way to solve this :)

cmb:

            That's the expected result, your LAN hosts aren't sourcing traffic on your public IPs, and you don't have NAT defined in the P2. Just need NAT in the P2 for that to work.

swix:

              Oh great, an answer ! Thanks for your time cmb.

"Just need NAT in the P2" is definitely what I'd like to get, but setting "LAN subnet" under "NAT/BINAT translation" does not have any effect (it gets saved, but if I edit the entry again the field is empty: cf. screenshot).

              Is this a GUI-issue, or is there another way to achieve this?

[attachment: v3.jpg]

swix:

Spent some more time on the forum & searching… "Static routes are not possible with IPsec" came up a few times, but I still hope there is a way.

I just miss my IPsec remote gateways under System / Routing / Static Routes / Edit, or should I try with 127.0.0.1 as Gateway? I can't try it now (working remotely and no way to fix things if it brings everything offline), but if it is the way to go, I could give it a try tomorrow.

[attachment: Capture d’écran 2016-07-04 à 22.09.02.png]

swix:

As a final follow-up, the remote party updated their setup to let us use NAT translation like we usually do, and it's now working fine with:

                  • Local Network:  LAN Subnet
                  • NAT/BINAT Translation: Network  192.168.18x.0/24
                  • Remote Network: 10.22x.0.0/16

It would still be interesting to know if and how it would have been possible to solve the initial issue (public network as target), but at least the case is closed for now.
                  Kind regards

[attachment: pfsense20160822.jpg]

network1:

                    Hi Swix,

Thought I'd post as I was doing the exact same thing. I got mine working, so it can happen.

Not sure on your setup; we have a routed subnet going to dual pfSense with CARP.

                    For the purposes of below we are using the following, also note we are not using NAT at all.

Public /29 P1.x.x.x (CARP P1.x.x.3)
Routed subnet to the above: P2.x.x.x /25

                    Example IP on a server would be P2.1.1.1

                    The tunnel would look like below.

                    Phase 1 - Peer ID = CARP IP P1.x.x.3
                    Phase 2 - Local = P2.1.1.1/32
                    Phase 2 - Remote network = 192.168.10.0/24

                    Remote site would be configured as below

                    Phase 1 - remote gateway = P1.x.x.3
                    Phase 2 - Local = 192.168.10.0/24
                    Phase 2 - Remote network = P2.1.1.1/32

                    So we have the entire /24 subnet able to connect to the public IP via the VPN.

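Added example (not code from the thread, pfSense or strongSwan): a small model of how a Phase 2 entry selects traffic, reproducing cmb's point that the SPD only matches packets whose source lies in the P2 local network, and showing why swix's final NAT/BINAT entry and network1's routed public /32 both work while the original "WAN Subnet" entry only works from the router itself. Every address below is constructed from the RFC 5737 documentation ranges (203.0.113.0/29 standing in for the WAN subnet, 192.0.2.4/30 for the public remote /30, 192.168.200.0/24 and 10.200.0.0/16 for the translated and private ranges, 198.51.100.65/32 for a server in a routed subnet); none are the thread's real addresses, and "first matching P2 wins" is a simplification of how the kernel SPD orders policies.

```python
"""Model of how a pfSense IPsec Phase 2 entry selects outbound traffic.

Added example, not pfSense/strongSwan code.  It reproduces the thread's point:
an SPD entry only matches packets whose *source* lies in the P2 local network,
so LAN hosts never hit a P2 whose local side is the WAN subnet unless a
NAT/BINAT translation first rewrites their source into a network the P2 covers.
All addresses are constructed (RFC 5737 documentation ranges), not the thread's.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Phase2:
    name: str
    local: IPv4Net                    # "Local Network" in the P2 editor
    remote: IPv4Net                   # "Remote Network"
    binat: Optional[IPv4Net] = None   # "NAT/BINAT translation", None when unset

    def __post_init__(self) -> None:
        # A 1:1 BINAT needs both networks to be the same size.
        if self.binat is not None and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError(f"{self.name}: BINAT network must match local prefix length")


def translate_source(p2: Phase2, src: IPv4Addr) -> IPv4Addr:
    """Rewrite src 1:1 from p2.local into p2.binat, keeping the host part."""
    if p2.binat is None or src not in p2.local:
        return src
    offset = int(src) - int(p2.local.network_address)
    return IPv4Addr(int(p2.binat.network_address) + offset)


def select_path(tunnels: List[Phase2], src: str, dst: str) -> Tuple[str, str]:
    """Return (tunnel name or 'default-route', source address as it leaves the box).

    Simplification (assumption): the first matching P2 wins; the real SPD orders
    policies by specificity.
    """
    s, d = IPv4Addr(src), IPv4Addr(dst)
    for p2 in tunnels:
        if d not in p2.remote:
            continue
        # pf applies the P2 BINAT rule before the packet reaches the SPD ...
        candidate = translate_source(p2, s)
        # ... and the SPD local selector is the BINAT network when one is set.
        spd_local = p2.binat if p2.binat is not None else p2.local
        if candidate in spd_local:
            return p2.name, str(candidate)
    return "default-route", str(s)


# Constructed tunnel table mirroring the three configurations in the thread.
TUNNELS = [
    # swix's original P2: local = WAN subnet, no NAT.  Only the router itself matches.
    Phase2("public-remote", IPv4Net("203.0.113.0/29"), IPv4Net("192.0.2.4/30")),
    # swix's working replacement: LAN subnet with a BINAT onto a private range.
    Phase2("binat-remote", IPv4Net("192.168.1.0/24"), IPv4Net("10.200.0.0/16"),
           binat=IPv4Net("192.168.200.0/24")),
    # network1's variant: a public /32 from a routed subnet as the local side, no NAT.
    Phase2("routed-public", IPv4Net("198.51.100.65/32"), IPv4Net("192.168.10.0/24")),
]

if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "192.0.2.7"),    # LAN host -> public remote: no match
                     ("203.0.113.2", "192.0.2.7"),     # router's own WAN address: matches
                     ("192.168.1.10", "10.200.3.4"),   # LAN host via BINAT: matches, translated
                     ("198.51.100.65", "192.168.10.5")]:  # routed public /32: matches
        print(f"{src} -> {dst}: {select_path(TUNNELS, src, dst)}")
```

The first lookup is the failing case from the opening post: the LAN host's source is never in the WAN subnet, so the packet falls through to the default route exactly as cmb describes, while the same destination from the router's WAN address does match. The BINAT case shows what pfSense needs in order to carry LAN traffic: the source is rewritten into the translation network before the SPD check, so the remote side only ever sees the translated range.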
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.