Project

General

Profile

Actions

Feature #1855

closed

NAT before IPsec VPN

Added by Michele Di Maria over 13 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
09/08/2011
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

I thought we already had a feature ticket open for IPsec+NAT in general but doesn't appear so.

Actions #1

Updated by Michele Di Maria over 13 years ago

Thanks to FreeBSD 9 it should be now possible to NAT before the VPN in order to solve network overlapping.

Here http://www.undeadly.org/cgi?action=article&sid=20090127205841 there's an example where this feature has been implemented. According to the "Deconflicting networks example" it should be now possible to nat an entire network to a new one before the VPN encodes the traffic for the remote network.

If this works, it should be possible to add an option "Nat as" in the IPSec Phase 2 form where is asked the network (or the single ip address in case of outgoing nat).

Actions #2

Updated by Chris Buechler over 13 years ago

  • Subject changed from Nat before IPsec VPN to NAT before IPsec VPN
Actions #3

Updated by Chris Buechler over 13 years ago

The linked info is still OpenBSD-only I believe.

Actions #4

Updated by Ermal Luçi over 13 years ago

Actions #5

Updated by Chris Buechler over 12 years ago

  • Target version deleted (2.1)
Actions #6

Updated by Jim Pingle almost 12 years ago

  • Status changed from New to Feedback
  • Target version set to 2.1

This has been done on 2.1 for a couple months now and confirmed to be working there.

Actions #7

Updated by Chris Buechler almost 12 years ago

  • Status changed from Feedback to Closed

works

Actions #8

Updated by Michele Di Maria almost 12 years ago

Hi, sorry for this later testing.
I have figured out how to test it without upgrading to 2.1 in my production environment, and I am using two pfSense (Office 2.0.2 and Home 2.1).

The first phase 2 (Local LAN to Remote LAN) has no problems.
The second phase 2 (Local LAN to Remote DMZ) on the remote side of the VPN (the Office) gets up with no problems.
On the local box, on SPD I see:
10.0.3.0/24 192.168.28.0/24 >> (correct)
192.168.22.0/24 10.0.3.0/24 << (not correct, the 192.168.22.0 should be translated to 192.168.28.0/24 according to the "In case you need NAT/..." setting for this phase2.

Am I mistaking something or there is something else I should add?

Thanks,
Michele

Actions #9

Updated by Dalm Tian over 11 years ago

Hi!
I have a same problem as Michele Di Maria. - Please reopen a ticket.

Actions #10

Updated by Jim Pingle over 11 years ago

This is tested and working in several production networks, there are no confirmed issues currently. Please post in the forum to ensure that you do not have a configuration issue. If a bug can be confirmed there, a new ticket can be opened.

Actions

Also available in: Atom PDF