
Feature #1855

NAT before IPsec VPN

Added by Michele Di Maria about 9 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 09/08/2011
Due date:
% Done: 0%
Estimated time:

Description

I thought we already had a feature ticket open for IPsec+NAT in general but doesn't appear so.

History

#1 Updated by Michele Di Maria about 9 years ago

Thanks to FreeBSD 9 it should be now possible to NAT before the VPN in order to solve network overlapping.

Here http://www.undeadly.org/cgi?action=article&sid=20090127205841 there's an example where this feature has been implemented. According to the "Deconflicting networks example" it should now be possible to NAT an entire network to a new one before the VPN encodes the traffic for the remote network.

If this works, it should be possible to add a "NAT as" option to the IPsec Phase 2 form, where the network (or the single IP address, in the case of outgoing NAT) is asked for.

#2 Updated by Chris Buechler about 9 years ago

  • Subject changed from Nat before IPsec VPN to NAT before IPsec VPN

#3 Updated by Chris Buechler about 9 years ago

The linked info is still OpenBSD-only I believe.

#4 Updated by Ermal Luçi about 9 years ago

#5 Updated by Chris Buechler over 8 years ago

  • Target version deleted (2.1)

#6 Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Feedback
  • Target version set to 2.1

This has been done on 2.1 for a couple months now and confirmed to be working there.

#7 Updated by Chris Buechler over 7 years ago

  • Status changed from Feedback to Closed

works

#8 Updated by Michele Di Maria over 7 years ago

Hi, sorry for this late testing.
I have figured out how to test it without upgrading to 2.1 in my production environment, and I am using two pfSense boxes (Office 2.0.2 and Home 2.1).

The first phase 2 (Local LAN to Remote LAN) has no problems.
The second phase 2 (Local LAN to Remote DMZ) on the remote side of the VPN (the Office) comes up with no problems.
On the local box, in the SPD I see:
10.0.3.0/24 192.168.28.0/24 >> (correct)
192.168.22.0/24 10.0.3.0/24 << (not correct; the 192.168.22.0 should be translated to 192.168.28.0/24 according to the "In case you need NAT/..." setting for this phase 2)

Am I mistaken about something, or is there something else I should add?

Thanks,
Michele
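A small checker for the translation discussed in this comment, added here as an illustration and not part of the ticket or of pfSense itself: given a Phase 2 with its real local subnet, the "NAT/BINAT translation" address or network, and the remote subnet, it derives the SPD pair the translation should produce and reports which entries are missing from an observed SPD and which still carry the untranslated local subnet. The Phase2 and SpdEntry structures, the simplified src/dst/direction view of the SPD, and the rule that a 1:1 (BINAT) translation network must be the same size as the local network are assumptions of the example; the sample SPD lines are constructed from the networks quoted above.

```python
# Added example: derive the IPsec SPD entries that a NAT/BINAT translation on a
# Phase 2 should produce, and compare them with what the box actually shows.
# Not pfSense code; the data structures and the equal-size rule for 1:1
# networks are assumptions of this example.
from ipaddress import ip_network
from typing import NamedTuple, Optional


class Phase2(NamedTuple):
    local: str              # real local subnet, e.g. the LAN
    nat_as: Optional[str]   # "NAT/BINAT translation": network, single host, or None
    remote: str             # remote subnet on the far side of the tunnel


class SpdEntry(NamedTuple):
    src: str
    dst: str
    direction: str          # "out" (local -> remote) or "in" (remote -> local)


def translated_local(p2: Phase2):
    """Network the remote side sees for our local subnet after translation."""
    local = ip_network(p2.local)
    if p2.nat_as is None:
        return local
    nat = ip_network(p2.nat_as)
    # A single address is many:1 NAT; anything larger is 1:1 (BINAT) and is
    # assumed to need the same size as the local network so every host maps
    # to exactly one translated address.
    if nat.num_addresses != 1 and nat.prefixlen != local.prefixlen:
        raise ValueError(f"BINAT network {nat} must be the same size as {local}")
    return nat


def expected_spd(p2: Phase2):
    """SPD pair the translation should produce: both directions carry the
    translated network, never the real local one."""
    nat = str(translated_local(p2))
    remote = str(ip_network(p2.remote))
    return [SpdEntry(nat, remote, "out"), SpdEntry(remote, nat, "in")]


def check_spd(p2: Phase2, observed):
    """Return (missing, untranslated): expected entries absent from the SPD,
    and observed entries that still name the real local subnet although the
    Phase 2 is translated."""
    obs = set(observed)
    missing = [e for e in expected_spd(p2) if e not in obs]
    local = str(ip_network(p2.local))
    untranslated = []
    if p2.nat_as is not None and local != str(translated_local(p2)):
        untranslated = [e for e in observed if local in (e.src, e.dst)]
    return missing, untranslated


# Constructed sample based on the networks quoted in the thread: LAN
# 192.168.22.0/24 presented to the remote DMZ 10.0.3.0/24 as 192.168.28.0/24.
LAN_TO_DMZ = Phase2(local="192.168.22.0/24", nat_as="192.168.28.0/24",
                    remote="10.0.3.0/24")

# What a correctly translated SPD should contain (constructed).
GOOD_SPD = [
    SpdEntry("192.168.28.0/24", "10.0.3.0/24", "out"),
    SpdEntry("10.0.3.0/24", "192.168.28.0/24", "in"),
]

# The symptom described in the thread (constructed): outbound translated,
# inbound still pointing at the real LAN.
BAD_SPD = [
    SpdEntry("192.168.28.0/24", "10.0.3.0/24", "out"),
    SpdEntry("10.0.3.0/24", "192.168.22.0/24", "in"),
]

if __name__ == "__main__":
    for name, spd in (("good", GOOD_SPD), ("bad", BAD_SPD)):
        missing, untranslated = check_spd(LAN_TO_DMZ, spd)
        print(name, "missing:", missing, "untranslated:", untranslated)
```

Running it prints no findings for the good SPD and, for the bad one, reports the missing inbound entry for 192.168.28.0/24 together with the inbound entry that still names 192.168.22.0/24. Feeding it the real local subnet as the translation (or `nat_as=None`) makes it expect the untranslated pair, which is what an unmodified Phase 2 should show.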

#9 Updated by Dalm Tian over 7 years ago

Hi!
I have the same problem as Michele Di Maria. Please reopen the ticket.

#10 Updated by Jim Pingle over 7 years ago

This is tested and working in several production networks; there are no confirmed issues currently. Please post in the forum to ensure that you do not have a configuration issue. If a bug can be confirmed there, a new ticket can be opened.
