Project

General

Profile

Todo #595

Test IPsec with NAT

Added by Jim Pingle about 9 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
05/13/2010
Due date:
% Done:

0%

Estimated time:

Description

Ermal said that after looking at some code paths, IPsec may work with NAT now on 2.0, but needs some testing.

NAT_over_IPSec.png (195 KB) NAT_over_IPSec.png Larry Titus, 08/25/2010 03:38 PM
VPN_NAT_and_pfSense.pdf (623 KB) VPN_NAT_and_pfSense.pdf Fabien Allaine, 02/07/2011 10:59 AM

History

#1 Updated by Chris Buechler almost 9 years ago

  • Category set to IPsec

Ermal, how is this supposed to work? nat on enc0?

#2 Updated by Erik Fonnesbeck almost 9 years ago

If anyone wants to test it, go ahead and try adding rules on the IPsec interface - it is one of the available choices. Looking at the file, it seems to use enc0 when you assign a rule to IPsec.

#3 Updated by Larry Titus almost 9 years ago

Much to my surprise, it works!

#4 Updated by Larry Titus almost 9 years ago

Larry Titus wrote:

Much to my surprise, it works!

States Table
Proto Source > Router -> Destination State
tcp 192.168.100.49:22 <
192.168.0.10:56535 ESTABLISHED:ESTABLISHED
tcp 192.168.0.10:56535 -> 192.168.0.2:51118 -> 192.168.100.49:22 ESTABLISHED:ESTABLISHED

#5 Updated by Chris Buechler almost 9 years ago

within the same subnet, that's good. The tricky part is what if it's a completely different subnet, such as the case where there are conflicting subnets and you have to NAT before hitting IPsec processing.

#6 Updated by Erik Fonnesbeck almost 9 years ago

I don't think that is something that you can currently resolve with PF on any type of site-to-site VPN connection.

#7 Updated by Erik Fonnesbeck almost 9 years ago

Actually, I suppose it just needs the NAT on both sides of the VPN.

#8 Updated by Scott Ullrich over 8 years ago

  • Target version changed from 2.0 to 2.1

#9 Updated by Fabien Allaine over 8 years ago

Here my test case for qualifying pfSense for VPN and NAT.
Hope It'll help before pfSense 2.1.
(works great under XenServer or VMware ESXi)

#10 Updated by Chris Buechler almost 8 years ago

  • Status changed from New to Closed
  • Target version changed from 2.1 to 2.0

what's mentioned in this ticket works, there are other caveats with IPsec and NAT

Also available in: Atom PDF