Project

General

Profile

Actions

Todo #595

closed

Test IPsec with NAT

Added by Jim Pingle over 11 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
IPsec
Target version:
Start date:
05/13/2010
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:

Description

Ermal said that after looking at some code paths, IPsec may work with NAT now on 2.0, but needs some testing.


Files

NAT_over_IPSec.png (195 KB) NAT_over_IPSec.png Larry Titus, 08/25/2010 03:38 PM
VPN_NAT_and_pfSense.pdf (623 KB) VPN_NAT_and_pfSense.pdf Fabien Allaine, 02/07/2011 10:59 AM
Actions #1

Updated by Chris Buechler over 11 years ago

  • Category set to IPsec

Ermal, how is this supposed to work? nat on enc0?

Actions #2

Updated by Erik Fonnesbeck over 11 years ago

If anyone wants to test it, go ahead and try adding rules on the IPsec interface - it is one of the available choices. Looking at the file, it seems to use enc0 when you assign a rule to IPsec.

Actions #3

Updated by Larry Titus over 11 years ago

Much to my surprise, it works!

Actions #4

Updated by Larry Titus over 11 years ago

Larry Titus wrote:

Much to my surprise, it works!

States Table
Proto Source > Router -> Destination State
tcp 192.168.100.49:22 <
192.168.0.10:56535 ESTABLISHED:ESTABLISHED
tcp 192.168.0.10:56535 -> 192.168.0.2:51118 -> 192.168.100.49:22 ESTABLISHED:ESTABLISHED

Actions #5

Updated by Chris Buechler over 11 years ago

within the same subnet, that's good. The tricky part is what if it's a completely different subnet, such as the case where there are conflicting subnets and you have to NAT before hitting IPsec processing.

Actions #6

Updated by Erik Fonnesbeck over 11 years ago

I don't think that is something that you can currently resolve with PF on any type of site-to-site VPN connection.

Actions #7

Updated by Erik Fonnesbeck over 11 years ago

Actually, I suppose it just needs the NAT on both sides of the VPN.

Actions #8

Updated by Scott Ullrich about 11 years ago

  • Target version changed from 2.0 to 2.1
Actions #9

Updated by Fabien Allaine almost 11 years ago

Here my test case for qualifying pfSense for VPN and NAT.
Hope It'll help before pfSense 2.1.
(works great under XenServer or VMware ESXi)

Actions #10

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Closed
  • Target version changed from 2.1 to 2.0

what's mentioned in this ticket works, there are other caveats with IPsec and NAT

Actions

Also available in: Atom PDF