Todo #595
closed
Test IPsec with NAT
0%
Description
Ermal said that after looking at some code paths, IPsec may work with NAT now on 2.0, but needs some testing.
Files
Updated by Chris Buechler over 13 years ago
- Category set to IPsec
Ermal, how is this supposed to work? nat on enc0?
Updated by Erik Fonnesbeck over 13 years ago
If anyone wants to test it, go ahead and try adding rules on the IPsec interface - it is one of the available choices. Looking at the file, it seems to use enc0 when you assign a rule to IPsec.
Updated by Larry Titus over 13 years ago
- File NAT_over_IPSec.png NAT_over_IPSec.png added
Much to my surprise, it works!
Updated by Larry Titus over 13 years ago
Larry Titus wrote:
Much to my surprise, it works!
States Table
Proto Source > Router -> Destination State 192.168.0.10:56535 ESTABLISHED:ESTABLISHED
tcp 192.168.100.49:22 <
tcp 192.168.0.10:56535 -> 192.168.0.2:51118 -> 192.168.100.49:22 ESTABLISHED:ESTABLISHED
Updated by Chris Buechler over 13 years ago
within the same subnet, that's good. The tricky part is what if it's a completely different subnet, such as the case where there are conflicting subnets and you have to NAT before hitting IPsec processing.
Updated by Erik Fonnesbeck over 13 years ago
I don't think that is something that you can currently resolve with PF on any type of site-to-site VPN connection.
Updated by Erik Fonnesbeck over 13 years ago
Actually, I suppose it just needs the NAT on both sides of the VPN.
Updated by Scott Ullrich over 13 years ago
- Target version changed from 2.0 to 2.1
Updated by Fabien Allaine about 13 years ago
- File VPN_NAT_and_pfSense.pdf VPN_NAT_and_pfSense.pdf added
Here my test case for qualifying pfSense for VPN and NAT.
Hope It'll help before pfSense 2.1.
(works great under XenServer or VMware ESXi)
Updated by Chris Buechler over 12 years ago
- Status changed from New to Closed
- Target version changed from 2.1 to 2.0
what's mentioned in this ticket works, there are other caveats with IPsec and NAT