Todo #595
closed
Added by Jim Pingle over 14 years ago.
Updated about 13 years ago.
Description
Ermal said that after looking at some code paths, IPsec may work with NAT now on 2.0, but needs some testing.
Ermal, how is this supposed to work? NAT on enc0?
If anyone wants to test it, go ahead and try adding rules on the IPsec interface - it is one of the available choices. Looking at the file, it seems to use enc0 when you assign a rule to IPsec.
Much to my surprise, it works!
Larry Titus wrote:
Much to my surprise, it works!
States Table
Proto  Source -> Router -> Destination                                State
tcp    192.168.100.49:22 <- 192.168.0.10:56535                        ESTABLISHED:ESTABLISHED
tcp    192.168.0.10:56535 -> 192.168.0.2:51118 -> 192.168.100.49:22   ESTABLISHED:ESTABLISHED
Within the same subnet, that's good. The tricky part is what if it's a completely different subnet, such as the case where there are conflicting subnets and you have to NAT before hitting IPsec processing.
I don't think that is something that you can currently resolve with PF on any type of site-to-site VPN connection.
Actually, I suppose it just needs the NAT on both sides of the VPN.
- Target version changed from 2.0 to 2.1
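As an added illustration of the two cases discussed in this thread (not rules taken from the ticket or generated by pfSense), the pf.conf form of NAT on enc0, the interface FreeBSD uses for IPsec traffic. The translated 10.0.1.0/24 and 10.0.2.0/24 ranges for the conflicting-subnet case are assumptions; the 192.168.x addresses are those from the states table above.

```pf
# Added illustration, not pfSense's generated ruleset. enc0 is the IPsec
# interface on FreeBSD; the 10.x ranges below are assumed, not from the ticket.

# Case 1 (what the states table above shows): hide the local LAN behind a
# single address before the packet enters IPsec, so the remote host
# 192.168.100.49 only ever sees 192.168.0.2. The resulting state reads
# 192.168.0.10:56535 -> 192.168.0.2:51118 -> 192.168.100.49:22.
nat on enc0 from 192.168.0.0/24 to 192.168.100.0/24 -> 192.168.0.2

# Case 2 (conflicting subnets): both sites use 192.168.0.0/24, so each side
# maps its own LAN 1:1 onto a distinct range on enc0 and the IPsec phase 2
# is negotiated for the translated networks (10.0.1.0/24 <-> 10.0.2.0/24).
# Site A (assumed translated range 10.0.1.0/24):
binat on enc0 from 192.168.0.0/24 to 10.0.2.0/24 -> 10.0.1.0/24
# Site B carries the mirror image (assumed translated range 10.0.2.0/24):
#   binat on enc0 from 192.168.0.0/24 to 10.0.1.0/24 -> 10.0.2.0/24
```

binat is bidirectional, so a host at Site B reaching 10.0.1.10 is rewritten on Site A's enc0 to 192.168.0.10 and the reply is translated back; both sides need the rule, which is the "NAT on both sides" point above.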
Here is my test case for qualifying pfSense for VPN and NAT.
Hope it'll help before pfSense 2.1.
(Works great under XenServer or VMware ESXi.)
- Status changed from New to Closed
- Target version changed from 2.1 to 2.0
What's mentioned in this ticket works; there are other caveats with IPsec and NAT.