Bug #7639
closedNAT does not work between OpenVPN and IPsec tunnels
0%
Description
Hello,
NAT rules don't get correctly triggered with packets being routed from OpenVPN remote clients to IPsec tunnels.
- Interface LAN: 10.42.2.1/16
- Interface ADSL: 192.168.197.2/30 (behind NAT)
- IPsec Phase 1 to remote host with Phase 2 from LAN subnet to 192.168.40.124/32
- OpenVPN remote access server, subnet topology with addresses 10.43.0.0/16
- Outbound NAT rule on the IPsec interface with 10.43.0.0/16 source and 192.168.40.124/32 as destination, translating to the virtual LAN IP address 10.42.1.11 that I configured on the appropriate page
When OpenVPN clients try to communicate with 192.168.40.124 the firewall logs one of the automatic ADSL rules being triggered. This results in the packets getting dropped.
I noticed this in pre-production, but I also reproduced it in virtual machines a few weeks ago (I'm sorry, I cannot share the virtual machine images because of company policy -- I can help you reproduce the scenario if you need).
I suspect pfSense may be getting confused because NAT on IPsec interfaces is (apparently) handled differently than NAT on other interfaces. As it is apparent, using the IPsec NAT configuration options is not enough for this use case.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Not a Bug
NAT for IPsec must be done using P2 NAT entries not NAT rules.