[SOLVED] IPSec NAT not working

Started by Kofl, May 05, 2018, 11:33:43 AM

May 05, 2018, 11:33:43 AM Last Edit: May 05, 2018, 02:36:31 PM by Kofl
Hello,

we are struggling with the setup of IPSec NAT although I did it based on the documentation. So far the IPSec tunnel works fine:

Source Network: 192.168.16.0/24
Destination Network: 10.17.0.0/16

Now we also have to tunnel the source network 10.51.18.0/24 over that VPN connection.

Manual SPD entries: 10.51.18.0/24 for phase 2

Firewall: NAT: One-to-One
External network: 192.168.16.0/24
Source: 10.51.18.0/24
Destination: 10.17.0.0/16

But the packets are not translated, tcpdump shows:

IP 10.51.18.90 > 10.17.3.2: ICMP echo request

Any hint on what we are missing?

Thanks,
Thomas

In the NAT rule, try a /24 destination net and try to ping an IP in the 0.X range.

Perhaps a bug when the netmasks are different.

Thanks,

unfortunately same result:

Destination: 10.17.0.0/24

> ping 10.17.0.2

10.51.18.90 > 10.17.0.2: ICMP echo request

May 05, 2018, 01:59:38 PM #5 Last Edit: May 05, 2018, 02:27:38 PM by Kofl
rules.debug also looks fine:

binat on enc0 from 10.51.18.0/24 to 10.17.0.0/24 -> 192.168.16.0/24

It also makes no difference if I try NAT instead of BINAT:

nat on enc0 from 10.51.18.0/24 to 10.17.0.0/24 -> 192.168.16.0/24

May 05, 2018, 02:36:19 PM #6 Last Edit: May 05, 2018, 02:39:09 PM by Kofl
Solved.

https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks:

Quote
In a packet capture, the actual address will be shown on outbound traffic, not the translated address. This does not indicate any problem.

As soon as the admin of the other site allowed the traffic, everything went fine:

14:31:26.676550 (authentic,confidential): SPI 0xbdb31e3b: IP 10.51.18.90 > 10.17.3.2: ICMP echo request, id 1, seq 873, length 40
14:31:26.712898 (authentic,confidential): SPI 0xcb1e1127: IP 10.17.3.2 > 192.168.16.90: ICMP echo reply, id 1, seq 873, length 40

Thanks @mimugmail
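The capture asymmetry discussed in this thread (the outbound request on enc0 shows the untranslated 10.51.18.x source, while the reply comes back to the translated 192.168.16.x address) can be checked mechanically. The following is an added example, not code from the thread or from OPNsense/pfSense: it re-implements the host-offset mapping of a pf `binat` rule between equally sized networks and pairs echo requests with replies from tcpdump text to confirm that each reply is addressed to the translated form of the request source. The tcpdump lines are the two posted above, embedded here as constructed test input.

```python
import ipaddress
import re

# Constructed sample input: the two tcpdump lines posted in the thread.
CAPTURE = """\
14:31:26.676550 (authentic,confidential): SPI 0xbdb31e3b: IP 10.51.18.90 > 10.17.3.2: ICMP echo request, id 1, seq 873, length 40
14:31:26.712898 (authentic,confidential): SPI 0xcb1e1127: IP 10.17.3.2 > 192.168.16.90: ICMP echo reply, id 1, seq 873, length 40
"""

# Matches the IP header summary and ICMP echo id/seq in a tcpdump line.
LINE_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def binat_translate(addr, internal_net, external_net):
    """Map a host in internal_net to the host with the same offset in external_net,
    as 'binat ... from <internal> -> <external>' does for equal-sized networks."""
    internal = ipaddress.ip_network(internal_net)
    external = ipaddress.ip_network(external_net)
    if internal.prefixlen != external.prefixlen:
        raise ValueError("binat requires networks of equal size")
    host = ipaddress.ip_address(addr)
    if host not in internal:
        return host  # not covered by this rule, left untranslated
    offset = int(host) - int(internal.network_address)
    return ipaddress.ip_address(int(external.network_address) + offset)


def check_capture(text, internal_net, external_net):
    """Pair echo requests with replies by (id, seq) and return
    (request_src, reply_dst, ok) where ok means the reply went to the
    binat-translated form of the request source."""
    requests, results = {}, []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not ICMP echo traffic
        src, dst, kind, icmp_id, seq = m.groups()
        key = (icmp_id, seq)
        if kind == "request":
            requests[key] = src  # pf shows the untranslated source on enc0
        elif key in requests:
            req_src = requests[key]
            expected = str(binat_translate(req_src, internal_net, external_net))
            results.append((req_src, dst, dst == expected))
    return results
```

A result with ok=False for a reply points at the remote side answering to the wrong address (or the translation not being applied), whereas a request whose source is untranslated in the capture is, as the quoted documentation notes, the expected behaviour.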