Discussion:
[pfSense] IPSec not routing traffic over tunnel
Roland Giesler
2018-02-08 16:16:17 UTC
Permalink
I'm trying to find a solution and know there are quite a few pfSense users
here, so here goes...

We've set up some IPSec tunnels and they connect. The Phase2 also "comes
up", but we can't reach the hosts specified in the Phase2 "remote network".

One instance (to keep it simpler):

WAN gateway: x.x.x.x (primary firewall interface)

Phase1:

Interface: Virtual IP a.a.a.a

Phase2:

Local address: address c.c.c.c
Local NAT translation: address a.a.a.a

Remote address: r.r.r.r (A public ip)

When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
routing table.

Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a virtual
address though, or what?

In the firewall log I see:
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0eb835d0bb60?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.111.178%26dst%3D196.201.107.67%26dstport%3D21410%26ipproto%3Dinet&userId=977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
getting any response from the remote.

What is going on here? Should there be a route to r.r.r.r in the routing
table or does pfSense hide some mechanics of the ports and routes from me?

Thanks

Roland
Eero Volotinen
2018-02-08 18:40:49 UTC
Permalink
how about not masking ip addresses?

do you really need nat in phase 2 ? why?

Eero
Post by Roland Giesler
I'm trying to find a solution and know there are quite a few pfSense users
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also "comes
up", but we can't reach the hosts specified in the Phase2 "remote network".
WAN gateway: x.x.x.x (primary firewall interface)
Interface: Virtual IP a.a.a.a
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a virtual
address though, or what?
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8
ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%
3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e
b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%
3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
111.178%26dst%3D196.201.107.67%26dstport%3D21410%26ipproto%3Dinet&userId=
977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the routing
table or does pfSense hide some mechanics of the ports and routes from me?
Thanks
Roland
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Roland Giesler
2018-02-08 19:42:32 UTC
Permalink
Post by Eero Volotinen
how about not masking ip addresses?
I'm not allowed to show the ip addresses (by my client), hence the
masking...

I thought I need NAT, but I also testing simply added the virtual ip,
a.a.a.a as the address, but it still doesn't work.
Post by Eero Volotinen
do you really need nat in phase 2 ? why?
I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
use NAT to forward the desired traffic to them (ie HTTPS to a web server).

Now, it I want to establish an IPSec link that will allow a service
provider to push API calls to our server (with the NAT'ed address), I want
to give them a public address to talk to and them NAT that traffic to the
actual server. I understood that's the point of having NAT as an option in
phase2?

I don't see any other way to achieve that, not?
Post by Eero Volotinen
Eero
Post by Roland Giesler
I'm trying to find a solution and know there are quite a few pfSense
users
Post by Roland Giesler
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also "comes
up", but we can't reach the hosts specified in the Phase2 "remote
network".
Post by Roland Giesler
WAN gateway: x.x.x.x (primary firewall interface)
Interface: Virtual IP a.a.a.a
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a
virtual
Post by Roland Giesler
address though, or what?
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8
<https://mailtrack.io/trace/link/892ace929998acda9ead81d80013dbe1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%2F3810b0b653bf2d2e2cba22508a65c8&userId=977006&signature=9d738053b0d33cb5>
Post by Roland Giesler
ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/f83ddb7327a8f200d411500bbce4cd5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&signature=2a744f53ef768e7b>
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e
<https://mailtrack.io/trace/link/7695ee502d0c9ac5d0ed75c5577abeeec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%2F1a280d2835c7f522f38efd56201a0e&userId=977006&signature=571e99f7a2732a8f>
Post by Roland Giesler
b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/c2904059b91634be72796e03b8ffb14066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&signature=cdc956157cdd5df3>
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
111.178%26dst%3D196.201.107.67%26dstport%3D21410%
26ipproto%3Dinet&userId=
Post by Roland Giesler
977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm
not
Post by Roland Giesler
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the routing
table or does pfSense hide some mechanics of the ports and routes from
me?
Post by Roland Giesler
Thanks
Roland
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/813c2da34aa99bf7f9eec9ae50b37e3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%2Flistinfo%2Flist&userId=977006&signature=18f942cb3843942b>
Post by Roland Giesler
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/460987973799abd5c29871361dc34fd4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=9b7e0fb022e1d4b3>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/0552102ab27c30e6e81901e0c9ebf8bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%2Flistinfo%2Flist&userId=977006&signature=cf850d54e37d5986>
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/a64fb335799a74808cd4b40672ab6334c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=6f1a46c71565950f>
Eero Volotinen
2018-02-08 21:51:56 UTC
Permalink
Well. Maybe You need to hire pfsense consultant with NDA, so you can unmask
needed information.

Usually there is no need to NAT in ipsec as you can tunnel private
network/ip address too and limit access with firewall rules.

Eero
Post by Roland Giesler
Post by Eero Volotinen
how about not masking ip addresses?
I'm not allowed to show the ip addresses (by my client), hence the
masking...
I thought I need NAT, but I also testing simply added the virtual ip,
a.a.a.a as the address, but it still doesn't work.
Post by Eero Volotinen
do you really need nat in phase 2 ? why?
I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
use NAT to forward the desired traffic to them (ie HTTPS to a web server).
Now, it I want to establish an IPSec link that will allow a service
provider to push API calls to our server (with the NAT'ed address), I want
to give them a public address to talk to and them NAT that traffic to the
actual server. I understood that's the point of having NAT as an option in
phase2?
I don't see any other way to achieve that, not?
Post by Eero Volotinen
Eero
Post by Roland Giesler
I'm trying to find a solution and know there are quite a few pfSense
users
Post by Roland Giesler
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also
"comes
Post by Eero Volotinen
Post by Roland Giesler
up", but we can't reach the hosts specified in the Phase2 "remote
network".
Post by Roland Giesler
WAN gateway: x.x.x.x (primary firewall interface)
Interface: Virtual IP a.a.a.a
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r in
the
Post by Eero Volotinen
Post by Roland Giesler
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a
virtual
Post by Roland Giesler
address though, or what?
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8
<https://mailtrack.io/trace/link/892ace929998acda9ead81d80013db
e1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F3810b0b653bf2d2e2cba22508a65c8&userId=977006&signature=9d738053b0d33cb5>
Post by Eero Volotinen
Post by Roland Giesler
ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/f83ddb7327a8f200d411500bbce4cd
5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=2a744f53ef768e7b>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e
<https://mailtrack.io/trace/link/7695ee502d0c9ac5d0ed75c5577abe
eec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F1a280d2835c7f522f38efd56201a0e&userId=977006&signature=571e99f7a2732a8f>
Post by Eero Volotinen
Post by Roland Giesler
b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/c2904059b91634be72796e03b8ffb1
4066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=cdc956157cdd5df3>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
111.178%26dst%3D196.201.107.67%26dstport%3D21410%
26ipproto%3Dinet&userId=
Post by Roland Giesler
977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm
not
Post by Roland Giesler
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the
routing
Post by Eero Volotinen
Post by Roland Giesler
table or does pfSense hide some mechanics of the ports and routes from
me?
Post by Roland Giesler
Thanks
Roland
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/813c2da34aa99bf7f9eec9ae50b37e
3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=18f942cb3843942b>
Post by Eero Volotinen
Post by Roland Giesler
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/460987973799abd5c29871361dc34f
d4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=
9b7e0fb022e1d4b3>
Post by Eero Volotinen
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/0552102ab27c30e6e81901e0c9ebf8
bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=cf850d54e37d5986>
Post by Eero Volotinen
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/a64fb335799a74808cd4b40672ab63
34c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=
6f1a46c71565950f>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Roland Giesler
2018-02-09 11:42:44 UTC
Permalink
Ok, I'll try again with real (fake) addresses to make it better understood.

WAN gateway: 197.212.127.194 (primary firewall interface), next hop
gateway 197.212.127.193

Phase1:

Interface: Virtual IP 41.22.123.70

Phase2:

Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70

Remote address: 196.210.117.67 (A public ip)

When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.

Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70. This could be because
41.22.123.70 is just a virtual address though, or what? It may not be
meaningful after all.

In the firewall log I see:
Feb 8 18:07:40 ► IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src=41.75.111.178&ipproto=inet>
41.22.123.70:57914
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
196.210.117.67:12345 TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.

Is this wrong? If so, what is right? I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...

thanks again
Post by Eero Volotinen
Well. Maybe You need to hire pfsense consultant with NDA, so you can unmask
needed information.
Usually there is no need to NAT in ipsec as you can tunnel private
network/ip address too and limit access with firewall rules.
Eero
Post by Roland Giesler
Post by Eero Volotinen
how about not masking ip addresses?
I'm not allowed to show the ip addresses (by my client), hence the
masking...
I thought I need NAT, but I also testing simply added the virtual ip,
a.a.a.a as the address, but it still doesn't work.
Post by Eero Volotinen
do you really need nat in phase 2 ? why?
I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
use NAT to forward the desired traffic to them (ie HTTPS to a web
server).
Post by Roland Giesler
Now, it I want to establish an IPSec link that will allow a service
provider to push API calls to our server (with the NAT'ed address), I
want
Post by Roland Giesler
to give them a public address to talk to and them NAT that traffic to the
actual server. I understood that's the point of having NAT as an option
in
Post by Roland Giesler
phase2?
I don't see any other way to achieve that, not?
Post by Eero Volotinen
Eero
Post by Roland Giesler
I'm trying to find a solution and know there are quite a few pfSense
users
Post by Roland Giesler
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also
"comes
Post by Eero Volotinen
Post by Roland Giesler
up", but we can't reach the hosts specified in the Phase2 "remote
network".
Post by Roland Giesler
WAN gateway: x.x.x.x (primary firewall interface)
Interface: Virtual IP a.a.a.a
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r in
the
Post by Eero Volotinen
Post by Roland Giesler
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network
via
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a
virtual
Post by Roland Giesler
address though, or what?
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8
<https://mailtrack.io/trace/link/892ace929998acda9ead81d80013db
e1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F3810b0b653bf2d2e2cba22508a65c8&userId=977006&signature=
9d738053b0d33cb5>
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/f83ddb7327a8f200d411500bbce4cd
5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=2a744f53ef768e7b>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e
<https://mailtrack.io/trace/link/7695ee502d0c9ac5d0ed75c5577abe
eec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F1a280d2835c7f522f38efd56201a0e&userId=977006&signature=
571e99f7a2732a8f>
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/c2904059b91634be72796e03b8ffb1
4066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=cdc956157cdd5df3>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
111.178%26dst%3D196.201.107.67%26dstport%3D21410%
26ipproto%3Dinet&userId=
Post by Roland Giesler
977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but
I'm
Post by Roland Giesler
Post by Eero Volotinen
not
Post by Roland Giesler
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the
routing
Post by Eero Volotinen
Post by Roland Giesler
table or does pfSense hide some mechanics of the ports and routes
from
Post by Roland Giesler
Post by Eero Volotinen
me?
Post by Roland Giesler
Thanks
Roland
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/813c2da34aa99bf7f9eec9ae50b37e
3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=18f942cb3843942b>
Post by Eero Volotinen
Post by Roland Giesler
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/460987973799abd5c29871361dc34f
d4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=
9b7e0fb022e1d4b3>
Post by Eero Volotinen
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/0552102ab27c30e6e81901e0c9ebf8
bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=cf850d54e37d5986>
Post by Eero Volotinen
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/a64fb335799a74808cd4b40672ab63
34c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=
6f1a46c71565950f>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Eero Volotinen
2018-02-09 12:11:13 UTC
Permalink
I am sorry, but I cannot help.

You can get commercial support from NetGate.

--
Eero
Post by Roland Giesler
Ok, I'll try again with real (fake) addresses to make it better understood.
WAN gateway: 197.212.127.194 (primary firewall interface), next hop
gateway 197.212.127.193
Interface: Virtual IP 41.22.123.70
Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70
Remote address: 196.210.117.67 (A public ip)
When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.
Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70. This could be because
41.22.123.70 is just a virtual address though, or what? It may not be
meaningful after all.
Feb 8 18:07:40 ► IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&
src=41.75.111.178&ipproto=inet>
41.22.123.70:57914
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&
proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
196.210.117.67:12345 TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.
Is this wrong? If so, what is right? I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...
thanks again
Post by Eero Volotinen
Well. Maybe You need to hire pfsense consultant with NDA, so you can
unmask
Post by Eero Volotinen
needed information.
Usually there is no need to NAT in ipsec as you can tunnel private
network/ip address too and limit access with firewall rules.
Eero
Post by Roland Giesler
Post by Eero Volotinen
how about not masking ip addresses?
I'm not allowed to show the ip addresses (by my client), hence the
masking...
I thought I need NAT, but I also testing simply added the virtual ip,
a.a.a.a as the address, but it still doesn't work.
Post by Eero Volotinen
do you really need nat in phase 2 ? why?
I have servers in a farm all NAT'ed (ie they only have LAN addresses)
and
Post by Eero Volotinen
Post by Roland Giesler
use NAT to forward the desired traffic to them (ie HTTPS to a web
server).
Post by Roland Giesler
Now, it I want to establish an IPSec link that will allow a service
provider to push API calls to our server (with the NAT'ed address), I
want
Post by Roland Giesler
to give them a public address to talk to and them NAT that traffic to
the
Post by Eero Volotinen
Post by Roland Giesler
actual server. I understood that's the point of having NAT as an
option
Post by Eero Volotinen
in
Post by Roland Giesler
phase2?
I don't see any other way to achieve that, not?
Post by Eero Volotinen
Eero
Post by Roland Giesler
I'm trying to find a solution and know there are quite a few
pfSense
Post by Eero Volotinen
Post by Roland Giesler
Post by Eero Volotinen
users
Post by Roland Giesler
here, so here goes...
We've set up some IPSec tunnels and they connect. The Phase2 also
"comes
Post by Eero Volotinen
Post by Roland Giesler
up", but we can't reach the hosts specified in the Phase2 "remote
network".
Post by Roland Giesler
WAN gateway: x.x.x.x (primary firewall interface)
Interface: Virtual IP a.a.a.a
Local address: address c.c.c.c
Local NAT translation: address a.a.a.a
Remote address: r.r.r.r (A public ip)
When phase1 and 2 are up and connected, I see no route for r.r.r.r
in
Post by Eero Volotinen
Post by Roland Giesler
the
Post by Eero Volotinen
Post by Roland Giesler
routing table.
Doing a traceroute from c.c.c.c, I get traffic leaving the network
via
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a
virtual
Post by Roland Giesler
address though, or what?
Feb 8 18:07:40 ► IPsec
<https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8
<https://mailtrack.io/trace/link/892ace929998acda9ead81d80013db
e1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F3810b0b653bf2d2e2cba22508a65c8&userId=977006&signature=
9d738053b0d33cb5>
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/f83ddb7327a8f200d411500bbce4cd
5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=2a744f53ef768e7b>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751>
a.a.a.a:57914
<https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e
<https://mailtrack.io/trace/link/7695ee502d0c9ac5d0ed75c5577abe
eec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
2F1a280d2835c7f522f38efd56201a0e&userId=977006&signature=
571e99f7a2732a8f>
Post by Roland Giesler
Post by Eero Volotinen
Post by Roland Giesler
b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
<https://mailtrack.io/trace/link/c2904059b91634be72796e03b8ffb1
4066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006&
signature=cdc956157cdd5df3>
Post by Eero Volotinen
%2Feasyrule.php%
Post by Roland Giesler
3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
111.178%26dst%3D196.201.107.67%26dstport%3D21410%
26ipproto%3Dinet&userId=
Post by Roland Giesler
977006&signature=9606a76d3910d126>
r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but
I'm
Post by Roland Giesler
Post by Eero Volotinen
not
Post by Roland Giesler
getting any response from the remote.
What is going on here? Should there be a route to r.r.r.r in the
routing
Post by Eero Volotinen
Post by Roland Giesler
table or does pfSense hide some mechanics of the ports and routes
from
Post by Roland Giesler
Post by Eero Volotinen
me?
Post by Roland Giesler
Thanks
Roland
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/813c2da34aa99bf7f9eec9ae50b37e
3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=18f942cb3843942b>
Post by Eero Volotinen
Post by Roland Giesler
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/460987973799abd5c29871361dc34f
d4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=
977006&signature=
Post by Eero Volotinen
Post by Roland Giesler
9b7e0fb022e1d4b3>
Post by Eero Volotinen
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/0552102ab27c30e6e81901e0c9ebf8
bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
2Flistinfo%2Flist&userId=977006&signature=cf850d54e37d5986>
Post by Eero Volotinen
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/a64fb335799a74808cd4b40672ab63
34c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=
977006&signature=
Post by Eero Volotinen
Post by Roland Giesler
6f1a46c71565950f>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Mark Wiater
2018-02-09 13:25:06 UTC
Permalink
Post by Roland Giesler
Ok, I'll try again with real (fake) addresses to make it better understood.
WAN gateway: 197.212.127.194 (primary firewall interface), next hop
gateway 197.212.127.193
Interface: Virtual IP 41.22.123.70
Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70
Remote address: 196.210.117.67 (A public ip)
When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.
Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70. This could be because
41.22.123.70 is just a virtual address though, or what? It may not be
meaningful after all.
Feb 8 18:07:40 â–º IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src=41.75.111.178&ipproto=inet>
41.22.123.70:57914
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
196.210.117.67:12345 TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.
Is this wrong? If so, what is right? I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...
thanks again
In my experience, one does not see routes in the routing table for IPSEC based routes.

IPSEC tunneling, I believe, happens before any NATting might. This might be why you're seeing your traffic exit the default gateway since it still possesses it's original ip addresses. I'm not sure what you are trying to achieve is possible on the same device, unless you do some kind of NAT on the incoming interface if that's possible.

Seeing actual configuration files might be helpful. So would the results of packet capture on both I{SEC interfaces.

Mark
Roland Giesler
2018-02-10 01:22:44 UTC
Permalink
The issue has been resolved. I was using ip addresses that were in my list
of virtual ip addresses as well. After removing them from the virtual list
it works like a charm!
Post by Mark Wiater
Post by Roland Giesler
Ok, I'll try again with real (fake) addresses to make it better understood.
WAN gateway: 197.212.127.194 (primary firewall interface), next hop
gateway 197.212.127.193
Interface: Virtual IP 41.22.123.70
Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70
Remote address: 196.210.117.67 (A public ip)
When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.
Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70. This could be because
41.22.123.70 is just a virtual address though, or what? It may not be
meaningful after all.
Feb 8 18:07:40 â–º IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src
=41.75.111.178&ipproto=inet
<https://mailtrack.io/trace/link/353296e0fd669efd7c862ce29e7663e1780f1647?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%26ipproto%3Dinet&userId=977006&signature=5461b84f49a7291f>
41.22.123.70:57914
<https://mailtrack.io/trace/link/c30452f14c6d4a5cb6e3e7c1a63370eb07785153?url=http%3A%2F%2F41.22.123.70%3A57914&userId=977006&signature=8723c0c4a107129a>
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&prot
o=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet
<https://mailtrack.io/trace/link/b3482777c2a8a70cb4fede2b041835060fd0381d?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.111.178%26dst%3D196.201.107.67%26dstport%3D21410%26ipproto%3Dinet&userId=977006&signature=520d060d64cc065f>
196.210.117.67:12345
<https://mailtrack.io/trace/link/531caa74e94d70566fed457c0d5b0ce520dd711f?url=http%3A%2F%2F196.210.117.67%3A12345&userId=977006&signature=f252e0bea96656e6>
TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.
Is this wrong? If so, what is right? I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...
thanks again
In my experience, one does not see routes in the routing table for IPSEC based routes.
IPSEC tunneling, I believe, happens before any NATting might. This might
be why you're seeing your traffic exit the default gateway since it still
possesses it's original ip addresses. I'm not sure what you are trying to
achieve is possible on the same device, unless you do some kind of NAT on
the incoming interface if that's possible.
Seeing actual configuration files might be helpful. So would the results
of packet capture on both I{SEC interfaces.
Mark
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
<https://mailtrack.io/trace/link/924383774a6f97a761e10b93c0572f23ddca274b?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%2Flistinfo%2Flist&userId=977006&signature=340f46c224de5ac2>
Support the project with Gold! https://pfsense.org/gold
<https://mailtrack.io/trace/link/cf3d3c2f2c3a9c57b52bf6dd18b4e32dfdfc0072?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature=ff31344544dc636f>
Chris L
2018-02-10 09:11:06 UTC
Permalink
Post by Mark Wiater
Post by Roland Giesler
Ok, I'll try again with real (fake) addresses to make it better understood.
WAN gateway: 197.212.127.194 (primary firewall interface), next hop
gateway 197.212.127.193
Interface: Virtual IP 41.22.123.70
Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70
Remote address: 196.210.117.67 (A public ip)
When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.
Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70. This could be because
41.22.123.70 is just a virtual address though, or what? It may not be
meaningful after all.
Feb 8 18:07:40 â–º IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src=41.75.111.178&ipproto=inet>
41.22.123.70:57914
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
196.210.117.67:12345 TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.
Is this wrong? If so, what is right? I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...
thanks again
In my experience, one does not see routes in the routing table for IPSEC based routes.
IPSEC tunneling, I believe, happens before any NATting might. This might be why you're seeing your traffic exit the default gateway since it still possesses it's original ip addresses. I'm not sure what you are trying to achieve is possible on the same device, unless you do some kind of NAT on the incoming interface if that's possible.
Seeing actual configuration files might be helpful. So would the results of packet capture on both I{SEC interfaces.
IPsec “routes” do not appear in the routing table. They are installed in the kernel as traffic selectors. Status > IPsec, SPDs.

If you are policy routing on the 192.168.110.130 interface you will need to bypass that with a pass rule to the other side (the Remote Network in the Phase 2) with no gateway set.
Roland Giesler
2018-02-12 09:50:11 UTC
Permalink
Post by Mark Wiater
Post by Mark Wiater
In my experience, one does not see routes in the routing table for IPSEC
based routes.
Post by Mark Wiater
IPSEC tunneling, I believe, happens before any NATting might. This might
be why you're seeing your traffic exit the default gateway since it still
possesses it's original ip addresses. I'm not sure what you are trying to
achieve is possible on the same device, unless you do some kind of NAT on
the incoming interface if that's possible.
Post by Mark Wiater
Seeing actual configuration files might be helpful. So would the results
of packet capture on both I{SEC interfaces.
IPsec “routes” do not appear in the routing table. They are installed in
the kernel as traffic selectors. Status > IPsec, SPDs.
h, I see them there now.
Post by Mark Wiater
If you are policy routing on the 192.168.110.130 interface you will need
to bypass that with a pass rule to the other side (the Remote Network in
the Phase 2) with no gateway set.
The pass rule, how do I set that with no gateway?
Post by Mark Wiater
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Continue reading on narkive:
Loading...