Welcome, Guest. Please login or register.
Did you miss your activation email?
+  pfSense Forum
|-+  pfSense English Support» IPsec» IPsec & Firewall rules / NAT
Username:
Password:
 
Home Help Search Login Register
 

Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: IPsec & Firewall rules / NAT  (Read 2249 times)
0 Members and 1 Guest are viewing this topic.
jahonix
Hero Member
*****
Offline Offline

Posts: 829



View Profile
« on: January 08, 2007, 07:38:29 am »
I experience troubles when trying to establish an IPsec connection between home with dynamic IP and the office with a static one.
Home is set up as mobile client with a Lan subnet of 192.168.2.0/24 and office has a static public IP with 192.168.100.0/24 as LAN subnet. Setup is from HOBA's tutorial still with 1200s lifetime for both phases and sides.

Just to make sure, please correct my ruleset if anything is wrong:

home:
NAT:  WAN        UDP     500     192.168.2.3 (ext.: )    500                 UDP 500 for IPsec
NAT:  WAN        ESP               192.168.2.3 (ext.: )                          ESP for IPsec
RULE: ESP         *        *         WAN address             *        *          NAT ESP for IPsec
RULE: UDP         *        *         WAN address             500     *          NAT UDP500 for IPsec

office:
NAT:  WAN        UDP     500     192.168.100.99 (ext.: )    500                 UDP 500 for IPsec
NAT:  WAN        ESP               192.168.100.99 (ext.: )                          ESP for IPsec
RULE: ESP         *        *         gateway                       *        *           NAT ESP for IPsec
RULE: UDP         *        *         gateway                       500     *           NAT UDP500 for IPsec

gateway is an alias for the pfSense LAN address (192.168.100.99) at office side.

Which entry is correct - ESP to WAN or LAN host (alias: gateway)?

Further on, I have no SAD or SPD on static side whereas I get an SPD entry on the dynamic side but no SAD since the tunnel is not up.
This might be ok.

On systemlogs|firewall tab at home I have racoon pares errors. These do not show up at office side...

Anyone?
Logged
Chris

Theoretically, theory and practis should be the same.
Practically they aren't.
jahonix
Hero Member
*****
Offline Offline

Posts: 829



View Profile
« Reply #1 on: January 08, 2007, 07:50:13 am »
Since there are so many views of this topic I post what finally worked for me and might help others.
Maybe Hoba adds it to his tutorial...

Quote

both sides:
RULE: AH          *        *         WAN address              *       *          AH for IPsec
RULE: ESP         *        *         WAN address              *       *          ESP for IPsec
RULE: UDP         *        *         WAN address              500     *          UDP500 for IPsec


If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.

Do not use any NAT rules, this is not necessary and NAT-traversal (NAT-T) of IPsec is a task on its own.
This usually would require UDP4500 and other things I am not familiar with.
Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal
« Last Edit: January 11, 2007, 02:47:39 pm by jahonix » Logged
Chris

Theoretically, theory and practis should be the same.
Practically they aren't.
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

 

Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Page created in 0.031 seconds with 19 queries.