Author Topic: need to connect via different subnet over IPSec VPN  (Read 1903 times)
adsys.in
« on: September 23, 2011, 09:49:14 am »

hello,
I have a big problem. I'm new to using pfSense 2.0.

I need to connect to my SAP HR hosting partner. His requirements:

The LAN subnet where SAP HR is hosted is 172.10.5.0/24, and they are forcing me to use 172.10.8.0/28 as my local subnet.
The problem is, I'm using a different local subnet: 192.168.0.0/24.

I cannot make a translation from 192.168.0.0/24 to 172.10.8.0/28 (the hosting partner accepts a tunnel ONLY between 172.10.5.0/24 <-> 172.10.8.0/28).

What to do? How to configure pfSense (NAT, VIP, etc. etc.)?

The tunnel is made over IPsec between my public IP (pfSense) and theirs (Cisco).
torino
« Reply #1 on: September 24, 2011, 03:08:56 am »

hi,

The tunnel will be established between 172.10.5.0/24 <-> 172.10.8.0/28. So
packets can be sent through the tunnel with destination IP 172.10.8.0/28 from your
SAP partner.

By using 1:1 NAT, it should be possible to translate the destination IP into your IP range,
and also the way back by translating the source IP.
A problem could be the different subnet size...

adsys.in
« Reply #2 on: September 24, 2011, 12:00:04 pm »

But how to configure 1:1 NAT?
I cannot send any packets.
torino
« Reply #3 on: September 26, 2011, 01:33:16 pm »

hi!

I would try to configure 1:1 NAT:

Firewall > NAT > 1:1
Interface: IPsec
External IP: 172.10.8.0
Internal IP: 192.168.0.0

Reason: packets from your SAP provider have destination IP 172.10.8.0/28. This should be switched to
the 192.168.0.0/28 network and also vice versa. A problem could be the different subnet length.

That's what I suggest, but I am also new in this area and I am also fighting with NAT and ARP Proxy ...
jimp
« Reply #4 on: September 26, 2011, 01:35:53 pm »

You cannot do NAT+IPsec in that way. It doesn't work.

The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.

IIRC there are other issues there as well, but it's a known issue that is fairly well documented.
torino
« Reply #5 on: September 26, 2011, 02:43:12 pm »

hmm. yes, the traffic should fit with phase 2.

packets which are coming from the provider (out of the tunnel) have

Dest-IP: 178.10.8.0/24
Source-IP: 172.10.5.0/24

(.... this fits with phase 2.)

after 1:1 NAT (dest) in pfSense, we have

Dest-IP: 192.168.0.0/24
Source-IP: 172.10.5.0/24
..... (destination IP changed)

this packet should reach the destination host.
the reply from the host has

Dest-IP: 172.10.5.0/24
Source-IP: 192.168.0.0/24

after 1:1 NAT (source) in pfSense we have for the tunnel

Dest-IP: 172.10.5.0/24
Source-IP: 172.10.8.0/24

...this fits again with phase 2

please let me know what is wrong ....
adsys.in
« Reply #6 on: September 27, 2011, 06:22:18 am »

for example, a traceroute to 172.10.5.1 from a host in subnet 192.168.0.0 shows a trace to the default gateway and the internet and nowhere else,
not to the IPsec tunnel via 172.10.8.0 to 172.10.5.0, at least
torino
« Reply #7 on: September 27, 2011, 01:33:37 pm »

you have to consider that the IP addresses must fit with the Phase 2 configuration of IPsec
before you send the packet to the tunnel.
Phase 2 is established with 178.10.8.0/24 and 172.10.5.0/24. Only these addresses are accepted
by the VPN, but you want to send a packet with 192.168.0.0 and 172.10.5.0/24.
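The packet walk in reply #5 and the selector argument in reply #7 can be checked against each other with a small model. The following Python is an added example written for this thread; it is not pfSense code and not anything a poster supplied. It assumes the selectors the first post gives (partner side 172.10.5.0/24, expected local side 172.10.8.0/28) and the real LAN 192.168.0.0/24, and it models the two orderings that the thread argues about: the selector check applied to the un-translated packet (the 2.0 behaviour jimp describes, where LAN traffic never enters the tunnel) versus 1:1 NAT applied before the selector check (what torino's walk-through silently assumes). The `packet`, `nat_1to1`, `route_outbound` and `route_inbound` names are this example's own. It also shows torino's subnet-size caveat: a /24 cannot be mapped 1:1 onto a /28, so only a /28 slice of the LAN can be translated and hosts outside it get no mapping at all.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Traffic selectors the hosting partner accepts, as stated in the first post.
PHASE2_LOCAL = ipaddress.ip_network("172.10.8.0/28")   # what the partner expects as "our" side
PHASE2_REMOTE = ipaddress.ip_network("172.10.5.0/24")  # SAP HR network
# The real LAN behind pfSense in the thread.
LAN = ipaddress.ip_network("192.168.0.0/24")
# Only a /28 slice of the LAN can be mapped 1:1 onto a /28 (torino's subnet-size caveat).
# Which slice is used is an assumption of this example.
LAN_NAT_SLICE = ipaddress.ip_network("192.168.0.0/28")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def packet(src: str, dst: str) -> Packet:
    """Convenience constructor from dotted-quad strings."""
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def matches_phase2(pkt: Packet, outbound: bool) -> bool:
    """Does the packet fall inside the phase 2 selectors?
    Outbound: src in our selector and dst in the partner's; inbound the reverse."""
    if outbound:
        return pkt.src in PHASE2_LOCAL and pkt.dst in PHASE2_REMOTE
    return pkt.src in PHASE2_REMOTE and pkt.dst in PHASE2_LOCAL


def nat_1to1(addr: ipaddress.IPv4Address,
             from_net: ipaddress.IPv4Network,
             to_net: ipaddress.IPv4Network) -> Optional[ipaddress.IPv4Address]:
    """1:1 (BINAT) translation: keep the host bits, swap the network bits.
    Returns None when the networks differ in size or addr lies outside from_net,
    which is exactly the /24-onto-/28 problem raised in the thread."""
    if from_net.prefixlen != to_net.prefixlen or addr not in from_net:
        return None
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def route_outbound(pkt: Packet, nat_before_selector: bool) -> str:
    """Where does an outbound LAN packet end up?
    nat_before_selector=False models the behaviour jimp describes: the selector
    check sees the un-translated 192.168.0.x source, so the tunnel is never chosen
    and the packet follows the default route (the traceroute result in reply #6)."""
    if nat_before_selector:
        new_src = nat_1to1(pkt.src, LAN_NAT_SLICE, PHASE2_LOCAL)
        if new_src is None:
            return "dropped: source outside the 1:1 mapped /28"
        pkt = Packet(new_src, pkt.dst)
    if matches_phase2(pkt, outbound=True):
        return f"tunnel: {pkt.src} -> {pkt.dst}"
    return "default route (internet): does not match phase 2"


def route_inbound(pkt: Packet) -> str:
    """Packet from the partner leaving the tunnel, then 1:1 NAT on the destination
    (the first half of torino's walk-through in reply #5)."""
    if not matches_phase2(pkt, outbound=False):
        return "rejected: not inside phase 2"
    new_dst = nat_1to1(pkt.dst, PHASE2_LOCAL, LAN_NAT_SLICE)
    if new_dst is None:
        return "dropped: destination outside the 1:1 mapped /28"
    return f"LAN: {pkt.src} -> {new_dst}"


if __name__ == "__main__":
    lan_host = packet("192.168.0.10", "172.10.5.1")      # constructed sample flow
    print(route_outbound(lan_host, nat_before_selector=False))
    print(route_outbound(lan_host, nat_before_selector=True))
    far_host = packet("192.168.0.100", "172.10.5.1")     # outside the mapped /28
    print(route_outbound(far_host, nat_before_selector=True))
    from_partner = packet("172.10.5.1", "172.10.8.10")   # reply coming out of the tunnel
    print(route_inbound(from_partner))
```

Running it shows the same host reaching the tunnel only when the translation happens before the selector match, and shows 192.168.0.100 having no mapping at all, which is the practical consequence of torino's "different subnet length" remark even on platforms where NAT before IPsec is supported. (Later pfSense releases added a NAT/BINAT option on the phase 2 entry for this case; this model does not reproduce that feature, only the ordering question.)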
dhatz
« Reply #8 on: September 27, 2011, 02:07:35 pm »

On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855