
Author Topic: IPsec & Firewall rules / NAT  (Read 2853 times)


jahonix
IPsec & Firewall rules / NAT
« on: January 08, 2007, 06:38:29 am »
I am experiencing trouble when trying to establish an IPsec connection between home, with a dynamic IP, and the office, with a static one.
Home is set up as a mobile client with a LAN subnet of 192.168.2.0/24, and the office has a static public IP with 192.168.100.0/24 as its LAN subnet. The setup is from HOBA's tutorial, still with 1200s lifetime for both phases and sides.

Just to make sure, please correct my ruleset if anything is wrong:

home:
NAT:  WAN        UDP     500     192.168.2.3 (ext.: )    500                 UDP 500 for IPsec
NAT:  WAN        ESP               192.168.2.3 (ext.: )                          ESP for IPsec
RULE: ESP         *        *         WAN address             *        *          NAT ESP for IPsec
RULE: UDP         *        *         WAN address             500     *          NAT UDP500 for IPsec

office:
NAT:  WAN        UDP     500     192.168.100.99 (ext.: )    500                 UDP 500 for IPsec
NAT:  WAN        ESP               192.168.100.99 (ext.: )                          ESP for IPsec
RULE: ESP         *        *         gateway                       *        *           NAT ESP for IPsec
RULE: UDP         *        *         gateway                       500     *           NAT UDP500 for IPsec

gateway is an alias for the pfSense LAN address (192.168.100.99) at office side.

Which entry is correct - ESP to WAN or LAN host (alias: gateway)?

Further on, I have no SAD or SPD on the static side, whereas I get an SPD entry on the dynamic side but no SAD since the tunnel is not up.
This might be OK.

On the system logs | firewall tab at home I have racoon parse errors. These do not show up on the office side...

Anyone?
Chris


Theoretically, theory and practice should be the same.
Practically they aren't.

jahonix
Re: IPsec & Firewall rules / NAT
« Reply #1 on: January 08, 2007, 06:50:13 am »
Since there are so many views of this topic, I'll post what finally worked for me; it might help others.
Maybe Hoba will add it to his tutorial...

Quote

both sides:
RULE: AH          *        *         WAN address              *       *          AH for IPsec
RULE: ESP         *        *         WAN address              *       *          ESP for IPsec
RULE: UDP         *        *         WAN address              500     *          UDP500 for IPsec


If you use the settings from pfSense (which is ESP as Phase 2 protocol), you don't need the AH rule.

Do not use any NAT rules; this is not necessary, and NAT traversal (NAT-T) of IPsec is a task on its own.
This usually would require UDP 4500 and other things I am not familiar with.
Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal

« Last Edit: January 11, 2007, 01:47:39 pm by jahonix »
Chris


Theoretically, theory and practice should be the same.
Practically they aren't.
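The following is an added example, not code from the thread or from pfSense: a small first-match rule evaluator that checks whether a WAN ruleset admits the traffic an IPsec tunnel needs. It models the final ruleset from the reply (AH, ESP and UDP 500 to "WAN address"), the office ruleset from the first post (destination set to the LAN address via the "gateway" alias, with no NAT rewrite applied), and a variant that also opens UDP 4500 for NAT-T. The WAN IP, the packets and the rule objects are constructed for illustration; the protocol numbers (ESP 50, AH 51, UDP 17) and the NAT-T port are standard values.

```python
"""Added example: first-match evaluation of a pfSense-style WAN ruleset
against the packets an IPsec peer sends. Not from the thread or pfSense."""
from dataclasses import dataclass
from typing import Optional, List, Dict

# Protocol names as pfSense shows them; IANA numbers: ESP=50, AH=51, UDP=17
ESP, AH, UDP = "esp", "ah", "udp"

# Constructed placeholder (RFC 5737 documentation range) for the office WAN IP
WAN_ADDRESS = "203.0.113.10"
LAN_ADDRESS = "192.168.100.99"   # the "gateway" alias from the first post


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: Optional[int] = None   # ESP and AH carry no ports


@dataclass(frozen=True)
class Rule:
    proto: str
    dst: str                      # "WAN address" or a literal IP
    dport: Optional[int]          # None means any port
    action: str = "pass"
    descr: str = ""

    def matches(self, pkt: Packet, wan_address: str) -> bool:
        dst = wan_address if self.dst == "WAN address" else self.dst
        return (self.proto == pkt.proto and dst == pkt.dst
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, wan_address: str = WAN_ADDRESS) -> str:
    """Interface rules are evaluated first-match; anything unmatched is blocked."""
    for r in rules:
        if r.matches(pkt, wan_address):
            return r.action
    return "block"


# Ruleset the thread settled on, applied on both sides.
THREAD_RULES = [
    Rule(AH, "WAN address", None, descr="AH for IPsec"),
    Rule(ESP, "WAN address", None, descr="ESP for IPsec"),
    Rule(UDP, "WAN address", 500, descr="UDP500 for IPsec"),
]

# Office ruleset from the first post, evaluated without the NAT port-forward:
# the destination is the LAN address, so traffic aimed at the WAN IP never matches.
FIRST_POST_OFFICE_RULES = [
    Rule(ESP, LAN_ADDRESS, None, descr="NAT ESP for IPsec"),
    Rule(UDP, LAN_ADDRESS, 500, descr="NAT UDP500 for IPsec"),
]

# Thread ruleset plus UDP 4500, the port NAT-T (RFC 3948) uses to carry ESP in UDP.
NAT_T_RULES = THREAD_RULES + [Rule(UDP, "WAN address", 4500, descr="NAT-T")]

# Constructed sample packets as they arrive on the office WAN interface.
IKE_PKT = Packet(UDP, WAN_ADDRESS, 500)     # IKE phase 1/2 negotiation
ESP_PKT = Packet(ESP, WAN_ADDRESS)          # tunnel payload
NAT_T_PKT = Packet(UDP, WAN_ADDRESS, 4500)  # UDP-encapsulated ESP behind NAT
STRAY_PKT = Packet(UDP, WAN_ADDRESS, 53)    # unrelated traffic, must stay blocked


def ipsec_requirements(rules: List[Rule], nat_t_needed: bool) -> Dict[str, bool]:
    """Which tunnel components the ruleset admits: IKE, ESP and optionally NAT-T."""
    needed = {"ike": IKE_PKT, "esp": ESP_PKT}
    if nat_t_needed:
        needed["nat_t"] = NAT_T_PKT
    return {name: evaluate(rules, p) == "pass" for name, p in needed.items()}


def tunnel_can_come_up(rules: List[Rule], nat_t_needed: bool) -> bool:
    return all(ipsec_requirements(rules, nat_t_needed).values())


if __name__ == "__main__":
    for label, rules in (("first post (office)", FIRST_POST_OFFICE_RULES),
                         ("thread ruleset", THREAD_RULES),
                         ("with UDP 4500", NAT_T_RULES)):
        print(f"{label:20s}", ipsec_requirements(rules, nat_t_needed=True))
```

The evaluator is a deliberately minimal model of pf's first-match behaviour: it ignores source matching, state and NAT rewrites, which is exactly why the first-post ruleset fails here, since with no port-forward the LAN-address destination can never match a packet sent to the WAN IP. The NAT-T variant only matters when one peer sits behind a NAT device; the thread's site-to-site case with public IPs on both ends does not need it.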