Topic: IPsec & Firewall rules / NAT

jahonix
IPsec & Firewall rules / NAT
« on: January 08, 2007, 06:38:29 am »
I experience trouble when trying to establish an IPsec connection between home, with a dynamic IP, and the office, with a static one.
Home is set up as a mobile client with a LAN subnet of 192.168.2.0/24, and the office has a static public IP with 192.168.100.0/24 as its LAN subnet. The setup is from HOBA's tutorial, still with 1200 s lifetimes for both phases on both sides.

Just to make sure, please correct my ruleset if anything is wrong:

home:
      If   Proto  Ext. port  NAT IP                Int. port  Description
NAT:  WAN  UDP    500        192.168.2.3 (ext.: )  500        UDP 500 for IPsec
NAT:  WAN  ESP    -          192.168.2.3 (ext.: )  -          ESP for IPsec
      Proto  Source  Port  Destination  Port  Description
RULE: ESP    *       *     WAN address  *     NAT ESP for IPsec
RULE: UDP    *       *     WAN address  500   NAT UDP500 for IPsec

office:
      If   Proto  Ext. port  NAT IP                   Int. port  Description
NAT:  WAN  UDP    500        192.168.100.99 (ext.: )  500        UDP 500 for IPsec
NAT:  WAN  ESP    -          192.168.100.99 (ext.: )  -          ESP for IPsec
      Proto  Source  Port  Destination  Port  Description
RULE: ESP    *       *     gateway      *     NAT ESP for IPsec
RULE: UDP    *       *     gateway      500   NAT UDP500 for IPsec

gateway is an alias for the pfSense LAN address (192.168.100.99) at office side.

Which entry is correct: ESP to the WAN address or to the LAN host (alias: gateway)?

Furthermore, I have no SAD or SPD entries on the static side, whereas I get an SPD entry on the dynamic side but no SAD, since the tunnel is not up.
This might be OK.

On the System logs | Firewall tab at home I have racoon parse errors. These do not show up on the office side...

Anyone?
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

jahonix
Re: IPsec & Firewall rules / NAT
« Reply #1 on: January 08, 2007, 06:50:13 am »
Since this topic has had so many views, I'm posting what finally worked for me; it might help others.
Maybe Hoba will add it to his tutorial...

Quote

both sides:
      Proto  Source  Port  Destination  Port  Description
RULE: AH     *       *     WAN address  *     AH for IPsec
RULE: ESP    *       *     WAN address  *     ESP for IPsec
RULE: UDP    *       *     WAN address  500   UDP500 for IPsec


If you use the settings from pfSense (which use ESP as the Phase 2 protocol), you don't need the AH rule.

Do not use any NAT rules; this is not necessary, and NAT traversal (NAT-T) for IPsec is a task of its own.
It usually requires UDP 4500 and other things I am not familiar with.
Have a look here:  http://en.wikipedia.org/wiki/NAT_traversal

« Last Edit: January 11, 2007, 01:47:39 pm by jahonix »
Chris

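An added example (not from the post above and not pfSense code): a toy first-match packet filter that models the WAN rules from this thread and shows which parts of an IPsec exchange each variant admits. The WAN and peer addresses are assumed placeholders, and the rule semantics are a deliberate simplification of pf: the first matching pass rule wins, unmatched traffic on WAN is blocked, and "WAN address" stands for the firewall's own public IP while the "gateway" alias stands for the office LAN address from the first post.

```python
# Added example, not from the original post or from pfSense. It models the WAN
# rules discussed in the thread with simplified pf semantics (assumption): first
# matching pass rule decides, anything unmatched on WAN is blocked.
from dataclasses import dataclass
from typing import List, Optional

WAN_ADDRESS = "203.0.113.10"    # assumed placeholder for the firewall's public WAN IP
LAN_ADDRESS = "192.168.100.99"  # office LAN address behind the "gateway" alias (from the post)
PEER = "198.51.100.7"           # assumed placeholder for the remote peer's public IP


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "esp", "ah", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    proto: str                  # protocol name or "*"
    dst: str                    # IP, alias ("WAN address" / "gateway"), or "*"
    dport: Optional[int]        # destination port, None for any
    descr: str

    def matches(self, pkt: Packet) -> bool:
        aliases = {"WAN address": WAN_ADDRESS, "gateway": LAN_ADDRESS}
        dst = aliases.get(self.dst, self.dst)
        return ((self.proto == "*" or self.proto == pkt.proto)
                and (dst == "*" or dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return "pass" for the first matching pass rule, else "block" (WAN default)."""
    for rule in rules:
        if rule.matches(pkt):
            return "pass"
    return "block"


# The ruleset from the reply (pass rules on the WAN interface, both sides).
POSTED_RULES = [
    Rule("ah",  "WAN address", None, "AH for IPsec"),
    Rule("esp", "WAN address", None, "ESP for IPsec"),
    Rule("udp", "WAN address", 500,  "UDP500 for IPsec"),
]

# The office-side variant from the first post, with the LAN alias as destination.
LAN_ALIAS_RULES = [
    Rule("esp", "gateway", None, "NAT ESP for IPsec"),
    Rule("udp", "gateway", 500,  "NAT UDP500 for IPsec"),
]

# What NAT-T would add on top: with NAT-T, IKE and ESP both ride inside UDP 4500.
NAT_T_RULE = Rule("udp", "WAN address", 4500, "UDP4500 for IPsec NAT-T")

# Constructed packets as they arrive on WAN: the peer addresses the public IP,
# never the LAN address, so that is the destination the rule must match.
IKE_PKT   = Packet("udp", PEER, WAN_ADDRESS, 500)
ESP_PKT   = Packet("esp", PEER, WAN_ADDRESS)
AH_PKT    = Packet("ah",  PEER, WAN_ADDRESS)
NAT_T_PKT = Packet("udp", PEER, WAN_ADDRESS, 4500)


def ipsec_admitted(rules: List[Rule]) -> dict:
    """Which parts of an IPsec exchange the given WAN ruleset lets through."""
    return {
        "ike":   evaluate(rules, IKE_PKT) == "pass",
        "esp":   evaluate(rules, ESP_PKT) == "pass",
        "ah":    evaluate(rules, AH_PKT) == "pass",
        "nat_t": evaluate(rules, NAT_T_PKT) == "pass",
    }


if __name__ == "__main__":
    for name, rules in [("posted (WAN address)", POSTED_RULES),
                        ("LAN alias 'gateway'", LAN_ALIAS_RULES),
                        ("posted + NAT-T", POSTED_RULES + [NAT_T_RULE])]:
        print(f"{name:22} -> {ipsec_admitted(rules)}")
```

Running it shows the three outcomes the thread turns on: the posted rules admit IKE (UDP 500) and ESP to the WAN address; the rules pointed at the "gateway" alias match nothing, because the peer's packets are addressed to the public WAN IP, not to 192.168.100.99; and UDP 4500 stays blocked until a NAT-T rule is added, which is the extra work the reply alludes to. Dropping the AH rule leaves AH blocked while ESP still passes. The NAT entries from the first post are intentionally not modelled, since the reply's conclusion is that they are not needed.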