
Topic: NAT Before VPN

mdima (Sr. Member, Posts: 384)
NAT Before VPN
« on: July 04, 2011, 11:01:14 am »
Hello,
I was getting into this request some months ago, and as I see it's a recurring request... also not only from me but from other users as well... so I propose that all the people who need this can merge this bounty and have it developed...

The purpose of this bounty is to NAT before a VPN (actually, I need only IPSec VPNs, but I try to be more generic in order to catch more subscribers to this bounty).
What I see is that it would be VERY useful if the local IPs of the VPN would be natted before the VPN, in order to show to the other part of the VPN the natted addresses. The final goal is to solve the problem of network overlapping that may happen in many occasions.

As from what I was talking with the pfSense staff, since this looks like something huge to develop, the only way to get this feature is asking the pfSense support. So now come two questions:
- To the pfSense support: Can you make a quotation of working hours to make this work?
- To the other people in the forum: Who can take part of the bounty? How much are you willing to invest on this?

Thanks,
Michele
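The request above is for 1:1 address translation applied to LAN traffic before it enters the IPsec tunnel, so that the peer sees a non-overlapping range. The following is an added illustration of that idea, not code from the original post or from pfSense: it models a pf-style bidirectional prefix mapping (binat), the overlap check, and the phase-2 selectors the tunnel would then use. All subnets, the pool ranges and the packet dictionaries are constructed sample values; the assumption is that each overlapping side translates its own LAN into its own distinct pool.

```python
"""Toy model of "NAT before VPN": 1:1 prefix translation ahead of an IPsec
tunnel to resolve overlapping LAN ranges. Constructed example, not pfSense code."""
from ipaddress import IPv4Address, IPv4Network


def overlaps(local_net: str, remote_net: str) -> bool:
    """True when the two subnets share any address (the overlap problem)."""
    return IPv4Network(local_net).overlaps(IPv4Network(remote_net))


class BinatMap:
    """Bidirectional 1:1 prefix mapping (pf 'binat' style): host bits are kept
    and only the network part is swapped, so every inside host gets a fixed
    outside address and return traffic maps back without a state table."""

    def __init__(self, internal: str, translated: str):
        self.internal = IPv4Network(internal)
        self.translated = IPv4Network(translated)
        if self.internal.prefixlen != self.translated.prefixlen:
            raise ValueError("1:1 mapping needs equal prefix lengths")

    def _shift(self, addr: str, src: IPv4Network, dst: IPv4Network) -> str:
        ip = IPv4Address(addr)
        if ip not in src:
            raise ValueError(f"{addr} is not in {src}")
        host_bits = int(ip) - int(src.network_address)
        return str(IPv4Address(int(dst.network_address) + host_bits))

    def outbound(self, addr: str) -> str:
        """Real inside address -> address the VPN peer sees (before encryption)."""
        return self._shift(addr, self.internal, self.translated)

    def inbound(self, addr: str) -> str:
        """Address the peer used -> real inside address (after decryption)."""
        return self._shift(addr, self.translated, self.internal)


def plan_tunnel(local_net: str, remote_net: str, local_pool: str, remote_pool: str):
    """Return (local BinatMap or None, phase-2 selector pair).

    With no overlap the real subnets are used directly and no NAT is needed.
    With overlap, each side NATs its own LAN into a pool (assumption: the peer
    does the same with remote_pool) and the selectors reference the pools."""
    if not overlaps(local_net, remote_net):
        return None, (local_net, remote_net)
    return BinatMap(local_net, local_pool), (local_pool, remote_pool)


def translate_outbound(binat: BinatMap, pkt: dict) -> dict:
    """Rewrite the source of a LAN -> tunnel packet ({'src': ..., 'dst': ...})."""
    return {**pkt, "src": binat.outbound(pkt["src"])}


def translate_inbound(binat: BinatMap, pkt: dict) -> dict:
    """Rewrite the destination of a tunnel -> LAN packet back to the real host."""
    return {**pkt, "dst": binat.inbound(pkt["dst"])}


if __name__ == "__main__":
    # Constructed scenario: both sites use 192.168.1.0/24.
    binat, selectors = plan_tunnel("192.168.1.0/24", "192.168.1.0/24",
                                   "10.100.1.0/24", "10.100.2.0/24")
    print("phase-2 selectors:", selectors)
    out = translate_outbound(binat, {"src": "192.168.1.20", "dst": "10.100.2.5"})
    print("to peer:", out)
    back = translate_inbound(binat, {"src": "10.100.2.5", "dst": "10.100.1.20"})
    print("from peer:", back)
```

The selectors returned by `plan_tunnel` are what the IPsec phase 2 would negotiate instead of the two identical 192.168.1.0/24 ranges; the `BinatMap` is the translation that must run on the cleartext side of the tunnel, which is exactly the ordering the thread is asking for.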

kapara (Sr. Member, Posts: 504)
Re: NAT Before VPN
« Reply #1 on: September 07, 2011, 03:11:29 pm »
I have been asking for this feature for several years now and the bounty just does not seem to be high enough.  You may be better off investing in a VPN appliance like a Cisco VPN Concentrator or other VPN concentrator appliance since this would only be required at your main location.  This is the route I ended up taking and was cheaper and more effective in the long run.  Cisco VPN Concentrators are cheap since they are end of life but you can probably find something for less than $1500.00 which has support.
Skype ID:  Marinhd

mdima (Sr. Member, Posts: 384)
Re: NAT Before VPN
« Reply #2 on: September 07, 2011, 04:10:26 pm »
I have been asking for this feature for several years now and the bounty just does not seem to be high enough.  You may be better off investing in a VPN appliance like a Cisco VPN Concentrator or other VPN concentrator appliance since this would only be required at your main location.  This is the route I ended up taking and was cheaper and more effective in the long run.  Cisco VPN Concentrators are cheap since they are end of life but you can probably find something for less than $1500.00 which has support.

actually, I would like to remove all the 3 PIX I have in this moment and leave only pfSense, which is already my "main firewall"...
I was googling a little bit today, and I found this:
http://www.undeadly.org/cgi?action=article&sid=20090127205841
I don't know if this can be applied to pfSense, but looks like the solution...

dhatz (Hero Member, Posts: 1002)
Re: NAT Before VPN
« Reply #3 on: September 07, 2011, 07:14:41 pm »
The reason why NAT for IPsec tunnels wasn't supported was because it was a limitation of FreeBSD pf.

However, the change of OpenBSD pf code to allow NAT'ed IPsec VPNs was committed in Jan-2009, OpenBSD 4.5 was released in May-2009 (http://www.openbsd.org/45.html) and in a recent blog post (http://blog.pfsense.org/?p=592) we learned that FreeBSD 9 pf was updated to 4.5, through the work of Ermal and others.

Therefore, since pfSense v2.1 (http://redmine.pfsense.org/projects/pfsense/versions/5) will be based on FreeBSD 9, it seems that the NAT-IPsec feature will finally be doable in pfSense v2.1  :)


mdima (Sr. Member, Posts: 384)
Re: NAT Before VPN
« Reply #4 on: September 07, 2011, 11:58:02 pm »
Therefore, since pfSense v2.1 (http://redmine.pfsense.org/projects/pfsense/versions/5) will be based on FreeBSD 9, it seems that the NAT-IPsec feature will finally be doable in pfSense v2.1  :)

THIS IS GREAT NEWS!
Yes, I knew there was a limitation of FreeBSD for this, I didn't know that on v2.1 this limitation has been solved!
Actually, there is a workaround for that (http://redmine.pfsense.org/issues/595), but it's really messing up the configuration, it's an "expensive workaround"...
You know what? I am going to cancel this bounty and add a feature request for version 2.1... if the syntax I've read on that link is applicable on pfSense 2.1, I think a nice option "Nat before VPN" with a dropdown list with the available ips will be the best way to realize this feature...

Thanks a lot,
Michele

mdima (Sr. Member, Posts: 384)
Re: NAT Before VPN
« Reply #5 on: September 08, 2011, 12:27:05 am »
PS: for reference, I added this: http://redmine.pfsense.org/issues/1855 in redmine... let's see what the others think about that!

ermal (Administrator, Hero Member, Posts: 3357)
Re: NAT Before VPN
« Reply #6 on: September 08, 2011, 02:08:38 am »
It is not a feature of pf 4.5, it's a hack done on the OpenBSD IPsec stack to allow this to happen.
Though there are ways to implement this, by no means is it just an upgrade to pf 4.5.

dhatz (Hero Member, Posts: 1002)
Re: NAT Before VPN
« Reply #7 on: September 08, 2011, 11:02:00 am »
Ermal is correct, it was indeed a patch to OpenBSD ipsec code, it's not related with pf 4.5.

mdima (Sr. Member, Posts: 384)
Re: NAT Before VPN
« Reply #8 on: September 08, 2011, 01:24:45 pm »
Ermal is correct, it was indeed a patch to OpenBSD ipsec code, it's not related with pf 4.5.

oops... ok, it was a nice try... sorry guys if I wasted your time, I really thought it could be applied to FreeBSD also...