Topic: need to connect via different subnet over IPSec VPN

adsys.in (Newbie, Posts: 3)
need to connect via different subnet over IPSec VPN
« on: September 23, 2011, 09:49:14 am »
hello,
I have a big problem. I'm new to using pfSense 2.0.

I need to connect to my SAP HR hosting partner. Their requirements:

The LAN subnet where SAP HR is hosted is 172.10.5.0/24, and they are forcing me to use 172.10.8.0/28 as my local subnet.
The problem is, I'm using a different local subnet: 192.168.0.0/24.

I cannot make a translation from 192.168.0.0/24 to 172.10.8.0/28 (the hosting partner accepts a tunnel ONLY between 172.10.5.0/24 <-> 172.10.8.0/28).

What to do? How to configure pfSense (NAT, VIP, etc. etc.)? :-[

The tunnel is made over IPSec between my public IP (pfSense) and theirs (Cisco).

torino (Newbie, Posts: 18)
Re: need to connect via different subnet over IPSec VPN
« Reply #1 on: September 24, 2011, 03:08:56 am »
hi,

The tunnel will be established between 172.10.5.0/24 <-> 172.10.8.0/28. So packets can be sent through the tunnel from your SAP partner with a destination IP in 172.10.8.0/28.

By using 1:1 NAT, it should be possible to translate the destination IP into your IP range, and also the way back by translating the source IP.
The problem could be the different subnet size...


adsys.in (Newbie, Posts: 3)
Re: need to connect via different subnet over IPSec VPN
« Reply #2 on: September 24, 2011, 12:00:04 pm »
But how to configure 1:1 NAT?
I cannot send any packets.

torino (Newbie, Posts: 18)
Re: need to connect via different subnet over IPSec VPN
« Reply #3 on: September 26, 2011, 01:33:16 pm »
hi!

I would try to configure 1:1 NAT:

Firewall > NAT > 1:1
Interface: IPsec
External IP: 172.10.8.0
Internal IP: 192.168.0.0

Reason: packets from your SAP provider have a destination IP in 172.10.8.0/28. This should be switched to the 192.168.0.0/28 network, and also vice versa. The problem could be the different subnet length.

That's what I suggest, but I am also new in this area and I am also fighting with NAT and proxy ARP...

jimp (Administrator, Hero Member, Posts: 14934)
Re: need to connect via different subnet over IPSec VPN
« Reply #4 on: September 26, 2011, 01:35:53 pm »
You cannot do NAT+IPsec in that way. It doesn't work.

The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.

IIRC there are other issues there as well, but it's a known issue that is fairly well documented.

torino (Newbie, Posts: 18)
Re: need to connect via different subnet over IPSec VPN
« Reply #5 on: September 26, 2011, 02:43:12 pm »
hmm. yes, the traffic should fit with phase 2.

packets which are coming from the provider (out of the tunnel) have

Dest-IP: 178.10.8.0/24
Source-IP: 172.10.5.0/24

(.... this fits with phase 2.)

after 1:1 NAT (dest) in pfsense, we have

Dest-IP: 192.168.0.0/24
Source-IP: 172.10.5.0/24
..... (Destination IP changed)

this packet should reach the destination host.
the reply from the host has

Dest-IP: 172.10.5.0/24
Source-IP: 192.168.0.0/24

after 1:1 NAT (source) in pfsense we have for the tunnel

Dest-IP: 172.10.5.0/24
Source-IP: 172.10.8.0/24

...this fits again with phase 2


please let me know what is wrong ....

adsys.in (Newbie, Posts: 3)
Re: need to connect via different subnet over IPSec VPN
« Reply #6 on: September 27, 2011, 06:22:18 am »
for example, a traceroute to 172.10.5.1 from a host in subnet 192.168.0.0 shows the trace going to the default gateway and the internet, and nowhere else;
not into the IPsec tunnel, via 172.10.8.0 to 172.10.5.0, at least :(

torino (Newbie, Posts: 18)
Re: need to connect via different subnet over IPSec VPN
« Reply #7 on: September 27, 2011, 01:33:37 pm »
You have to consider that the IP addresses must fit the Phase 2 configuration of IPsec
before you send the packet to the tunnel.
Phase 2 is established with 178.10.8.0/24 and 172.10.5.0/24. Only these addresses are accepted
by the VPN, but you want to send a packet with 192.168.0.0 and 172.10.5.0/24.
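As an added illustration (not code from any poster in this thread), here is a small Python model of the Phase 2 selector check that jimp and torino describe, using the networks from the original post (172.10.5.0/24 and 172.10.8.0/28 as the partner's selectors, 192.168.0.0/24 as the real LAN). It shows why an untranslated 192.168.0.x packet falls through to the default gateway, what a 1:1 mapping would have to do to make it match, and where the /24-to-/28 size mismatch breaks that mapping.

```python
import ipaddress

# Values taken from the thread: the partner's Phase 2 selectors and the real LAN.
REMOTE_NET = ipaddress.ip_network("172.10.5.0/24")        # partner's SAP HR LAN
TUNNEL_LOCAL_NET = ipaddress.ip_network("172.10.8.0/28")  # what the partner accepts as "our" side
REAL_LAN = ipaddress.ip_network("192.168.0.0/24")         # the asker's actual LAN


def matches_phase2(src, dst):
    """IPsec selector check: a packet is only a tunnel candidate when its
    source is inside the local selector and its destination inside the remote one."""
    return (ipaddress.ip_address(src) in TUNNEL_LOCAL_NET
            and ipaddress.ip_address(dst) in REMOTE_NET)


def translate_1to1(addr, from_net, to_net):
    """1:1 (BINAT-style) mapping: keep the host offset, swap the network part.
    Returns None when the host offset does not fit inside the target network,
    which is exactly the /24 vs /28 subnet-size problem raised in the thread."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        return None
    offset = int(addr) - int(from_net.network_address)
    if offset >= to_net.num_addresses:
        return None
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def outbound_path_untranslated(src, dst):
    """Selector check on the packet as the LAN host sent it (the situation
    jimp describes): no match means it never enters the tunnel and is routed
    normally, matching the traceroute towards the default gateway in Reply #6."""
    return "tunnel" if matches_phase2(src, dst) else "default-gateway"


def outbound_path_translated_first(src, dst):
    """What a working setup would need: rewrite the source into the
    partner-accepted /28 *before* the selector check. Hosts beyond the
    first 16 addresses of the /24 have no counterpart and still miss the tunnel."""
    nat_src = translate_1to1(src, REAL_LAN, TUNNEL_LOCAL_NET)
    if nat_src is None:
        return "default-gateway"
    return "tunnel" if matches_phase2(str(nat_src), dst) else "default-gateway"


def inbound_real_destination(dst):
    """Reverse mapping for packets leaving the tunnel addressed to 172.10.8.x,
    giving the real 192.168.0.x host (or None if dst is outside the selector)."""
    return translate_1to1(dst, TUNNEL_LOCAL_NET, REAL_LAN)
```

Running it for a host such as 192.168.0.10 talking to 172.10.5.1 shows "default-gateway" for the untranslated check and "tunnel" only when the translation happens first; a host like 192.168.0.20 has no slot in the /28 and misses the tunnel either way.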

dhatz (Hero Member, Posts: 1002)
Re: need to connect via different subnet over IPSec VPN
« Reply #8 on: September 27, 2011, 02:07:35 pm »
On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855