Hello, I have a problem when trying to connect from inside my network to an external SonicWall VPN server.

Sniffing traffic on my firewall (both interfaces, LAN/WAN) shows me that the internal IP address is not being NATed, but NAT is working for any other use (IP traffic and other non-SonicWall VPN servers).

When trying with the SonicWall client, on both interfaces I can see this traffic:

    18:10:25.718378 IP 192.168.255.241.500 > SONICWALL.500: isakmp: phase 1 I agg
    18:10:25.718401 IP 192.168.255.241 > SONICWALL.225: udp

Another test, connecting to a non-SonicWall VPN server, shows this traffic on the LAN interface:

    18:10:30.003703 IP 192.168.255.241.6321 > IPSEC_SERVER.500: isakmp: phase 1 I agg
    18:10:30.043896 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 1 R agg
    18:10:30.195077 IP 192.168.255.241.6321 > IPSEC_SERVER.500: isakmp: phase 1 I agg[E]
    18:10:30.195090 IP 192.168.255.241.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I inf[E]
    18:10:30.244034 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 2/others R #6[E]
    18:10:30.244551 IP 192.168.255.241.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I #6[E]
    18:10:30.265647 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 2/others R #6[E]
    18:10:30.330998 IP 192.168.255.241.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I inf[E]

and this traffic on the WAN interface:

    18:10:30.003703 IP WAN_ADDRESS.6321 > IPSEC_SERVER.500: isakmp: phase 1 I agg
    18:10:30.043896 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 1 R agg
    18:10:30.195077 IP WAN_ADDRESS.6321 > IPSEC_SERVER.500: isakmp: phase 1 I agg[E]
    18:10:30.195090 IP WAN_ADDRESS.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I inf[E]
    18:10:30.244034 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 2/others R #6[E]
    18:10:30.244551 IP WAN_ADDRESS.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I #6[E]
    18:10:30.265647 IP IPSEC_SERVER.500 > WAN_ADDRESS.6321: isakmp: phase 2/others R #6[E]
    18:10:30.330998 IP WAN_ADDRESS.6321 > IPSEC_SERVER.500: isakmp: phase 2/others I inf[E]

The question is why pfSense is not NATing a particular IPsec connection, while NAT has been working in the same configuration for a long time.

The pfSense version is 2.0.3 on 2 boxes using CARP for redundancy.

Thanks, any help would be appreciated.

--
Toni Garcia
Systems Technician
Oracle Linux Certified Implementation Specialist
Oracle Certified Professional Solaris 10 System Administrator
SISTEL Servicios Informáticos de Software y Telecomunicaciones
Avd. Los Jarales, 4 (03010) ALICANTE
TLF 965930080 - FAX 901021558
www.sistel.es
Please consider your environmental responsibility before printing this e-mail.
