How about not masking IP addresses? Do you really need NAT in Phase 2? Why?
Eero

8.2.2018 18.17 "Roland Giesler" <[email protected]> wrote:
> I'm trying to find a solution and know there are quite a few pfSense users
> here, so here goes...
>
> We've set up some IPSec tunnels and they connect. The Phase2 also "comes
> up", but we can't reach the hosts specified in the Phase2 "remote network".
>
> One instance (to keep it simpler):
>
> WAN gateway: x.x.x.x (primary firewall interface)
>
> Phase1:
>
> Interface: Virtual IP a.a.a.a
>
> Phase2:
>
> Local address: address c.c.c.c
> Local NAT translation: address a.a.a.a
>
> Remote address: r.r.r.r (A public ip)
>
> When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
> routing table.
>
> Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a virtual
> address though, or what?
>
> In the firewall log I see:
> Feb 8 18:07:40 ► IPsec a.a.a.a:57914 r.r.r.r:12345 TCP:S
>
> So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
> getting any response from the remote.
>
> What is going on here? Should there be a route to r.r.r.r in the routing
> table or does pfSense hide some mechanics of the ports and routes from me?
>
> Thanks
>
> Roland
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
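The behaviour Roland describes (no route for r.r.r.r, yet the log shows a.a.a.a talking to r.r.r.r) is what policy-based IPsec looks like: outbound packets are matched against Phase 2 selectors, after any Phase 2 NAT rewrite, rather than against routing-table entries, and anything that misses every selector falls through to the ordinary default gateway. The following simplified model is an added example, not pfSense or strongSwan code, and it uses constructed RFC 5737 addresses standing in for c.c.c.c, a.a.a.a, r.r.r.r and x.x.x.x:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Phase2:
    local: str            # Phase 2 "Local address" (host or network)
    remote: str           # Phase 2 "Remote address"
    nat: Optional[str]    # Phase 2 "Local NAT translation" (BINAT), or None

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)

def egress(src: str, dst: str, policies, default_gw: str) -> Tuple[str, str]:
    """Model outbound handling: return (source address on the wire, path).

    path is "ipsec" when a Phase 2 selector matches (the packet is protected
    and never consults the routing table), otherwise the default gateway."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in _net(p.local) and d in _net(p.remote):
            if p.nat is None:
                return src, "ipsec"
            # BINAT: 1:1 rewrite of the local selector onto the NAT network,
            # so c.c.c.c leaves the tunnel as a.a.a.a (as in the firewall log)
            offset = int(s) - int(_net(p.local).network_address)
            return str(_net(p.nat).network_address + offset), "ipsec"
    return src, default_gw   # no selector matched: plain routing via x.x.x.x

# Constructed stand-ins for the addresses masked in the thread.
LOCAL_HOST = "192.0.2.10"      # c.c.c.c
NAT_VIP    = "198.51.100.5"    # a.a.a.a (virtual IP used for Phase 1)
REMOTE     = "203.0.113.7"     # r.r.r.r
WAN_GW     = "198.51.100.1"    # x.x.x.x

WITH_NAT    = [Phase2(local=LOCAL_HOST, remote=REMOTE, nat=NAT_VIP)]
WITHOUT_NAT = [Phase2(local=LOCAL_HOST, remote=REMOTE, nat=None)]

if __name__ == "__main__":
    # c.c.c.c -> r.r.r.r is translated to a.a.a.a and enters the tunnel
    print(egress(LOCAL_HOST, REMOTE, WITH_NAT, WAN_GW))
    # a host outside the selector misses the SPD and exits via x.x.x.x
    print(egress("192.0.2.99", REMOTE, WITH_NAT, WAN_GW))
    # without Phase 2 NAT the remote side must accept c.c.c.c directly
    print(egress(LOCAL_HOST, REMOTE, WITHOUT_NAT, WAN_GW))
```

Whichever variant is used, the remote peer's own Phase 2 selectors have to name the address that actually appears on the wire (a.a.a.a with NAT, c.c.c.c without), or the reply is silently dropped on their side.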
