Well. Maybe You need to hire pfsense consultant with NDA, so you can unmask needed information.
Usually there is no need to NAT in ipsec as you can tunnel private network/ip address too and limit access with firewall rules. Eero On Thu, Feb 8, 2018 at 9:42 PM, Roland Giesler <[email protected]> wrote: > On 8 February 2018 at 20:40, Eero Volotinen <[email protected]> wrote: > > > how about not masking ip addresses? > > > > I'm not allowed to show the ip addresses (by my client), hence the > masking... > > I thought I need NAT, but I also testing simply added the virtual ip, > a.a.a.a as the address, but it still doesn't work. > > > > > > > do you really need nat in phase 2 ? why? > > > > I have servers in a farm all NAT'ed (ie they only have LAN addresses) and > use NAT to forward the desired traffic to them (ie HTTPS to a web server). > > Now, it I want to establish an IPSec link that will allow a service > provider to push API calls to our server (with the NAT'ed address), I want > to give them a public address to talk to and them NAT that traffic to the > actual server. I understood that's the point of having NAT as an option in > phase2? > > I don't see any other way to achieve that, not? > > > > > > > Eero > > > > > > > > 8.2.2018 18.17 "Roland Giesler" <[email protected]> kirjoitti: > > > > > I'm trying to find a solution and know there are quite a few pfSense > > users > > > here, so here goes... > > > > > > We've set up some IPSec tunnels and they connect. The Phase2 also > "comes > > > up", but we can't reach the hosts specified in the Phase2 "remote > > network". > > > > > > One instance (to keep it simpler): > > > > > > WAN gateway: x.x.x.x (primary firewall interface) > > > > > > Phase1: > > > > > > Interface: Virtual IP a.a.a.a > > > > > > Phase2: > > > > > > Local address: address c.c.c.c > > > Local NAT translation: address a.a.a.a > > > > > > Remote address: r.r.r.r (A public ip) > > > > > > When phase1 and 2 are up and connected, I see no route for r.r.r.r in > the > > > routing table. > > > > > > Doing a traceroute from c.c.c.c, I get traffic leaving the network via > > > x.x.x.x, not via a.a.a.a. This could be because x.x.x.x is just a > > virtual > > > address though, or what? > > > > > > In the firewall log I see: > > > Feb 8 18:07:40 ► IPsec > > > <https://mailtrack.io/trace/link/3810b0b653bf2d2e2cba22508a65c8 > > <https://mailtrack.io/trace/link/892ace929998acda9ead81d80013db > e1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink% > 2F3810b0b653bf2d2e2cba22508a65c8&userId=977006&signature=9d738053b0d33cb5> > > > ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz > > <https://mailtrack.io/trace/link/f83ddb7327a8f200d411500bbce4cd > 5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006& > signature=2a744f53ef768e7b> > > %2Feasyrule.php% > > > 3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178% > > > 26ipproto%3Dinet&userId=977006&signature=20ffc7b51058b751> > > > a.a.a.a:57914 > > > <https://mailtrack.io/trace/link/1a280d2835c7f522f38efd56201a0e > > <https://mailtrack.io/trace/link/7695ee502d0c9ac5d0ed75c5577abe > eec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink% > 2F1a280d2835c7f522f38efd56201a0e&userId=977006&signature=571e99f7a2732a8f> > > > b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz > > <https://mailtrack.io/trace/link/c2904059b91634be72796e03b8ffb1 > 4066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz&userId=977006& > signature=cdc956157cdd5df3> > > %2Feasyrule.php% > > > 3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75. > > > 111.178%26dst%3D196.201.107.67%26dstport%3D21410% > > 26ipproto%3Dinet&userId= > > > 977006&signature=9606a76d3910d126> > > > r.r.r.r:12345 TCP:S > > > So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm > > not > > > getting any response from the remote. > > > > > > What is going on here? Should there be a route to r.r.r.r in the > routing > > > table or does pfSense hide some mechanics of the ports and routes from > > me? > > > > > > Thanks > > > > > > Roland > > > _______________________________________________ > > > pfSense mailing list > > > https://lists.pfsense.org/mailman/listinfo/list > > <https://mailtrack.io/trace/link/813c2da34aa99bf7f9eec9ae50b37e > 3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman% > 2Flistinfo%2Flist&userId=977006&signature=18f942cb3843942b> > > > Support the project with Gold! https://pfsense.org/gold > > <https://mailtrack.io/trace/link/460987973799abd5c29871361dc34f > d4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature= > 9b7e0fb022e1d4b3> > > _______________________________________________ > > pfSense mailing list > > https://lists.pfsense.org/mailman/listinfo/list > > <https://mailtrack.io/trace/link/0552102ab27c30e6e81901e0c9ebf8 > bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman% > 2Flistinfo%2Flist&userId=977006&signature=cf850d54e37d5986> > > Support the project with Gold! https://pfsense.org/gold > > <https://mailtrack.io/trace/link/a64fb335799a74808cd4b40672ab63 > 34c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold&userId=977006&signature= > 6f1a46c71565950f> > _______________________________________________ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold > _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
