On 2/9/2018 6:42 AM, Roland Giesler wrote:
Ok, I'll try again with real (fake) addresses to make it better understood.

WAN gateway: 197.212.127.194  (primary firewall interface), next hop
gateway 197.212.127.193

Phase1:

Interface: Virtual IP 41.22.123.70

Phase2:

Local address: address 192.168.110.130
Local NAT translation: address 41.22.123.70

Remote address: 196.210.117.67   (A public ip)

When phase1 and 2 are up and connected, I see no route for 196.210.117.67
in the routing table.

Doing a traceroute from 192.168.110.130, I get traffic leaving the network
via 197.212.127.193, not via 41.22.123.70.  This could be because
41.22.123.70 is just a virtual address though, or what?  It may not be
meaningful after all.

In the firewall log I see:
Feb 8 18:07:40 ► IPsec
<https://in.gtst.xyz/easyrule.php?action=block&int=ipsec&src=41.75.111.178&ipproto=inet>
41.22.123.70:57914
<https://in.gtst.xyz/easyrule.php?action=pass&int=ipsec&proto=tcp&src=41.75.111.178&dst=196.201.107.67&dstport=21410&ipproto=inet>
196.210.117.67:12345 TCP:S
So traffic is being allowed via IPsec from 41.22.123.70 to 196.210.117.67,
but I'm not getting any response from the remote.

Is this wrong?  If so, what is right?  I cannot expose the LAN ip address
to the tunnel (192.168.110.130), I need to use the public IP...

thanks again



In my experience, one does not see routes in the routing table for IPSEC based 
routes.

IPSEC tunneling, I believe, happens before any NATting might. This might be why 
you're seeing your traffic exit the default gateway since it still possesses 
its original ip addresses. I'm not sure what you are trying to achieve is 
possible on the same device, unless you do some kind of NAT on the incoming 
interface if that's possible.

Seeing actual configuration files might be helpful. So would the results of 
packet capture on both IPSEC interfaces.

Mark
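The ordering question Mark raises (does the phase 2 NAT translation happen before or after the tunnel's policy lookup) can be modelled without a firewall. The block below is an added illustration, not code from the thread or from pfSense: it implements a minimal security policy database (SPD) selector match and a 1:1 translation step in plain Python, using the addresses Roland posted, and runs both orderings so you can see which one sends the LAN host's packet out the default gateway with its original source address. The class names, the `site-b` policy label and the `nat_before_spd` switch are my own; which order pfSense actually uses is exactly what the thread leaves open, so the model does not assume either.

```python
"""Model of a policy-based IPsec decision with a phase 2 NAT translation.

Added example for the pfSense list thread; not pfSense code. It models the
SPD selector lookup and a 1:1 (BINAT-style) source rewrite as plain Python
and takes the NAT-vs-SPD ordering as a parameter, since that ordering is
the open question in the thread. Addresses are the poster's fictitious ones.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Phase2Policy:
    """One phase 2 traffic selector: local network/host <-> remote network/host."""
    local: str
    remote: str
    name: str = "p2"


@dataclass(frozen=True)
class BinatRule:
    """1:1 rewrite of a local address into the address presented in the tunnel."""
    internal: str
    external: str


def spd_lookup(pkt, policies):
    """Return the first phase 2 policy whose selectors cover the packet, or None."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for pol in policies:
        if s in ip_network(pol.local, strict=False) and d in ip_network(pol.remote, strict=False):
            return pol
    return None


def apply_binat(pkt, rules):
    """Rewrite the source address when a 1:1 rule matches it; otherwise return it unchanged."""
    for r in rules:
        if ip_address(pkt.src) == ip_address(r.internal):
            return replace(pkt, src=r.external)
    return pkt


def route_packet(pkt, policies, binat, nat_before_spd):
    """Decide where an outbound packet goes.

    Returns ("ipsec", policy_name, packet_as_seen_in_tunnel) when a phase 2
    selector matches, otherwise ("default-gateway", None, packet).
    With nat_before_spd=False the translation is bound to the phase 2 entry and
    is only applied once a selector has matched, so a LAN-sourced packet never
    gets the chance to match a selector written for the public address.
    """
    if nat_before_spd:
        pkt = apply_binat(pkt, binat)
        pol = spd_lookup(pkt, policies)
    else:
        pol = spd_lookup(pkt, policies)
        if pol is not None:
            pkt = apply_binat(pkt, binat)
    if pol is None:
        return ("default-gateway", None, pkt)
    return ("ipsec", pol.name, pkt)


# Constructed from the addresses in the thread (fictitious per the poster).
POLICIES = [Phase2Policy(local="41.22.123.70/32", remote="196.210.117.67/32", name="site-b")]
BINAT = [BinatRule(internal="192.168.110.130", external="41.22.123.70")]
LAN_PKT = Packet(src="192.168.110.130", dst="196.210.117.67", sport=57914, dport=12345)

if __name__ == "__main__":
    for order in (True, False):
        label = "NAT before SPD" if order else "SPD before NAT"
        print(f"{label}: {route_packet(LAN_PKT, POLICIES, BINAT, order)}")
```

Running it shows the two outcomes side by side: with the rewrite applied first, the packet matches `site-b` and enters the tunnel as 41.22.123.70; with the selector lookup first, 192.168.110.130 matches nothing and leaves via the default gateway untouched, which is the traceroute behaviour Roland describes. A packet capture on the IPsec and WAN interfaces, as Mark suggests, is the way to tell which of the two the real device is doing.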
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
