Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Eero Volotinen 
Well. Maybe You need to hire pfsense consultant with NDA, so you can unmask
needed information.

Usually there is no need to NAT in ipsec as you can tunnel private
network/ip address too and limit access with firewall rules.

Eero

On Thu, Feb 8, 2018 at 9:42 PM, Roland Giesler 
wrote:

> On 8 February 2018 at 20:40, Eero Volotinen  wrote:
>
> > how about not masking ip addresses?
> >
>
> I'm not allowed to show the ip addresses (by my client), hence the
> masking...
>
> I thought I need NAT, but I also testing simply added the virtual ip,
> a.a.a.a as the address, but it still doesn't work.
>
>
>
> >
> > do you really need nat in phase 2 ? why?
> >
>
> I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
> use NAT to forward the desired traffic to them (ie HTTPS to a web server).
>
> Now, it I want to establish an IPSec link that will allow a service
> provider to push API calls to our server (with the NAT'ed address), I want
> to give them a public address to talk to and them NAT that traffic to the
> actual server.  I understood that's the point of having NAT as an option in
> phase2?
>
> I don't see any other way to achieve that, not?
>
>
>
> >
> > Eero
> >
> >
> >
> > 8.2.2018 18.17 "Roland Giesler"  kirjoitti:
> >
> > > I'm trying to find a solution and know there are quite a few pfSense
> > users
> > > here, so here goes...
> > >
> > > We've set up some IPSec tunnels and they connect.  The Phase2 also
> "comes
> > > up", but we can't reach the hosts specified in the Phase2 "remote
> > network".
> > >
> > > One instance (to keep it simpler):
> > >
> > > WAN gateway: x.x.x.x  (primary firewall interface)
> > >
> > > Phase1:
> > >
> > > Interface: Virtual IP a.a.a.a
> > >
> > > Phase2:
> > >
> > > Local address: address c.c.c.c
> > > Local NAT translation: address a.a.a.a
> > >
> > > Remote address: r.r.r.r  (A public ip)
> > >
> > > When phase1 and 2 are up and connected, I see no route for r.r.r.r in
> the
> > > routing table.
> > >
> > > Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> > > x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a
> > virtual
> > > address though, or what?
> > >
> > > In the firewall log I see:
> > > Feb 8 18:07:40 ► IPsec
> > >  >  e1b7ad28cf?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
> 2F3810b0b653bf2d2e2cba22508a65c8=977006=9d738053b0d33cb5>
> > > ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
> >  5593aa39f4?url=http%3A%2F%2F2Fin.gtst.xyz=977006&
> signature=2a744f53ef768e7b>
> > %2Feasyrule.php%
> > > 3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
> > > 26ipproto%3Dinet=977006=20ffc7b51058b751>
> > > a.a.a.a:57914
> > >  >  eec113a055?url=https%3A%2F%2Fmailtrack.io%2Ftrace%2Flink%
> 2F1a280d2835c7f522f38efd56201a0e=977006=571e99f7a2732a8f>
> > > b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
> >  4066c9777e?url=http%3A%2F%2F2Fin.gtst.xyz=977006&
> signature=cdc956157cdd5df3>
> > %2Feasyrule.php%
> > > 3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
> > > 111.178%26dst%3D196.201.107.67%26dstport%3D21410%
> > 26ipproto%3Dinet=
> > > 977006=9606a76d3910d126>
> > > r.r.r.r:12345 TCP:S
> > > So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm
> > not
> > > getting any response from the remote.
> > >
> > > What is going on here?  Should there be a route to r.r.r.r in the
> routing
> > > table or does pfSense hide some mechanics of the ports and routes from
> > me?
> > >
> > > Thanks
> > >
> > > Roland
> > > ___
> > > pfSense mailing list
> > > https://lists.pfsense.org/mailman/listinfo/list
> >  3bd68e70ff?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
> 2Flistinfo%2Flist=977006=18f942cb3843942b>
> > > Support the project with Gold! https://pfsense.org/gold
> >  d4bf737bb0?url=https%3A%2F%2Fpfsense.org%2Fgold=977006=
> 9b7e0fb022e1d4b3>
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> >  bd42b5d7c3?url=https%3A%2F%2Flists.pfsense.org%2Fmailman%
> 2Flistinfo%2Flist=977006=cf850d54e37d5986>
> > Support the project with Gold! https://pfsense.org/gold
> >  34c841a087?url=https%3A%2F%2Fpfsense.org%2Fgold=977006=
> 6f1a46c71565950f>
>

Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Roland Giesler 
On 8 February 2018 at 20:40, Eero Volotinen  wrote:

> how about not masking ip addresses?
>

I'm not allowed to show the ip addresses (by my client), hence the
masking...

I thought I need NAT, but I also testing simply added the virtual ip,
a.a.a.a as the address, but it still doesn't work.



>
> do you really need nat in phase 2 ? why?
>

I have servers in a farm all NAT'ed (ie they only have LAN addresses) and
use NAT to forward the desired traffic to them (ie HTTPS to a web server).

Now, it I want to establish an IPSec link that will allow a service
provider to push API calls to our server (with the NAT'ed address), I want
to give them a public address to talk to and them NAT that traffic to the
actual server.  I understood that's the point of having NAT as an option in
phase2?

I don't see any other way to achieve that, not?



>
> Eero
>
>
>
> 8.2.2018 18.17 "Roland Giesler"  kirjoitti:
>
> > I'm trying to find a solution and know there are quite a few pfSense
> users
> > here, so here goes...
> >
> > We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
> > up", but we can't reach the hosts specified in the Phase2 "remote
> network".
> >
> > One instance (to keep it simpler):
> >
> > WAN gateway: x.x.x.x  (primary firewall interface)
> >
> > Phase1:
> >
> > Interface: Virtual IP a.a.a.a
> >
> > Phase2:
> >
> > Local address: address c.c.c.c
> > Local NAT translation: address a.a.a.a
> >
> > Remote address: r.r.r.r  (A public ip)
> >
> > When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
> > routing table.
> >
> > Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> > x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a
> virtual
> > address though, or what?
> >
> > In the firewall log I see:
> > Feb 8 18:07:40 ► IPsec
> >  
> > ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz
> 
> %2Feasyrule.php%
> > 3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
> > 26ipproto%3Dinet=977006=20ffc7b51058b751>
> > a.a.a.a:57914
> >  
> > b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz
> 
> %2Feasyrule.php%
> > 3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
> > 111.178%26dst%3D196.201.107.67%26dstport%3D21410%
> 26ipproto%3Dinet=
> > 977006=9606a76d3910d126>
> > r.r.r.r:12345 TCP:S
> > So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm
> not
> > getting any response from the remote.
> >
> > What is going on here?  Should there be a route to r.r.r.r in the routing
> > table or does pfSense hide some mechanics of the ports and routes from
> me?
> >
> > Thanks
> >
> > Roland
> > ___
> > pfSense mailing list
> > https://lists.pfsense.org/mailman/listinfo/list
> 
> > Support the project with Gold! https://pfsense.org/gold
> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> 
> Support the project with Gold! https://pfsense.org/gold
> 
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Eero Volotinen 
how about not masking ip addresses?

do you really need nat in phase 2 ? why?

Eero



8.2.2018 18.17 "Roland Giesler"  kirjoitti:

> I'm trying to find a solution and know there are quite a few pfSense users
> here, so here goes...
>
> We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
> up", but we can't reach the hosts specified in the Phase2 "remote network".
>
> One instance (to keep it simpler):
>
> WAN gateway: x.x.x.x  (primary firewall interface)
>
> Phase1:
>
> Interface: Virtual IP a.a.a.a
>
> Phase2:
>
> Local address: address c.c.c.c
> Local NAT translation: address a.a.a.a
>
> Remote address: r.r.r.r  (A public ip)
>
> When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
> routing table.
>
> Doing a traceroute from c.c.c.c, I get traffic leaving the network via
> x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a virtual
> address though, or what?
>
> In the firewall log I see:
> Feb 8 18:07:40 ► IPsec
>  ee1e61d53a?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%
> 3Faction%3Dblock%26int%3Dipsec%26src%3D41.75.111.178%
> 26ipproto%3Dinet=977006=20ffc7b51058b751>
> a.a.a.a:57914
>  b835d0bb60?url=https%3A%2F%2Fin.gtst.xyz%2Feasyrule.php%
> 3Faction%3Dpass%26int%3Dipsec%26proto%3Dtcp%26src%3D41.75.
> 111.178%26dst%3D196.201.107.67%26dstport%3D21410%26ipproto%3Dinet=
> 977006=9606a76d3910d126>
> r.r.r.r:12345 TCP:S
> So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
> getting any response from the remote.
>
> What is going on here?  Should there be a route to r.r.r.r in the routing
> table or does pfSense hide some mechanics of the ports and routes from me?
>
> Thanks
>
> Roland
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

[pfSense] IPSec not routing traffic over tunnel

2018-02-08 Thread Roland Giesler 
I'm trying to find a solution and know there are quite a few pfSense users
here, so here goes...

We've set up some IPSec tunnels and they connect.  The Phase2 also "comes
up", but we can't reach the hosts specified in the Phase2 "remote network".

One instance (to keep it simpler):

WAN gateway: x.x.x.x  (primary firewall interface)

Phase1:

Interface: Virtual IP a.a.a.a

Phase2:

Local address: address c.c.c.c
Local NAT translation: address a.a.a.a

Remote address: r.r.r.r  (A public ip)

When phase1 and 2 are up and connected, I see no route for r.r.r.r in the
routing table.

Doing a traceroute from c.c.c.c, I get traffic leaving the network via
x.x.x.x, not via a.a.a.a.  This could be because x.x.x.x is just a virtual
address though, or what?

In the firewall log I see:
Feb 8 18:07:40 ► IPsec

a.a.a.a:57914

r.r.r.r:12345 TCP:S
So traffic is being allowed via IPsec from a.a.a.a to r.r.r.r, but I'm not
getting any response from the remote.

What is going on here?  Should there be a route to r.r.r.r in the routing
table or does pfSense hide some mechanics of the ports and routes from me?

Thanks

Roland
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold