# NAT on IPSEC with PF



## minimike (Jul 4, 2013)

Hi there,

I've set up an IPsec tunnel with five networks on FreeBSD 8.4 to an Astaro-based device. One of the remote networks has the 192.168.0.39/24 subnet and it's accessible from a local network 10.253.1.0/24 like all of these networks. The network of my LAN has a 192.168.0.0/24 subnet. So I've configured my NIC from the intranet with 192.168.0.2 and put an alias with 10.253.1.1 on it.


```
intranet: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=401bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
	ether a0:36:9f:1f:98:44
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	inet 10.253.1.1 netmask 0xffffffff broadcast 10.253.1.1
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
```


```
MyPublicIP -> 10.253.1.0/24 <-> 192.168.39.0 <- RemotePublicIP
                  |
MyLAN-IP -> 192.168.0.0/24
```

On my IPsec/PF FreeBSD system I can reach all addresses on the remote subnets. But I didn't get NAT from my LAN 192.168.0.0/24 to 10.253.1 to the remote LANs working.

Is there a trick for how I could do that with PF?

Cheers, Darko.


----------



## kpa (Jul 4, 2013)

minimike said:

> On my IPsec/PF FreeBSD system I can reach all addresses on the remote subnets. But I didn't get NAT from my LAN 192.168.0.0/24 to 10.253.1 to the remote LANs working.



Do you really mean NAT or just routing? One thing I noticed is that you have the netmask wrong on the 10.253.1.1 address: it should be 255.255.255.0 because it's in a different subnet than the main address.


----------



## minimike (Jul 5, 2013)

NAT currently seems OK too. I've tried many things, more than 50 hours without success.


----------



## kpa (Jul 6, 2013)

I'm asking about NAT because I don't see any NAT in your description. Post your rules and relevant parts of the IPsec and networking configurations and someone may have a clue what is wrong.


----------



## throAU (Jul 10, 2013)

It's not clear if you are running through a NAT between the two machines, but if you are...

If your "public IP" is actually private and then hitting the Internet somehow, the NAT box you are going through will need to allow IPsec NAT-T for your tunnel to work. You will also need to allow the relevant NAT-T ports through pf.

If you don't own the NAT box, you may need to contact those who do.

Essentially what I'm saying is this: *If* your encrypted payloads pass *through* a NAT, IPsec will break, as NAT modifies the packets in a way that is incompatible with IPsec. NAT-T is a work-around for this issue (though it does come with some inherent caveats regarding degraded security).
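A pf.conf sketch of the setup minimike describes, with the alias netmask kpa pointed out and the IKE/ESP/NAT-T pass rules throAU mentions, added here as an example; it is not configuration from the thread or from anyone in it. The external interface name, the public addresses and the remote subnet (taken from the poster's diagram as 192.168.39.0/24) are placeholders. One point the thread does not spell out: on FreeBSD the kernel runs IPsec output processing (SPD lookup and ESP encapsulation) before pf's outbound hook on the physical interface, so a `nat on $ext_if` rule only ever sees the already-encapsulated ESP packet, and a LAN packet that matches no SPD entry is translated and leaves the box in the clear instead of being encrypted. The enc(4) interface is where pf gets the inner packet, so the translation goes there. That assumes `device enc` in the kernel and the default `net.enc.in/out.ipsec_filter_mask` values (pf sees cleartext before encapsulation and after decapsulation); the SPD entry still has to match the untranslated 192.168.0.0/24 source, because the policy is chosen before pf rewrites the address, and how racoon and the Astaro are made to agree on that is outside what this thread shows.

```pf
# /etc/pf.conf fragment for FreeBSD 8.x pf (OpenBSD 4.5 syntax). Added example,
# not from the thread. Placeholders: em0 (external NIC), 203.0.113.10 (our
# public IP), 198.51.100.20 (the Astaro), 192.168.39.0/24 (remote net from
# the poster's diagram). "intranet" is the LAN NIC name from the post.
#
# Matching /etc/rc.conf lines (the alias gets a real /24 mask, as kpa noted):
#   ifconfig_intranet="inet 192.168.0.2 netmask 255.255.255.0"
#   ifconfig_intranet_alias0="inet 10.253.1.1 netmask 255.255.255.0"
#   ifconfig_enc0="up"

ext_if      = "em0"
int_if      = "intranet"
ipsec_if    = "enc0"            # enc(4): pf sees the cleartext inner packet here
peer_ip     = "198.51.100.20"   # placeholder for the Astaro's public address
lan_net     = "192.168.0.0/24"
nat_addr    = "10.253.1.1"      # alias on $int_if; the address the peer expects
remote_nets = "{ 192.168.39.0/24 }"   # add the other four remote networks here

# WRONG placement: IPsec output processing runs before pf's outbound hook on
# em0, so this rule sees only the ESP packet. A 192.168.0.x packet with no
# matching SPD entry would be translated here and sent out unencrypted.
# nat on $ext_if from $lan_net to $remote_nets -> $nat_addr

# Translate on enc0 instead. The inner packet crosses enc0 before encapsulation
# on the way out and after decapsulation on the way in, so the state created by
# this rule also reverses the translation for replies.
nat on $ipsec_if from $lan_net to $remote_nets -> $nat_addr

# The tunnel itself on the outside: IKE (udp/500), ESP, and udp/4500 in case
# NAT-T is negotiated because a NAT sits between the two gateways.
pass in  quick on $ext_if proto udp from $peer_ip to $ext_if port { 500, 4500 } keep state
pass out quick on $ext_if proto udp from $ext_if to $peer_ip port { 500, 4500 } keep state
pass in  quick on $ext_if proto esp from $peer_ip to $ext_if
pass out quick on $ext_if proto esp from $ext_if to $peer_ip

# Filter the decrypted traffic on enc0, not on $ext_if. Filter rules are
# evaluated after translation, so the outbound rule does not name $lan_net.
pass in  on $int_if   from $lan_net     to $remote_nets keep state
pass out on $ipsec_if to   $remote_nets keep state
pass in  on $ipsec_if from $remote_nets to $nat_addr    keep state
```

Load it with `pfctl -f /etc/pf.conf` and check `tcpdump -ni enc0`: the packets headed for the remote networks should already carry 10.253.1.1 as source before encapsulation. If `tcpdump -ni em0` shows traffic to 192.168.39.0/24 that is not ESP, no security policy matched the LAN source and the packet left in the clear.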


----------



## Crest (Jul 10, 2013)

No. IPsec payloads can pass through NAPT without damage unless you use AH. The problem is in establishing the SAs (and policies).


----------



## throAU (Jul 10, 2013)

Crest said:

> No. IPsec payloads can pass through NAPT without damage unless you use AH. *The problem is in establishing the SAs (and policies)*.



Which is kind of crucial to negotiating a connection?

(I haven't run IPsec on FreeBSD for a decade or more; I do it all on Cisco gear these days.)


----------



## minimike (Jul 16, 2013)

....


----------

