Re: [pfSense] IPSec nat issue
On 5/27/2016 3:57 PM, Lyle Giese wrote: > unsure how easy that might be. Couldn't you eliminate the conflict by re-addressing your 192.168.1/24 to something else in rfc1918 land? -- Mark Wiater ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
On 5/26/2016 1:23 PM, Mark Wiater wrote: On 5/26/2016 2:09 PM, Rosen Iliev wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. It's probably best to remove the conflict instead of perform the NAT. I appreciate that re-addressing your network could be impractical though. If the remote side is using 192.168.1/24 and you are using that same space, it doesn't seem like using a sonicwall will make the situation any better. Where exactly are you looking with 'pfSense's packet capture tool'? Are you looking on the ipsec tunnel or on your 192.168.1/24 interface? Can the far end folks be more explicit about the failure mode? Perhaps they could indicate exactly what response they get to the ICMP echo request? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold Agree on removing the conflict, but unsure how easy that might be. Packet capture on IPSec tunnel for any 192.168.75.x or 192.168.85.x traffic. I only see traffic when I ping their host at 192.168.75.220 from the LAN(192.168.1.x). I am not allowed to talk to the hands on person at the colo. I am only allowed to talk to the Engineer at UBS. He stated the packets were being rejected. I don't know anything further. The engineer at UBS stated 'We have many tunnels setup this way using SonicWall and a cookie cutter template for you to use.' Preliminary investigation indicates double the cost of the appliance and around $400 per year security subscription costs for the sonicwall. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
Pinging 192.168.85.187 from 192.168.75.220. I am trying to map 192.168.85.x to 192.168.1.x with NAT. Lyle On 5/26/2016 1:09 PM, Rosen Iliev wrote: Hi Lyle, Which IP they are pinging exactly? Rosen Lyle wrote on 5/25/2016 6:54 PM: I am trying to install a new pfSense appliance running 2.3 Release. works fine until I setup a IPSec tunnel. The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. I can ping and see the smb shares on their server at 192.168.75.220 from a workstation on the 192.168.1.0/24 network. However they need to ping and access the printers on the LAN(192.168.1.0/24) network from their 192.168.75.0/24 network. That's where this all breaks down. The guys at the far end are using SonicWall and want me to junk what we have and buy a much more expensive SonicWall(not to mention the subscription costs for filtering web access) to do what pfSense does now, using Squid and squidGuard. The guys at the far end are claiming that our end is rejecting their ping packets from their server at 192.168.75.220. I am unable to see any of their ping packets using pfSense's packet capture tool. I have played with 1:1 nat and tried every combo I can think of and have not come up with a working way to see their packets. I have googled and found several pfsense docs but am not able to come up with a working answer. Just not even sure what you guys need from me to help troubleshoot this. Thanks in advance, Lyle Giese LCR Computer Services, Inc. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
That's a typo. All routes/subnets are rfc 1918, 192.168.x.x Lyle On 5/26/2016 9:40 AM, Steve Yates wrote: Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg. If that's not you then the other end could be routing packets there. -- Steve Yates ITS, Inc. -Original Message- On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
I was running packet capture on the IPSec interface looking for traffic to/from 192.168.75.x and 192.168.85.x and only saw traffic when I pinged their server. Lyle On 5/26/2016 9:32 AM, ED Fochler wrote: I agree. I typically ssh in as root and tcpdump to get a more interactive view of the network, but packet capture should give you the same data. You should be seeing traffic even if it is rejected or dropped by your firewall rules. If you’re not seeing ping, it’s not showing up at your interface. ED. On 2016, May 26, at 8:44 AM, Vick Khera wrote: On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. So if they have a conflicting 192.168.1.0/24 network on their end already, how the heck do they expect traffic to *your* version of that network to get routed to you? That is, if they type "ping 192.168.1.42" which network is it supposed to go to? I don't see how some Sonicwall magic could make that happen either. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
I think they would ping 192.168.85.x and incoming pfSense would forward that traffic to 192.168.1.x, doing a 1:1 type NAT. Lyle On 5/26/2016 7:44 AM, Vick Khera wrote: On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. So if they have a conflicting 192.168.1.0/24 network on their end already, how the heck do they expect traffic to *your* version of that network to get routed to you? That is, if they type "ping 192.168.1.42" which network is it supposed to go to? I don't see how some Sonicwall magic could make that happen either. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
On 5/26/2016 2:09 PM, Rosen Iliev wrote: > The other end has a conflict with our LAN addressing(192.168.1.0/24). > So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the > local Network. NAT/BINAT network of 192.168.85.0/24. Their remote > network is 192.168.75.0/24. It's probably best to remove the conflict instead of perform the NAT. I appreciate that re-addressing your network could be impractical though. If the remote side is using 192.168.1/24 and you are using that same space, it doesn't seem like using a sonicwall will make the situation any better. Where exactly are you looking with 'pfSense's packet capture tool'? Are you looking on the ipsec tunnel or on your 192.168.1/24 interface? Can the far end folks be more explicit about the failure mode? Perhaps they could indicate exactly what response they get to the ICMP echo request? I would think you would need another private net for the tunnel, something like this: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike -protocols/14143-same-ip.html ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
On 5/26/2016 2:09 PM, Rosen Iliev wrote: > The other end has a conflict with our LAN addressing(192.168.1.0/24). > So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the > local Network. NAT/BINAT network of 192.168.85.0/24. Their remote > network is 192.168.75.0/24. It's probably best to remove the conflict instead of perform the NAT. I appreciate that re-addressing your network could be impractical though. If the remote side is using 192.168.1/24 and you are using that same space, it doesn't seem like using a sonicwall will make the situation any better. Where exactly are you looking with 'pfSense's packet capture tool'? Are you looking on the ipsec tunnel or on your 192.168.1/24 interface? Can the far end folks be more explicit about the failure mode? Perhaps they could indicate exactly what response they get to the ICMP echo request? ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
Hi Lyle, Which IP they are pinging exactly? Rosen Lyle wrote on 5/25/2016 6:54 PM: I am trying to install a new pfSense appliance running 2.3 Release. works fine until I setup a IPSec tunnel. The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. I can ping and see the smb shares on their server at 192.168.75.220 from a workstation on the 192.168.1.0/24 network. However they need to ping and access the printers on the LAN(192.168.1.0/24) network from their 192.168.75.0/24 network. That's where this all breaks down. The guys at the far end are using SonicWall and want me to junk what we have and buy a much more expensive SonicWall(not to mention the subscription costs for filtering web access) to do what pfSense does now, using Squid and squidGuard. The guys at the far end are claiming that our end is rejecting their ping packets from their server at 192.168.75.220. I am unable to see any of their ping packets using pfSense's packet capture tool. I have played with 1:1 nat and tried every combo I can think of and have not come up with a working way to see their packets. I have googled and found several pfsense docs but am not able to come up with a working answer. Just not even sure what you guys need from me to help troubleshoot this. Thanks in advance, Lyle Giese LCR Computer Services, Inc. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
Jumping in midway through, 193.168.1.0/24 belongs to Universite du Luxembourg. If that's not you then the other end could be routing packets there. -- Steve Yates ITS, Inc. -Original Message- > On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: > >> The other end has a conflict with our LAN addressing(192.168.1.0/24). >> So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 >> >> for the local Network. NAT/BINAT network of 192.168.85.0/24. Their >> remote network is 192.168.75.0/24. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
I agree. I typically ssh in as root and tcpdump to get a more interactive view of the network, but packet capture should give you the same data. You should be seeing traffic even if it is rejected or dropped by your firewall rules. If you’re not seeing ping, it’s not showing up at your interface. ED. > On 2016, May 26, at 8:44 AM, Vick Khera wrote: > > On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: > >> The other end has a conflict with our LAN addressing(192.168.1.0/24). So >> in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 >> >> for the local Network. NAT/BINAT network of 192.168.85.0/24. Their >> remote network is 192.168.75.0/24. >> > > So if they have a conflicting 192.168.1.0/24 network on their end already, > how the heck do they expect traffic to *your* version of that network to > get routed to you? That is, if they type "ping 192.168.1.42" which network > is it supposed to go to? I don't see how some Sonicwall magic could make > that happen either. > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] IPSec nat issue
On Wed, May 25, 2016 at 8:54 PM, Lyle wrote: > The other end has a conflict with our LAN addressing(192.168.1.0/24). So > in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 > > for the local Network. NAT/BINAT network of 192.168.85.0/24. Their > remote network is 192.168.75.0/24. > So if they have a conflicting 192.168.1.0/24 network on their end already, how the heck do they expect traffic to *your* version of that network to get routed to you? That is, if they type "ping 192.168.1.42" which network is it supposed to go to? I don't see how some Sonicwall magic could make that happen either. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
[pfSense] IPSec nat issue
I am trying to install a new pfSense appliance running 2.3 Release. works fine until I setup a IPSec tunnel. The other end has a conflict with our LAN addressing(192.168.1.0/24). So in phase 2, we setup a Tunnel IPv4 using 193.168.1.0/24 for the local Network. NAT/BINAT network of 192.168.85.0/24. Their remote network is 192.168.75.0/24. I can ping and see the smb shares on their server at 192.168.75.220 from a workstation on the 192.168.1.0/24 network. However they need to ping and access the printers on the LAN(192.168.1.0/24) network from their 192.168.75.0/24 network. That's where this all breaks down. The guys at the far end are using SonicWall and want me to junk what we have and buy a much more expensive SonicWall(not to mention the subscription costs for filtering web access) to do what pfSense does now, using Squid and squidGuard. The guys at the far end are claiming that our end is rejecting their ping packets from their server at 192.168.75.220. I am unable to see any of their ping packets using pfSense's packet capture tool. I have played with 1:1 nat and tried every combo I can think of and have not come up with a working way to see their packets. I have googled and found several pfsense docs but am not able to come up with a working answer. Just not even sure what you guys need from me to help troubleshoot this. Thanks in advance, Lyle Giese LCR Computer Services, Inc. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
