@konikv You're probaly looking for that: NAT with IPsec Phase 2 Networks

@operator2024 Hi I have same situation, no matter what I do I can't get a second phase 2 to come up when it uses a subnet that doesn't directly exist on a local interface. could you please tell me what exactly you did so i can compare with my conf in my case i have Palo Alto --- IPsec ---- Pfsense --- IPsec --- AWS Pfsense --- IPsec ---- Pfsense --- IPsec --- AWS both don't work could you please help

@viragomann This was the solution. Thank you so much!

@slu Yes dude, tks

@saeed WELCOME Pfsense CE I use Pfsense since 2.2.X This type of failure in the essence of a firewall, did not occur. = (

@ralf-0 Firewall > NAT > Outbound > Disable Outbound NAT rule generation

SOLVED Thanks for your help, by reading and thinking you helped me find the solution. I found the fail! It was done by myself. I made a new NAT rule 3 weeks ago, in that rule i included port 8282 on block. I tuned the NAT rule, removed 8282 block, viola, all ports that I need to be open is now open: [image: 1618911090323-5da1e541-e972-48d2-98b4-b221fb776202-image.png]

@johnpoz I recreated the Nat rule i was successful in getting this to work, currently monitoring the connection. Thanks for your effort, Thanks

Works by doing the NAT configuration on the IPsec Phase 2 and a static route to the remote subnet pointing to inside interface. NAT with IPsec Phase 2 Networks Routing and gateway considerations Thank you so much, @viragomann.

Despite extensive testing before release it's still possible to hit this in 2.5.1 CE but not as far as we know in 21.02.2 (Plus). Though it's unclear what the difference there is. https://redmine.pfsense.org/issues/11805 Steve

@gertjan Thank you so much for the support! My mistake was to put the start and end port different in this case, on other firewalls it works like this. Thanks again and have a nice day!

actually it was a pfsense update problem: https://redmine.pfsense.org/issues/11805 update to 2.6.0 and its fine now. hope they release a hotfix for stable version soon.

Have you tried to remove the GW's on the rules and let the FW handle them by itself?

@michael_kappler https://redmine.pfsense.org/issues/11436#note-56 FYI