Netgate Discussion Forum

NAT over ipsec

  • handleric
    last edited by Feb 19, 2022, 4:11 AM

    Hello,

    I'm trying to build out some config that would allow me to port forward or NAT traffic coming in from my WAN interface and send it across an IPSec tunnel to a remote site. I have everything configured and in place, including outbound NAT rules to transform the traffic going out the IPSec interface; however, it's never making it to the other end and appears to be terminating locally on the pfSense firewall.

    Anyone have any experience with a config like this?

    • handleric
      last edited by Feb 19, 2022, 8:47 PM

      The scenario here would be:

      Site A:

      • WAN IP: 70.10.20.3
      • LAN: 192.168.1.1/24

      Site B:

      • WAN IP: 80.1.2.3
      • LAN: 192.168.2.1/24

      I need to be able to take traffic coming in to 70.10.20.3 (Site A) on ports 80 & 443 and send it to a web server in the 192.168.2.0/24 (Site B) network. As of right now the IPSec VPNs are up and I am able to ping endpoints across the tunnel, including from the opposing firewall. However, when traffic comes in I can see from the sessions that the NAT is translating the destination to the expected 192.168.2.0/24 IP address, yet no packets ever try to go out the tunnel.

      • viragomann @handleric
        last edited by Feb 20, 2022, 10:15 AM

        @handleric
        This only works if site A is the default gateway at B. So you need to configure the P2 properly on both sites.

        If you don't want that use OpenVPN.

        • handleric @viragomann
          last edited by Feb 20, 2022, 2:43 PM

          @viragomann This has been configured; however, the traffic is never leaving site A to be sent to site B in the first place, and I can't figure out why.

          • viragomann @handleric
            last edited by Feb 20, 2022, 2:58 PM

            @handleric
            So does your IPSec phase 2 have
            site A:
            local: 0.0.0.0/0
            remote: 192.168.2.0/24

            site B:
            local: 192.168.2.0/24
            remote: 0.0.0.0/0
            ?
            Ensure that you have configured the P2 on both sites accordingly.

            If so you should be able to easily NAT the incoming traffic at A to e.g. 192.168.2.52 and responses should be routed back properly.

            • handleric @viragomann
              last edited by Feb 21, 2022, 8:03 PM

              @viragomann

              Thank you for the information. I did in fact have the P2 local network defined as the subnet within the local LAN, assuming the routing would still have sent the traffic across based on the destination IP and the routing table; however, that obviously didn't end up being the case. After changing the local network on the P2 from 192.168.1.0/24 to 0.0.0.0/0, the traffic started sending across the tunnel.

              Thank you for the help!

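The selector mismatch viragomann describes and handleric confirms, as an added example that is not part of the thread. It assumes a simplified policy-based IPsec model in which the port forward rewrites the destination first and the tunnel is then chosen purely by matching the (source, destination) pair against the Phase 2 selectors, never the routing table; the Internet client address is constructed, and the web server 192.168.2.52 is the address viragomann used.

```python
# Added example (not from the forum thread): why the port-forwarded traffic never
# entered the tunnel. Policy-based IPsec selects a tunnel by matching the post-NAT
# (source, destination) pair against each Phase 2 selector pair; the routing table
# plays no part. Site addresses come from the thread; the client IP is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    local: str   # Phase 2 "local network" as configured at this site
    remote: str  # Phase 2 "remote network" as configured at this site


def p2_matches(p2: Phase2, src: str, dst: str) -> bool:
    """True if the flow src -> dst is covered by this Phase 2 selector pair."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p2.local)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p2.remote))


def select_phase2(p2s, src: str, dst: str) -> Optional[Phase2]:
    """First Phase 2 whose selectors cover the flow (an SPD lookup); None = not tunneled."""
    return next((p for p in p2s if p2_matches(p, src, dst)), None)


def forward_inbound(p2s, client_src, wan_dst, dport, port_forwards):
    """Model of site A: the port forward rewrites the destination, then the SPD is consulted."""
    target = port_forwards.get((wan_dst, dport))
    if target is None:
        return "no-forward", None          # no port forward for this WAN IP/port
    p2 = select_phase2(p2s, client_src, target)
    return ("tunneled" if p2 else "not-tunneled"), target


# Constructed port forwards at site A: WAN 70.10.20.3 :80 and :443 -> web server at site B
PORT_FORWARDS = {("70.10.20.3", 80): "192.168.2.52", ("70.10.20.3", 443): "192.168.2.52"}
P2_BEFORE = [Phase2("192.168.1.0/24", "192.168.2.0/24")]  # original config: LAN-to-LAN only
P2_AFTER = [Phase2("0.0.0.0/0", "192.168.2.0/24")]        # the fix from the thread

if __name__ == "__main__":
    client = "198.51.100.25"  # constructed Internet client; not in 192.168.1.0/24
    print(forward_inbound(P2_BEFORE, client, "70.10.20.3", 443, PORT_FORWARDS))  # not-tunneled
    print(forward_inbound(P2_AFTER, client, "70.10.20.3", 443, PORT_FORWARDS))   # tunneled
    # LAN-to-LAN flows matched even before the change, which is why pings across the tunnel worked
    print(select_phase2(P2_BEFORE, "192.168.1.10", "192.168.2.52"))
```

With the 0.0.0.0/0 selector, site B's matching remote selector also becomes 0.0.0.0/0, which is why viragomann notes that site A must then be site B's default gateway: every non-local flow from B is pulled into the tunnel.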
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.