OpenVPN - masquerade traffic to access IPSec tunnel
-
Good morning everyone and thanks to those who will help me :D
I have configured this scenario:
pfSense 2.6.0
LAN IP: 192.168.1.1/24
WAN IP: 1.2.3.4
OPENVPN SERVER IP: 10.0.200.1/24
I had to create an IPSec VPN to one of our customers which accepts only traffic coming from our LAN subnet 192.168.1.1/24 (their internal rules).
I need to make sure that users who connect via OpenVPN client to our network and then reach it with subnet 10.0.200.1/24 can reach the resources on the other end of the IPSec VPN.
I was thinking of masking all the traffic from network 10.0.200.1/24 to IPSec so that it shows up with IP 192.168.1.254.
I guess there is a need to configure an outbound NAT but I can't figure out how.
Can you help me?
Thank you very much!
-
@alberto788
The IPSec phase 2 BINAT / PAT is meant to do this.
Add an additional p2. Enter the OpenVPN tunnel network into the Local Network box.
Maybe you can limit the OpenVPN clients to a smaller subnet, so you can NAT the whole tunnel network to an unused segment of your LAN.
Then you could select Network at NAT/BINAT translation and enter the translation network segment.
Otherwise you have to use a single address for all OpenVPN clients. Then select Address and state it in the next box to the right.
-
Thank you for your response.
I set the p2 to use a single address for NAT/BINAT translation and it works perfectly!
Thank you!
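
For the Network option described in the answer above, the following planning helper is an added example, not part of the original thread or of pfSense. It lists LAN segments with no address in use that match the size of a reduced OpenVPN tunnel network, and shows which address the remote peer would see for a given client. The /28 tunnel network, the list of used LAN addresses, and the assumption that the 1:1 translation keeps the host part of each address are constructed for illustration.

```python
import ipaddress

def free_segments(lan, used, prefixlen):
    """Return LAN segments of the given prefix length with no address in use."""
    lan = ipaddress.ip_network(lan)
    used = [ipaddress.ip_address(u) for u in used]
    return [str(seg) for seg in lan.subnets(new_prefix=prefixlen)
            if not any(u in seg for u in used)]

def translate(client, tunnel, translation, lan):
    """Address the remote peer sees for one OpenVPN client under network BINAT.

    Assumption: the translation is 1:1 and preserves the host part."""
    tunnel = ipaddress.ip_network(tunnel)
    translation = ipaddress.ip_network(translation)
    if translation.prefixlen != tunnel.prefixlen:
        raise ValueError("network translation needs equal prefix lengths")
    if not translation.subnet_of(ipaddress.ip_network(lan)):
        raise ValueError("translation segment is outside the LAN the peer accepts")
    addr = ipaddress.ip_address(client)
    if addr not in tunnel:
        raise ValueError("client is not in the OpenVPN tunnel network")
    offset = int(addr) - int(tunnel.network_address)
    return str(translation.network_address + offset)

# Constructed sample data: LAN from the question, tunnel reduced to a /28,
# and a made-up inventory of LAN addresses already in use.
LAN = "192.168.1.0/24"
TUNNEL = "10.0.200.0/28"
USED = ["192.168.1.1", "192.168.1.20", "192.168.1.37",
        "192.168.1.100", "192.168.1.130", "192.168.1.200"]

if __name__ == "__main__":
    candidates = free_segments(LAN, USED, ipaddress.ip_network(TUNNEL).prefixlen)
    print("unused /28 segments:", candidates)
    chosen = candidates[-1]
    for client in ("10.0.200.2", "10.0.200.6"):
        print(client, "->", translate(client, TUNNEL, chosen, LAN))
```

If no segment of the required size is free, the single-address option from the answer is the fallback.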