NAT before IPSec with VIP
-
Hi, several people have already raised this topic, but the requirements and implementations do not fit my scenario.
I have the problem that I have to translate to a NAT IP address in the LAN before I send the traffic into the VPN tunnel. A simple VPN phase 2 with NAT is not enough for me, because I don't want to/can't give the clients new routes due to the number of networks. So I have to work with existing networks, which inevitably means I need to assign a VIP.
LAN1 Network (other Firewall) ->
LAN2 Network in PFSense (with one VIP in this LAN2 Network) ->
Portforward from VIP to IPSec Dest. Host ->
Outbound NAT to translate the LAN1 to the LAN2 VIP IP

The problem is that it does not work. If I address the VIP from LAN2, which belongs to the PFSense and for which the IPSec tunnel also has a Phase 2, everything works: the VIP routes the traffic into the tunnel (but, according to the trace, with my original LAN2 address instead of the VIP LAN2 address). If I address the VIP from LAN1, I can't get through. I don't see any traffic running into the tunnel, but on the LAN interface I still see the traffic arriving correctly. So it seems to simply discard the packets, because instead of applying NAT it tries to communicate with the original IP (which is not defined in the IPSec).
I don't know what to do; the VIP is working. The VIP also works with port forwarding as long as my original sender is in LAN2 (identical network and a P2 in IPSec). As soon as I come from LAN1, no NAT seems to be applied, although I have configured outbound NAT. The VIP is entered as the translation IP, the source is LAN1 and the destination is the VPN end destination.
Can the PFSense do what I have in mind here?
-
@matze-0 said in NAT before IPSec with VIP:
I have the problem that I have to convert to a NAT IP address in the LAN before I go into the VPN tunnel with the traffic. A simple VPN phase 2 with NAT is not enough for me, because I don't want to/can't give the clients new routes due to the network volume. So I have to work with existing networks, which inevitably leads to the need to assign a VIP.
The BINAT / PAT style in the P2 is meant to do this exactly.
There is no need to add an additional tunnel on the remote site.
BINAT can translate a single IP out of LAN1 or the whole subnet into a single IP within the LAN2 network.
-
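The following is an added illustration, not code from pfSense and not posted by anyone in this thread. It models the translation semantics of the Phase 2 "NAT/BINAT translation" option the reply refers to, using my reading of its two translation types: "Address" (the whole local network hides behind one address, PAT style) and "Network" (1:1 BINAT, host bits preserved). The point a practitioner wants to check is which network the remote peer must configure as its remote side: the translated address or network, not the real LAN1. All addresses (LAN1 192.168.10.0/24, LAN2 10.20.0.0/24, VIP 10.20.0.250, remote 172.16.0.0/24) are constructed for the example.

```python
"""
Model of a policy-based IPsec Phase 2 with pfSense-style NAT/BINAT translation.
Added example with constructed addresses; it is not pfSense code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    local_net: IPv4Network            # real network behind pfSense (e.g. LAN1)
    remote_net: IPv4Network           # network behind the peer
    nat_type: str = "none"            # "none" | "address" (many-to-one) | "network" (1:1)
    nat_target: Optional[str] = None  # translated address or network


def translate_source(src: IPv4Address, p2: Phase2) -> IPv4Address:
    """Return the source address the peer sees for traffic matched by this P2."""
    if p2.nat_type == "none":
        return src
    if p2.nat_type == "address":
        # Whole local network hidden behind a single address (PAT / overload).
        return ip_address(p2.nat_target)
    if p2.nat_type == "network":
        # 1:1 BINAT: keep the host bits, replace the network prefix.
        # Needs equal prefix lengths, otherwise the host bits cannot be preserved.
        target = ip_network(p2.nat_target)
        if target.prefixlen != p2.local_net.prefixlen:
            raise ValueError("1:1 BINAT needs equal prefix lengths")
        host_bits = int(src) - int(p2.local_net.network_address)
        return IPv4Address(int(target.network_address) + host_bits)
    raise ValueError(f"unknown nat_type {p2.nat_type!r}")


def peer_selector(p2: Phase2) -> IPv4Network:
    """Local traffic selector presented to the peer: this is what the peer
    must enter as its *remote* network in its own Phase 2."""
    if p2.nat_type == "none":
        return p2.local_net
    if p2.nat_type == "address":
        return ip_network(f"{p2.nat_target}/32")
    return ip_network(p2.nat_target)


def route_into_tunnel(src: str, dst: str, phase2s: list) -> Optional[dict]:
    """Select the P2 whose real local network and remote network match the
    packet. Returns the translated source and the peer-side selector, or
    None when no P2 matches (the packet never enters the tunnel)."""
    s, d = ip_address(src), ip_address(dst)
    for p2 in phase2s:
        if s in p2.local_net and d in p2.remote_net:
            return {"p2": p2,
                    "translated_src": translate_source(s, p2),
                    "peer_sees": peer_selector(p2)}
    return None


# Constructed topology for the example.
REMOTE = ip_network("172.16.0.0/24")
LAN1 = ip_network("192.168.10.0/24")     # behind the other firewall
LAN2 = ip_network("10.20.0.0/24")        # directly on pfSense

# Only a P2 for LAN2: a LAN1 source matches no P2, VIP or not.
LAN2_ONLY = [Phase2(LAN2, REMOTE)]

# Extra P2 for LAN1, hiding it behind one LAN2 address (what the reply describes).
LAN1_PAT = [Phase2(LAN2, REMOTE), Phase2(LAN1, REMOTE, "address", "10.20.0.250")]

# 1:1 variant: LAN1 appears to the peer as 10.20.5.0/24 with host bits preserved.
LAN1_BINAT = [Phase2(LAN1, REMOTE, "network", "10.20.5.0/24")]

if __name__ == "__main__":
    for name, cfg in (("LAN2 only", LAN2_ONLY), ("LAN1 PAT", LAN1_PAT), ("LAN1 BINAT", LAN1_BINAT)):
        print(name, route_into_tunnel("192.168.10.5", "172.16.0.10", cfg))
```

Usage: run the file; the first configuration returns None for a LAN1 source because no Phase 2 covers it, while the other two return the translated source and the selector the peer must be configured with (10.20.0.250/32 or 10.20.5.0/24 respectively). The peer never needs to know about 192.168.10.0/24.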
This is exactly what I had tried to do, as this has always worked in previous versions. However, I can configure this in whichever VPN tunnel I like, but it is not applied. The pfSense acts as if the P2 does not exist, and I see that no NAT is applied. I can't find any error in the log files either. Doesn't anyone else have this problem? I can't imagine it, especially since my configuration on the PFSense is also not very extensive.