Netgate Discussion Forum
    Outbound NAT on IPsec

    kloy

      Hello,

      I have a client who has 4 business centers with multiple companies sharing the same internet connection:

      • Each of them uses VLANs (about 50 per site) to permit internet access but prevent the companies from seeing each other.

      • Each company uses 1 VLAN with a 172.16.X.*/24 subnet, and the pfSense of each site has a local VLAN address like 172.16.x.1 ...

      • One of the problems is that the different sites use the same global network 172.16.0.0/16, and 2 sites can have the same subnet allocated (for example 172.16.100.* is used on 2 sites). As they are not interconnected via VPN, all this works perfectly ...

      Until they decide to use a VoIP IPBX hosted in a datacenter!

      The VoIP provider asks us to build an IPsec VPN from each site to the hosted solution (IPv4 tunnel). On his side, his local network is 10.0.139.1/24...

      My first choice was to tell the client that he'll need to reconfigure his local VLAN IP addresses to separate each network, for example:
      172.16.x.x on site 1
      172.17.x.x on site 2, etc...
      It seems to be difficult for him; there are shared printers and he doesn't want to reconfigure hundreds of devices.

      I've tried to do SNAT so that all the datagrams coming from those different VLANs can be seen as 1 IP, like we do on a classical internet connection, but on the IPsec connection...

      For example
      On site 1:

      • Mounting the IPsec phase 2 so that it announces 172.16.0.1/24 as the local network
      • SNAT all the VLANs from site 1 via outbound NAT over IPsec so that the remote site in the datacenter sees only the 172.16.0.1 IP address arriving on its side.

      On site 2:

      • Mounting the IPsec phase 2 so that it announces 172.16.1.1/24 as the local network
      • SNAT all the VLANs from site 2 via outbound NAT over IPsec so that the remote site in the datacenter sees only the 172.16.1.1 IP address arriving on its side.
        etc...

      As the connections will only be initiated from inside, there should be no problem...

      I've tried this, but I can ping the remote network from the right VLAN (the one announced as the local network on my box); it doesn't work from the other VLANs, though...
      I've put an outbound NAT on the IPsec interface
      telling it to NAT all traffic to 10.0.139.*
      SNAT with the network interface -> it didn't work

      I don't know which IP address I should use there. I have made plenty of tests: 1 local IP from the VLAN, one Virtual IP, IPsec Phase 2 according to this config; the SNAT doesn't work...

      Do you have any ideas?

      Nico

      viragomann @kloy

        @kloy
        You can do 1:1 NAT in IPsec to masquerade a whole subnet with another one. But this has to be done within the IPsec phase, and you will have to translate both sites to get bidirectional communication.
        Other NAT rules on pfSense don't work with IPsec.

        For instance, both have the same LAN, which should be able to connect to each other:
        site 1: 172.16.0.0/24
        site 2: 172.16.0.0/24

        So you configure the phase 2:
        site 1:
        local: 172.16.0.0/24
        NAT/BINAT translation: 172.16.1.0/24
        remote: 172.16.2.0/24

        site 2:
        local: 172.16.0.0/24
        NAT/BINAT translation: 172.16.2.0/24
        remote: 172.16.1.0/24

        Then site 2 has to use 172.16.1.0/24 to access site 1, i.e. to access 172.16.0.10 on site 1 from site 2, use 172.16.1.10.
        And site 1 has to use 172.16.2.0/24 to connect to site 2.

        You can also NAT to a single IP by selecting "address" for the type at NAT/BINAT translation, but this works for outbound connections only. There would be no possibility to access any IP from the remote site then.

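The reply above shows the phase 2 BINAT layout for two sites. The script below is an added example, not part of the forum thread and not pfSense code; it generalizes the same idea to the original poster's situation of several business centers whose VLANs overlap (two sites both using 172.16.100.0/24) that all need to reach one provider network (10.0.139.0/24). For each site it picks a translated block from a pool that collides with nothing else, emits the Local / NAT-BINAT / Remote triple to type into each site's phase 2, and shows the address the provider side must use for a given host and, in reverse, which real host a translated destination maps back to. The site subnets and hub network are constructed to match the thread; the BINAT pool 172.31.0.0/16 and every function name are assumptions of this example.

```python
"""Plan 1:1 (BINAT) translations for pfSense IPsec phase 2 entries when
several sites have overlapping LANs and must all reach one hub network.

Added example for the forum thread above; not pfSense's own code.
"""
import ipaddress

# Constructed sample input matching the thread: two business centers that both
# hand out 172.16.100.0/24, a third site with a unique VLAN, and the VoIP
# provider's network 10.0.139.0/24. The pool 172.31.0.0/16 is an assumption.
SITES = {
    "site1": "172.16.100.0/24",
    "site2": "172.16.100.0/24",
    "site3": "172.16.50.0/24",
}
HUB = "10.0.139.0/24"
POOL = "172.31.0.0/16"


def plan_binat(sites, hub, pool):
    """Return {site: network the hub will see} for every site.

    A site whose LAN collides with the hub or with another site's LAN gets a
    block of equal size carved from `pool`; a LAN that is already unique keeps
    its real addresses. Every handed-out block is checked against the hub, all
    real LANs and all earlier blocks, so no two things the hub routes overlap.
    """
    nets = {name: ipaddress.ip_network(s) for name, s in sites.items()}
    hub_net = ipaddress.ip_network(hub)
    pool_net = ipaddress.ip_network(pool)
    if any(n.overlaps(pool_net) for n in [hub_net, *nets.values()]):
        raise ValueError("BINAT pool collides with a real network")
    taken = [hub_net, *nets.values()]
    plan = {}
    for name, lan in nets.items():
        others = [hub_net] + [n for other, n in nets.items() if other != name]
        if not any(lan.overlaps(o) for o in others):
            plan[name] = str(lan)  # unique already: announce it untranslated
            continue
        for candidate in pool_net.subnets(new_prefix=lan.prefixlen):
            if not any(candidate.overlaps(t) for t in taken):
                plan[name] = str(candidate)
                taken.append(candidate)
                break
        else:
            raise ValueError(f"pool exhausted while planning {name}")
    return plan


def translate(addr, src_net, dst_net):
    """1:1 translation: keep the host part, swap the network part."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("BINAT needs networks of equal size")
    if a not in src:
        raise ValueError(f"{a} is not inside {src}")
    return str(dst.network_address + (int(a) - int(src.network_address)))


def phase2_entries(sites, hub, plan):
    """The three fields for each site's phase 2: Local Network, NAT/BINAT
    translation (None when the LAN needs none) and Remote Network."""
    return {
        name: {
            "local": lan,
            "nat_binat": plan[name] if plan[name] != lan else None,
            "remote": hub,
        }
        for name, lan in sites.items()
    }


def seen_by_hub(site, host, sites, plan):
    """Address the hub must dial for `host` at `site` (and sees as source)."""
    return translate(host, sites[site], plan[site])


def host_behind(translated, sites, plan):
    """Reverse lookup for hub-initiated traffic: (site, real host) for a
    translated destination. Works only because each site's block is distinct,
    which is what makes network-to-network BINAT bidirectional."""
    a = ipaddress.ip_address(translated)
    for site, block in plan.items():
        if a in ipaddress.ip_network(block):
            return site, translate(translated, block, sites[site])
    return None


if __name__ == "__main__":
    plan = plan_binat(SITES, HUB, POOL)
    for site, entry in phase2_entries(SITES, HUB, plan).items():
        print(site, entry)
    print("172.16.100.10 at site2 is seen by the hub as",
          seen_by_hub("site2", "172.16.100.10", SITES, plan))
    print("hub traffic to 172.31.0.10 reaches",
          host_behind("172.31.0.10", SITES, plan))
```

Running it gives site1 the block 172.31.0.0/24, site2 the block 172.31.1.0/24 and leaves site3 untranslated; 172.16.100.10 at site2 is reached by the provider as 172.31.1.10. The reverse lookup is the property the single-address translation mode in the reply loses: when a whole site is folded into one address, nothing on the hub side can pick out an individual host, so only site-initiated connections work.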
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.