Set up IP-Sec tunnel with NAT
-
Hi,
I am about to set up an IP-Sec tunnel with overlapping networks.
What is the best way to do this?
I'm going to set up an ip-sec tunnel in pfSense with overlapping networks in the tunnel. What is the best way to do this? Have done this in Juniper but can't figure out how to do the equivalent in pfSense. Example, I have 10.12.0.0/16
192.168.88.0/24
10.11.0.0/16 in my network.
The overlapping network is 10.11.0.0.
And the other side wants me to NAT to 172.28.120.0/24, 172.16.209.0/24, 172.28.118.0/24, 172.28.117.0/24,
with address 172.27.12.160/27 from my side. Is this possible? And if so how?
-
@larsa said in Set up IP-Sec tunnel with NAT:

> I am about to set up an IP-Sec tunnel with overlapping networks.
> What is the best way to do this?

Changing one of the networks.

> Have done this in Juniper but can't figure out how to do the equivalent in pfSense.

NAT/BINAT in the phase 2.

> Example, I have 10.12.0.0/16
> 192.168.88.0/24
> 10.11.0.0/16 in my network.
> The overlapping network is 10.11.0.0.
> And the other side wants me to NAT to 172.28.120.0/24, 172.16.209.0/24, 172.28.118.0/24, 172.28.117.0/24,
> with address 172.27.12.160/27 from my side. Is this possible? And if so how?

You can only NAT one network to another one of the same size. Hence if you want to NAT 10.11.0.0/16 you can replace it with 172.27.0.0/16.
With the given /24 subnets, you can only NAT parts of your 10.11.0.0/16. To NAT 10.11.1.0/24 to 172.28.120.0/24 for instance, in the phase 2 just enter:
local network: network > 10.11.1.0/24
NAT / BINAT: network > 172.28.120.0/24
So the remote site needs a rule for 172.28.120.0/24 to talk with your 10.11.1.0/24.
-
I was wrong, 10.10.6.0/23 is the overlapping network. That should NAT to 172.28.120.0/24, 172.16.209.0/24, 172.28.118.0/24, 172.28.117.0/24 with address 172.27.12.160/27 from my side.
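The same-size rule from the reply, and what a phase-2 BINAT actually does to an address, can be checked with the thread's own networks before touching the pfSense config. This is an added Python example, not pfSense code or anything from the thread; it assumes the slices of 10.10.6.0/23 would be paired with the remote /24s in the order they were listed.

```python
import ipaddress

# Addresses below are the ones from the thread; pairing slices of
# 10.10.6.0/23 with the remote /24s in listed order is an assumption.

def binat_pair(local_net: str, translated_net: str):
    """Validate a phase-2 BINAT pair: pfSense maps one network 1:1 onto
    another, so both prefixes must be the same length (same size)."""
    local = ipaddress.ip_network(local_net, strict=True)
    nat = ipaddress.ip_network(translated_net, strict=True)
    if local.prefixlen != nat.prefixlen:
        raise ValueError(
            f"{local} has {local.num_addresses} addresses, {nat} has "
            f"{nat.num_addresses}: BINAT needs equal-sized networks")
    return local, nat

def _rewrite(addr: str, src, dst) -> str:
    """Keep the host bits, swap the network bits."""
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

def outbound(addr: str, local_net: str, translated_net: str) -> str:
    """What the remote site sees as the source of a packet from local_net."""
    local, nat = binat_pair(local_net, translated_net)
    return _rewrite(addr, local, nat)

def inbound(addr: str, local_net: str, translated_net: str) -> str:
    """Where a reply sent to the translated address is delivered locally."""
    local, nat = binat_pair(local_net, translated_net)
    return _rewrite(addr, nat, local)

def slices_for(local_net: str, remote_nets: list[str]) -> list[tuple[str, str]]:
    """Split local_net into pieces the size of the remote networks and pair
    them in order; shows how much of an overlapping range /24 targets cover."""
    local = ipaddress.ip_network(local_net)
    prefix = ipaddress.ip_network(remote_nets[0]).prefixlen
    pieces = list(local.subnets(new_prefix=prefix))
    return [(str(p), r) for p, r in zip(pieces, remote_nets)]

if __name__ == "__main__":
    print(outbound("10.11.1.37", "10.11.1.0/24", "172.28.120.0/24"))
    print(slices_for("10.10.6.0/23", ["172.28.120.0/24", "172.16.209.0/24",
                                       "172.28.118.0/24", "172.28.117.0/24"]))
```

Trying `binat_pair("10.10.6.0/23", "172.27.12.160/27")` raises, which is the point of the reply: a /27 holds 32 addresses and cannot stand in 1:1 for a /23, so only a /23-sized (or sliced, equal-sized) translation is possible.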