On IPsec and NAT again - SOLVED
-
I have a site to site IPsec tunnel:
| Remote LAN | Remote Gateway | | pfSense Gateway | Local LAN |
| --- | --- | --- | --- | --- |
| 10.1.0.0/16 | Remote IP | <<=== >> | pfSense IP | 192.168.1.0/24 |

The IPsec phase 1/2 goes well, the connection is established and the traffic flows between the pfSense Gateway and Remote LAN clients (thanks to this: http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F)
Now I have the following problem: the local subnet address that I have to use in phase 2 isn't my real 192.168.1.0/24 but another one (e.g. 192.168.2.0/24, because it is imposed by remote restrictions that I can't change), so I have to translate addresses in some way.
I don't know whether this is possible or not, after reading some posts I suspect it isn't, but perhaps I'm wrong.
I tried several ways: virtual IP on LAN, firewall/NAT rules, outbound NAT rules, source NAT, but without luck :(

Does anyone have an idea on how to accomplish this task? Or is it really not possible due to pf limitations?
Do I have to change my local LAN addresses? (This will be very expensive!)

Thanks
-
Possible in 2.1, not in any earlier version. The usual workaround is to do NAT on one box and IPsec on another. Pre-2.1, they can't both be on the same system: IPsec happens before NAT can happen.
-
Thanks for the explanation.
For those who have the same problem, I've solved it with a workaround, for now.
I've:

- assigned a virtual IP (192.168.2.1) on the LAN interface
- set up the appropriate rules in the firewall/NAT section (including Manual Outbound NAT)
- added a new address (e.g. 192.168.2.5) on the network card of the internal Windows machine and a new gateway 192.168.2.1 (with a higher metric than the default, so as not to interfere with the previous state)
- on the Windows machine, set up a new permanent route to the 10.1.0.0/16 net via the 192.168.2.1 gateway
It works!
-
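The Windows-side steps of the workaround above, as an added example that is not part of the thread: it scripts the secondary address, the optional higher-metric gateway and the persistent route to the remote LAN, then prints the resulting state so the change can be checked. The adapter alias "Ethernet" and the host 10.1.0.10 used for the reachability test are assumptions; the addresses are the ones from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumptions: the LAN adapter is called "Ethernet" (check with Get-NetAdapter),
# 192.168.2.1 is the pfSense virtual IP on LAN, 10.1.0.0/16 is the remote LAN.
$Adapter   = "Ethernet"       # assumed adapter alias
$AltIp     = "192.168.2.5"    # second address on the "translated" subnet
$AltGw     = "192.168.2.1"    # pfSense virtual IP on LAN (from the thread)
$RemoteNet = "10.1.0.0/16"    # remote LAN behind the IPsec tunnel (from the thread)

# 1. Add the secondary address on the translated subnet; the existing
#    192.168.1.x address stays in place, so normal traffic is unaffected.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $AltIp -PrefixLength 24

# 2. Persistent route for the remote LAN via the virtual IP.
#    route.exe -p writes the route to the persistent store so it survives a reboot.
route -p add 10.1.0.0 mask 255.255.0.0 $AltGw metric 10

# 3. Optional, as done in the post: a second default gateway with a high metric,
#    so it never wins over the real one for ordinary Internet traffic.
#    The specific /16 route above already covers the tunnel traffic on its own.
route -p add 0.0.0.0 mask 0.0.0.0 $AltGw metric 200

# 4. Show the resulting address and routing state for verification.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength
Get-NetRoute -DestinationPrefix $RemoteNet |
    Select-Object DestinationPrefix, NextHop, RouteMetric, InterfaceAlias

# 5. Reachability check towards an assumed remote host; the trace should show
#    192.168.2.1 as the first hop, which confirms the new route is being used.
Test-NetConnection -ComputerName 10.1.0.10 -TraceRoute
```

If the trace still leaves via the original 192.168.1.x gateway, the source address selection is the first thing to look at: Windows picks the source address by longest prefix match with the next hop, so the route must point at 192.168.2.1 (not the primary LAN gateway) for packets to leave from 192.168.2.5 and match the phase 2 selector and the Outbound NAT rule on pfSense.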