Netgate Discussion Forum

    NAT with IPSEC

    3 Posts 2 Posters 425 Views

    nikkopegmail.com

      Hi.
      I have been trying to achieve 1:1 NAT through IPsec.
      So what I have is a working IPsec tunnel, with addresses between 192.168.10.0/24 and 10.10.10.0/24.
      Let's say that the 10.10.10.0 net is on the pfSense end. I also have another net in pfSense, 10.10.20.0/24, and there I have a host .90. How could I NAT the traffic from 192.168.10.0 to 10.10.20.90 through the IPsec tunnel? In the Cisco world this is called something like hide NAT.
      I know that it would be easier to add another phase two but sometimes this just is not possible. As in here the 10.10.20.0 net is already used in the other end.

      br, petri

      stephenw10 Netgate Administrator

        You can NAT the traffic across the tunnel in the IPSec P2 config so that the traffic still matches the policy at the other end.

        But you would normally do that for the entire source subnet, so 10.10.20.X gets NAT'd to 10.10.10.X.

        If you don't need to open connections the other way you could also NAT 10.10.20.X to a single IP in 10.10.10.X subnet that is unused and apply that as a second P2. Depending on what is on the other end that may still match and come up and it won't then conflict with traffic from the real 10.10.10.X subnet.

        Steve

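        As an added illustration (not code from this thread or from pfSense itself), the Python model below applies the two translations Steve describes to the thread's addresses and checks whether the translated packet fits the existing P2 selectors; the unused address 10.10.10.250, the mode names and the function names are assumptions.

```python
import ipaddress

# Constructed from the thread: the phase-2 (P2) policy carries 10.10.10.0/24 (pfSense side)
# to 192.168.10.0/24 (far end). Hosts in 10.10.20.0/24, such as .90, are not in that policy.
P2_LOCAL = ipaddress.ip_network("10.10.10.0/24")
P2_REMOTE = ipaddress.ip_network("192.168.10.0/24")
INNER_NET = ipaddress.ip_network("10.10.20.0/24")
# Hypothetical unused address in the P2 local subnet, used for the many-to-one variant.
HIDE_IP = ipaddress.ip_address("10.10.10.250")


def binat_1to1(src: str) -> ipaddress.IPv4Address:
    """1:1 (BINAT) translation: keep the host bits, swap the network bits.
    10.10.20.X becomes 10.10.10.X, so the whole /24 fits the existing P2."""
    addr = ipaddress.ip_address(src)
    if addr not in INNER_NET:
        raise ValueError(f"{src} is not in {INNER_NET}")
    host_bits = int(addr) - int(INNER_NET.network_address)
    return ipaddress.ip_address(int(P2_LOCAL.network_address) + host_bits)


def hide_nat(src: str) -> ipaddress.IPv4Address:
    """Many-to-one translation: every 10.10.20.X host leaves the tunnel as HIDE_IP."""
    addr = ipaddress.ip_address(src)
    if addr not in INNER_NET:
        raise ValueError(f"{src} is not in {INNER_NET}")
    return HIDE_IP


def matches_p2(src: str, dst: str) -> bool:
    """Would this src/dst pair be selected by the P2 traffic selectors?"""
    return (ipaddress.ip_address(src) in P2_LOCAL
            and ipaddress.ip_address(dst) in P2_REMOTE)


def outbound(src: str, dst: str, mode: str) -> tuple:
    """Translate an outbound packet and report whether it now matches the P2."""
    nat_src = binat_1to1(src) if mode == "binat" else hide_nat(src)
    return str(nat_src), matches_p2(str(nat_src), dst)


def inbound_untranslate(nat_dst: str, mode: str):
    """Reverse mapping for a new connection arriving from the far end.
    1:1 NAT is reversible; hide NAT is not (no existing state, no way back), which is
    the 'if you don't need to open connections the other way' caveat."""
    addr = ipaddress.ip_address(nat_dst)
    if mode == "binat" and addr in P2_LOCAL:
        host_bits = int(addr) - int(P2_LOCAL.network_address)
        return str(ipaddress.ip_address(int(INNER_NET.network_address) + host_bits))
    return None
```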
          nikkopegmail.com

          Thanks Steve !

          Will try to NAT in P2.

          cheers, pete

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.