PFSENSE/AZURE - Remote GW accepts only public IPs in encryption domain
-
Hi all, I need help with a very strange scenario.
I have a VM with pfSense on Azure. My goal is to make an IPsec site-to-site with a remote GW on-premise.
You will say OK, it's easy :)
I thought so too.
In Azure I have VNets with other VMs that pfSense can put in the encryption domain, and voilà.
But the hard part comes when the other remote GW cannot use private IPs.
So somehow I have to put the Azure public IPs of those VMs in the encryption domain in the pfSense Phase 2 tunnel.
Any idea?
Some NAT maybe?
Best Regards,
Mladen -
You mean because the pfSense in Azure has a private IP on its WAN? It's behind NAT?
Or the remote pfSense for some reason must use public IPs at Phase 2? What is that reason?
Steve
-
Hi Stephanw, thanks for the reply!
The pfSense is in Azure, yes (a VM inside the VNet where the VMs reside). pfSense has a public IP with which I make the tunnel with the remote GW.
But yes, the remote GW can't accept private IP addresses in the encryption domain. Somehow I have to put the public IPs of the Azure VMs inside Phase 2. I guess pfSense can make some internal NAT for the VMs from private to public IP and put those public IPs in the encryption domain in Phase 2 of the tunnel.
Best Regards,
Mladen -
Sure, you can NAT the subnets in the Phase 2 config so they appear to be a public IP/subnet to the other end:
https://docs.netgate.com/pfsense/en/latest/book/ipsec/choosing-configuration-options.html#nat-binat-translation
Steve
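Added example (not code from the thread, and not pfSense's own implementation): a small model of what the Phase 2 NAT/BINAT translation linked above does. The private network on the pfSense side is mapped 1:1 onto a same-size "translated" network, and it is the translated network, not the private one, that goes into the Phase 2 local selector, so the remote gateway only ever sees public addresses in its encryption domain. The example also shows the two checks a practitioner trips over: the pair must be the same prefix length, and an untranslated private source never matches a public-only selector. All addresses are constructed (RFC 1918 and RFC 5737 documentation space), the `enc0` interface name in the illustrative pf rule is an assumption, and `translate`, `untranslate`, `phase2_policy` and `selector_matches` are hypothetical helper names.

```python
"""Model of a 1:1 (BINAT) Phase 2 translation, as an added illustration.

Not pfSense code: pfSense generates its own strongSwan and pf rules. The
point is the address arithmetic and the selector check, not the exact rule text.
"""
import ipaddress

# Constructed sample values: the Azure-side VM subnet, the public block it is
# presented as to the far end (assumed), and the on-premise network.
AZURE_PRIVATE = "10.1.0.0/24"
AZURE_TRANSLATED = "203.0.113.0/24"   # assumption: a public block the remote GW accepts
ONPREM_NET = "192.168.100.0/24"


def binat_pair(private_net: str, translated_net: str):
    """Validate a 1:1 pair: same address family and the same prefix length."""
    priv = ipaddress.ip_network(private_net, strict=True)
    trans = ipaddress.ip_network(translated_net, strict=True)
    if priv.version != trans.version:
        raise ValueError("BINAT pair must be the same address family")
    if priv.prefixlen != trans.prefixlen:
        raise ValueError(
            f"BINAT needs same-size networks, got /{priv.prefixlen} and /{trans.prefixlen}"
        )
    return priv, trans


def translate(addr: str, private_net: str, translated_net: str) -> str:
    """Map a private host to its translated address by preserving the host bits."""
    priv, trans = binat_pair(private_net, translated_net)
    ip = ipaddress.ip_address(addr)
    if ip not in priv:
        raise ValueError(f"{addr} is not inside {priv}")
    offset = int(ip) - int(priv.network_address)
    return str(trans.network_address + offset)


def untranslate(addr: str, private_net: str, translated_net: str) -> str:
    """Reverse mapping for tunnel traffic addressed to the translated side."""
    priv, trans = binat_pair(private_net, translated_net)
    ip = ipaddress.ip_address(addr)
    if ip not in trans:
        raise ValueError(f"{addr} is not inside {trans}")
    offset = int(ip) - int(trans.network_address)
    return str(priv.network_address + offset)


def phase2_policy(private_net: str, translated_net: str, remote_net: str) -> dict:
    """What the Phase 2 entry boils down to: traffic selectors built from the
    translated network, plus an illustrative pf binat rule. The rule follows
    pf's binat grammar; the interface name is an assumption."""
    priv, trans = binat_pair(private_net, translated_net)
    remote = ipaddress.ip_network(remote_net, strict=True)
    return {
        "local_ts": str(trans),
        "remote_ts": str(remote),
        "pf_binat": f"binat on enc0 from {priv} to {remote} -> {trans}",
    }


def selector_matches(src: str, dst: str, policy: dict) -> bool:
    """Would a packet with this src/dst be selected by the Phase 2 policy?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(policy["local_ts"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(policy["remote_ts"]))


if __name__ == "__main__":
    policy = phase2_policy(AZURE_PRIVATE, AZURE_TRANSLATED, ONPREM_NET)
    vm, onprem_host = "10.1.0.4", "192.168.100.10"
    print(policy["pf_binat"])
    # Untranslated, the VM's packet does not match the public-only selector.
    print(selector_matches(vm, onprem_host, policy))
    # After translation it does, and the far end sees only 203.0.113.4.
    public_vm = translate(vm, AZURE_PRIVATE, AZURE_TRANSLATED)
    print(public_vm, selector_matches(public_vm, onprem_host, policy))
```

One consequence of the same-size check that matters for the scenario in this thread: if the public addresses the far end will accept are individual, non-contiguous Azure public IPs rather than one block, each VM needs its own /32-to-/32 mapping, which in this model means one Phase 2 entry per VM rather than a single subnet entry.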
-
Thank you Stephanw, I will use NAT/BINAT translation in Phase 2. :)
Best Regards,
Mladen -
Hi, @mbogoev.
Can you tell me if NAT/BINAT solved your problem? I have the same problem with pfSense <-> FortiGate. With pfSense <-> MikroTik, IPsec site-to-site works fine even without NAT/BINAT.
-
You are also using public IPs in the P2 and NATing to them?
How is it failing? More info needed!
Steve