Netgate Discussion Forum
    PFSENSE/AZURE - Remote GW accepts only public IPs in encryption domain

    General pfSense Questions
    • mbogoev

      Hi all, I need help with a very strange scenario.
      I have a VM with pfSense on Azure. My goal is to make an IPsec site-to-site tunnel with a remote GW on-premise.
      You will say ok, it's easy :)
      I thought so too.
      In Azure I have VNets with other VMs that pfSense can put in the encryption domain and voilà.
      But the hard part comes when the other remote GW cannot use private IPs.
      So somehow I have to put the Azure public IPs of those VMs in the encryption domain in the pfSense ph2 tunnel.
      Any idea?
      Some NAT maybe?
      Best Regards,
      Mladen

      • stephenw10 (Netgate Administrator)

        You mean because the pfSense in Azure has a private IP on its WAN? It's behind NAT?

        Or the remote pfSense for some reason must use public IPs at Phase 2? What is that reason?

        Steve

        • mbogoev

          Hi Stephen, thanks for the reply!!!!
          The pfSense is in Azure, yes (a VM inside the VNet where the VMs reside). pfSense has a public IP with which I make the tunnel with the remote GW.
          But yes, the remote GW can't accept private IP addresses in the encryption domain. Somehow I have to put the public IPs of the Azure VMs inside ph2. I guess pfSense can make some internal NAT for the VMs' private to public IP and put those public IPs in the encryption domain in ph2 of the tunnel.

          Best Regards,
          Mladen

          • stephenw10 (Netgate Administrator)

            Sure you can NAT the subnets in the phase 2 config so it appears to be a public IP/subnet to the other end:
            https://docs.netgate.com/pfsense/en/latest/book/ipsec/choosing-configuration-options.html#nat-binat-translation

            Steve

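To see what the Phase 2 NAT/BINAT option Steve points to actually presents to the peer, here is an added example (not from this thread, not pfSense code) that models the 1:1 prefix rewrite and validates a plan before you commit it. All addresses are constructed: 10.1.0.0/29 stands in for the Azure VNet subnet, 203.0.113.0/29 for the public prefix the on-prem gateway will see, and 192.168.50.0/24 for the network behind the remote GW.

```python
# Constructed example: models the 1:1 BINAT that a pfSense Phase 2
# "NAT/BINAT translation" entry performs. Only the public prefix ever
# appears in the peer's encryption domain; the private subnet stays local.
from ipaddress import ip_address, ip_network


def plan_binat(private_cidr, public_cidr, remote_cidr):
    """Validate a Phase 2 BINAT plan and return the selectors each side configures."""
    private = ip_network(private_cidr, strict=True)
    public = ip_network(public_cidr, strict=True)
    remote = ip_network(remote_cidr, strict=True)
    # BINAT is a one-to-one prefix rewrite, so both prefixes must be the same size.
    if private.prefixlen != public.prefixlen:
        raise ValueError("BINAT is 1:1: private and public prefixes must match in size")
    # The translated prefix must not collide with the peer's own network,
    # otherwise the peer cannot distinguish our hosts from its own.
    if public.overlaps(remote):
        raise ValueError("public BINAT prefix overlaps the remote network")
    return {
        "local_network": str(private),         # Phase 2 Local Network on the Azure pfSense
        "nat_binat_translation": str(public),  # Phase 2 NAT/BINAT address on the Azure pfSense
        "remote_network": str(remote),         # Phase 2 Remote Network on the Azure pfSense
        "peer_sees_local_as": str(public),     # the only "remote" prefix the on-prem GW lists
    }


def translate(private_cidr, public_cidr, host):
    """Map one private host to the public address the peer sees (outbound source NAT)."""
    private = ip_network(private_cidr, strict=True)
    public = ip_network(public_cidr, strict=True)
    addr = ip_address(host)
    if addr not in private:
        raise ValueError(f"{host} is not in {private_cidr}; BINAT does not apply")
    # Same host offset inside the same-sized prefix.
    offset = int(addr) - int(private.network_address)
    return str(ip_address(int(public.network_address) + offset))


def untranslate(private_cidr, public_cidr, host):
    """Map a public address from the peer's view back to the private VM (inbound dest NAT)."""
    return translate(public_cidr, private_cidr, host)


if __name__ == "__main__":
    plan = plan_binat("10.1.0.0/29", "203.0.113.0/29", "192.168.50.0/24")
    for key, value in plan.items():
        print(f"{key:24} {value}")
    print("10.1.0.3 is seen by the peer as",
          translate("10.1.0.0/29", "203.0.113.0/29", "10.1.0.3"))
```

The returned dict is what to check against both Phase 2 screens: the Azure side keeps the private subnet as Local Network, while the remote side only needs the public prefix.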
            • mbogoev

              Thank you Stephen, I will use NAT/BINAT translation in phase 2. :)
              Best Regards,
              Mladen

              • marques.vixgmail.com @mbogoev

                Hi, @mbogoev.

                Can you tell me if NAT/BINAT solved your problem? I have the same problem with pfSense <-> FortiGate. With pfSense <-> MikroTik, IPsec site-to-site works fine even without NAT/BINAT.

                • stephenw10 (Netgate Administrator)

                  You also are using public IPs in the P2 and NATing to them?

                  How is it failing? More info needed!

                  Steve

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.