Mobile IPSEC and BINAT



  • We have Mobile IPsec working on pfSense 2.3.2, but our internal subnet is unfortunately 192.168.1.0/24, so we run into issues and would like to utilize BINAT.

    This seemed very straightforward based on the pfSense docs but so far hasn't panned out.  We changed our working configuration to just add the BINAT subnet of 192.168.34.0/24, but it doesn't seem to help.

    We are using the Shrewsoft VPN client (free), and the odd thing we notice is that the route it provides to the client doesn't change.  It feeds it 192.168.1.0/24, not the BINAT subnet.

    Does anybody have a working Mobile IPSEC configuration using BINAT?



  • We tried manually working with 1:1 NAT to get around this as well but still haven't come to a resolution.  I would suspect this is a pretty common configuration, so I'm surprised not to find any forum posts about this specific config.


  • LAYER 8 Netgate

    What is your local network in the phase 2 set to?



  • Our local network is set to 192.168.1.0/24 (the actual LAN) and the BINAT is 192.168.34.0/24 (what we would like to translate that subnet to).



  • Also, we did try flipping the local/BINAT subnets in case they were supposed to be the other way around but it didn't seem to help.



  • A few more things we have tried without success…

    • Adding a 1:1 NAT entry for this BINAT (this worked for OpenVPN but not IPSEC)
    • Changing NAT-T between Force/Auto

    Still no love no matter what.  We have to force-add the routes on the Shrewsoft VPN client for the BINAT network, and we can see the traffic coming into the IPSEC tunnel but no replies and no traffic hitting the LAN, so it seems like NAT is not happening.  No entries in the firewall logs showing that this is blocked either.
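The two facts that decide whether this setup can work are both visible in the thread: the local network in the phase 2 must stay the real LAN (192.168.1.0/24) and the NAT/BINAT field must be the translated network (192.168.34.0/24), and the traffic selector the client is offered must then be the translated network, because a client whose own home LAN is also 192.168.1.0/24 will never send 192.168.1.x traffic into the tunnel at all. The following script is an added example, not code from the thread or from pfSense: it models that 1:1 host-preserving translation both directions and checks the route the client actually received against what the phase 2 should offer, reproducing the symptom reported above (route for the real LAN instead of the BINAT network). The `Phase2`, `binat_translate` and `check_client_route` names, and the client's home LAN value, are assumptions constructed for the example.

```python
"""Model of a pfSense-style Mobile IPsec phase 2 with BINAT, plus a
diagnostic for the symptom in this thread: the client is handed the
real LAN as its route instead of the translated (BINAT) network.
Added example; not pfSense code."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

# Values from the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")      # real LAN behind pfSense
BINAT = ipaddress.ip_network("192.168.34.0/24")   # network the LAN is presented as
# Constructed for the example: a road warrior whose home LAN collides with the office LAN.
CLIENT_HOME = ipaddress.ip_network("192.168.1.0/24")


def binat_translate(addr: str, src_net: IPv4Net, dst_net: IPv4Net) -> ipaddress.IPv4Address:
    """1:1 map addr out of src_net into dst_net, keeping the host bits.
    Works in both directions (LAN -> BINAT for replies, BINAT -> LAN for inbound)."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT needs two networks of the same size")
    host_bits = int(ip) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


@dataclass
class Phase2:
    """The two phase 2 fields that matter here."""
    local_network: IPv4Net            # "Local Network": the real LAN
    nat_binat: Optional[IPv4Net]      # "NAT/BINAT translation": what the peer sees

    def traffic_selector(self) -> IPv4Net:
        """Local traffic selector offered to the client: the translated
        network when BINAT is configured, otherwise the real LAN."""
        return self.nat_binat if self.nat_binat is not None else self.local_network


def check_client_route(p2: Phase2, route_pushed: IPv4Net, client_home: IPv4Net) -> list[str]:
    """Return findings about the route the client actually received."""
    findings: list[str] = []
    expected = p2.traffic_selector()
    if route_pushed != expected:
        findings.append(f"client routed to {route_pushed}, phase 2 should offer {expected}")
    if route_pushed.overlaps(client_home):
        findings.append(
            f"route {route_pushed} overlaps the client's local {client_home}; "
            "traffic for it is delivered locally and never enters the tunnel"
        )
    return findings


def simulate_flow(p2: Phase2, client_dst: str) -> tuple[str, str]:
    """Inbound packet to client_dst: translate to the LAN host, then translate
    the reply source back. Returns (lan_host, reply_src) as strings."""
    assert p2.nat_binat is not None
    lan_host = binat_translate(client_dst, p2.nat_binat, p2.local_network)
    reply_src = binat_translate(str(lan_host), p2.local_network, p2.nat_binat)
    return str(lan_host), str(reply_src)


if __name__ == "__main__":
    p2 = Phase2(local_network=LAN, nat_binat=BINAT)
    print("selector offered to client:", p2.traffic_selector())
    print("misconfigured route findings:", check_client_route(p2, LAN, CLIENT_HOME))
    print("correct route findings:", check_client_route(p2, BINAT, CLIENT_HOME))
    print("flow to 192.168.34.10:", simulate_flow(p2, "192.168.34.10"))
```

The second finding is the one worth keeping in mind when the client is on a colliding home network: even with the right route pushed, nothing about the pfSense side can rescue a client that routes 192.168.1.0/24 to its own LAN, which is exactly why the offered selector has to be the translated network.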

