IPsec and 1:1 NAT with different subnet size

  • For days I am completely stuck with the following situation:

    local-pfSense                                   Amazon remote-IPsec
    ****   <=== IPsec (main mode) ===>   ****

    Of course there is the need to add 1:1-NAT in IPsec-Phase-2

    _Mode:_                   Tunnel IPv4
    _Local Network:_          LAN subnet
    _NAT/BINAT translation_   Network
    _Remote Network:_         Network

    Is this correct so far?


    • Tunnel is up

      | Source | Destination | Direction |
      | | | |
      | | | >Outbound |

      The last one seems a little bit weird to me…

    • No traffic through tunnel

    • Firewall is open for ICMP - no block log entries

    • No Additional Routing, Gateway, NAT configured (except for WAN)


    • remote@$ ping
      pfSense Packet Capture on ipSec-Interface

      IP > ICMP echo request,
      IP > ICMP echo request,

      No other traffic; no responses;

    • local@$ ping
      pfSense Packet Capture on LAN-Interface

      IP > ICMP echo request,
      IP > ICMP echo request,

      No other traffic; no responses;

    • Finally pfSense Packet Capture on WAN-Interface: (seems legit to me)

      IP > ICMP echo request,
      IP > ICMP echo request,

      But also no responses.

    Please help me to solve the knot in the brain. Any ideas? Misunderstanding by me about NATing?

  • I recognized that the scenario described above is NOT possible without changing the Network on at least one side.

    Reason: 1:1 NAT is necessary on both sides, but not available on Amazon side for hardware-VPN

    As described here:

    Real Life Example

    So what is it all about. Let us start with a picture and some explanations. What do we have?

    ACME company with internal subnet has an existing tunnel to another company with subnet The firewall therefore will route all packets with destination into the existing tunnel.
    Our OpenWrt user at home already has an IPsec VPN connection too. The OpenWrt firewall protects his network and routes all traffic to towards the established tunnel to another company.
    When establishing a new tunnel between home and ACME without address translation we would run into routing conflicts. E.g. if we want to reach the server from home it could either be a machine in the ACME network or in the other company's network.

    What to do? Both firewall administrators have to choose IP address ranges for the new tunnel that do not overlap with the existing infrastructure. In our case:

    The ACME administrator chooses to "hide" the remote home network behind the subnet So when someone from ACME company wants to reach the newly connected home network he has to take one of those addresses instead of the real ones in range
    The same applies for the home user. He does not want to reach the ACME network with its real IP addresses but changes the target range to
    That means each of both sides determines the remote part of the tunnel subnets.
    Let us look at the packet flow and see where address translation has to occur. Let us assume we want to reach ACME mailserver on address from our laptop with address

    We cannot use the mailserver's real address but have to choose instead. You can see that the lower part of the IP will match the original address while the higher is taken from the translated subnet.
    The laptop sends a packet with header→
    The OpenWrt firewall has to translate the source address into one that can safely pass the tunnel. Again it will only translate the higher digits. The header will become→ If not sure why 2.77 is converted to 3.11 you just have to check the last bits of the home netmask …11000000. Only the last 6 bits will be retained.
    The packet is sent into the tunnel.
    When it reaches the ACME firewall it will be translated again. This time the destination address will be mapped over to the real addresses. The header will be changed to→
    The answer packet of the mailserver will travel this chain backwards.

    And on Amazon:

    Q. How do I connect a VPC to my corporate datacenter?

    Establishing a hardware VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a hardware VPN connection.
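The translation rule quoted above (keep the host bits, swap in the network bits of the "hidden" subnet) is also exactly what the Phase 2 form in the first post asks for: "Local Network" is what the hosts really use, "NAT/BINAT translation" is the network the peer sees. The following added example, which is not code from the thread, pfSense or the OpenWrt wiki, implements that 1:1 mapping with Python's standard `ipaddress` module, walks a packet through the two-firewall chain the quoted text describes, and refuses the case that gives this thread its title: a local and a translated network of different prefix length, where the host bits of one side cannot be carried over unchanged. All addresses and subnets in it are constructed for illustration (documentation and private ranges), not the poster's real ones.

```python
from ipaddress import IPv4Address, IPv4Network


def binat_translate(addr, local_net, nat_net):
    """Map addr from local_net onto the corresponding address in nat_net.

    The host bits (those under local_net's hostmask) are retained and the
    network bits are replaced by nat_net's, which is the 1:1 (BINAT) rule
    quoted in the thread. Both networks must have the same prefix length;
    otherwise one side has host bits the other side cannot represent, so
    the mapping would no longer be one-to-one.
    """
    addr = IPv4Address(addr)
    local_net = IPv4Network(local_net)
    nat_net = IPv4Network(nat_net)
    if local_net.prefixlen != nat_net.prefixlen:
        raise ValueError(
            f"1:1 NAT needs equal subnet sizes: {local_net} is /{local_net.prefixlen}, "
            f"{nat_net} is /{nat_net.prefixlen}"
        )
    if addr not in local_net:
        raise ValueError(f"{addr} is not inside {local_net}")
    host_bits = int(addr) & int(local_net.hostmask)
    return IPv4Address(int(nat_net.network_address) | host_bits)


def trace_flow(laptop, mailserver_real, home_net, home_hidden, acme_net, acme_hidden):
    """Reproduce the packet-flow chain from the quoted OpenWrt description.

    home_hidden: the subnet ACME uses to reach the home network
    acme_hidden: the subnet the home network uses to reach ACME
    Returns the (src, dst) header as seen at each of the three steps:
    leaving the laptop, inside the tunnel, and arriving at the mailserver.
    """
    # The laptop cannot use the mailserver's real address; it targets the
    # translated one instead (host bits of the real address are kept).
    dst_on_laptop = binat_translate(mailserver_real, acme_net, acme_hidden)
    # The home firewall translates the source into the hidden home range.
    src_in_tunnel = binat_translate(laptop, home_net, home_hidden)
    # The ACME firewall maps the destination back to the real address.
    dst_real = binat_translate(dst_on_laptop, acme_hidden, acme_net)
    return [
        (str(laptop), str(dst_on_laptop)),
        (str(src_in_tunnel), str(dst_on_laptop)),
        (str(src_in_tunnel), str(dst_real)),
    ]


def subnet_sizes_match(local_net, nat_net):
    """Quick pre-check for a Phase 2 entry: can this pair be 1:1 translated?"""
    return IPv4Network(local_net).prefixlen == IPv4Network(nat_net).prefixlen


if __name__ == "__main__":
    # Constructed values: a /26 home network (netmask ends in ...11000000, so
    # the last 6 host bits survive) hidden behind another /26, and a /24 ACME
    # network hidden behind a /24.
    for hop in trace_flow("192.0.2.77", "10.0.0.25",
                          "192.0.2.64/26", "198.51.100.0/26",
                          "10.0.0.0/24", "203.0.113.0/24"):
        print(f"{hop[0]} -> {hop[1]}")
    # The situation from the thread title: sizes differ, so no 1:1 mapping.
    print(subnet_sizes_match("192.0.2.0/24", "198.51.100.0/25"))
```

The `subnet_sizes_match` check is the one to run before building a Phase 2 entry: if it is false, one of the two networks has to change, which is the conclusion the second post arrives at. Note that the chain only works because each firewall translates the side it owns; the Amazon FAQ quoted above states that AWS does no translation on its side, so in the thread's setup the second translation step would have to be done entirely on the pfSense side.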
