Asymmetric routing problem with 1:1 NAT and IPSEC VPN



  • Hello,
    I'm having trouble using 1:1 NAT with an IPSEC VPN. My setup is the following:

    • The VPN's phase 2 is 10.0.44.0/25 (remote) / 10.0.44.128/25 (local)

    • I configured a 1:1 NAT from 10.0.44.129 to a LAN IP: 192.168.xx

    When I ping 10.0.44.129 from the remote side of the VPN, I can see that the packet arrives on the LAN interface and is sent to the 192.168.xx server which replies to me (10.0.44.1).
    However, this packet is then sent to the WAN interface instead of the IPSEC one, as I noticed using tcpdump.

    Is that an expected behaviour? What can I do to fix this?

    I'm running pfSense 2.2.4.


  • Netgate

    Their phase 2 should be: 10.0.44.0/25 (them) / 10.0.44.128/25 (you)

    Your phase 2 should be: 192.168.xx (you) / 10.0.44.0/25 (them)

    I'm running pfSense 2.2.4.

    You should seriously consider upgrading.



  • The thing is I want to be able to NAT several addresses to different networks without having to create a separate phase 2 for them. Is that not possible?
    As for the update, I've been meaning to do it but I haven't had an opportunity to schedule it yet…


  • Netgate

    The thing is I want to be able to NAT several addresses to different networks without having to create a separate phase 2 for them. Is that not possible?

    Probably not but without some examples of what you want to do that's kind of a guess.



  • Well, I'd like to have 10.0.44.129 pointing to 192.168.10.1 in VLAN 10 and 10.0.44.130 pointing to 192.168.11.1 in VLAN 11. Is that possible?
    I don't want to add a phase 2 for 192.168.10.0/24 and one for 192.168.11.0/24, since I would like to avoid creating many phase 2 entries.


  • Netgate

    You will need a phase 2 or IPsec will not be interested in traffic from 192.168.11.1.
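Editor's added example (not code from the thread, from pfSense or from Netgate): a small Python model of the outbound IPsec policy (SPD) lookup that decides whether a packet is tunneled or simply routed. It reproduces what the original poster saw with tcpdump (the server's reply, sourced from 192.168.x.x, matches no phase 2 selector and so follows the default route out WAN) and the point made above that every LAN host that must use the tunnel needs a phase 2 that names it. The addresses 192.168.10.1 and 192.168.11.1, the `walk_through` function and the `translate_first` map are constructed for the example; the map is an assumption that models a 1:1 translation applied before the policy lookup, which is not how an interface 1:1 NAT rule behaves.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 (traffic selector pair) as pfSense presents it."""
    local: IPv4Network   # "Local Network": hosts on our side of the tunnel
    remote: IPv4Network  # "Remote Network": hosts on the peer's side


def p2(local: str, remote: str) -> Phase2:
    return Phase2(ip_network(local), ip_network(remote))


def outbound_policy(src: str, dst: str, policies: List[Phase2]) -> Optional[Phase2]:
    """Outbound SPD lookup: a packet is pulled into the tunnel only if its
    source lies in some phase 2's local selector AND its destination lies in
    that same phase 2's remote selector. NAT rules on interfaces play no part."""
    s, d = ip_address(src), ip_address(dst)
    for pol in policies:
        if s in pol.local and d in pol.remote:
            return pol
    return None


def inbound_allowed(src: str, dst: str, policies: List[Phase2]) -> bool:
    """Inbound check on decrypted traffic: the selectors apply mirrored
    (remote must contain the source, local must contain the destination)."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in pol.remote and d in pol.local for pol in policies)


def egress(src: str, dst: str, policies: List[Phase2],
           translate_first: Optional[Dict[str, str]] = None) -> str:
    """Where the firewall sends a LAN-originated packet.

    The policy lookup wins over routing; if no phase 2 matches, the packet
    follows the routing table, i.e. the default route out WAN for a
    10.0.44.0/25 destination with no static route. `translate_first` is a
    hypothetical 1:1 map applied BEFORE the policy lookup (assumption: it
    models a translation that is part of the IPsec policy itself, unlike an
    interface 1:1 NAT rule, which is applied only as the packet leaves an
    interface that has already been chosen)."""
    if translate_first and src in translate_first:
        src = translate_first[src]
    return "ipsec" if outbound_policy(src, dst, policies) else "wan"


# --- Constructed scenario based on the thread -----------------------------
PEER = "10.0.44.1"          # remote host that pings 10.0.44.129
VIP = "10.0.44.129"         # 1:1 NAT address inside the tunnel range
SERVER = "192.168.10.1"     # real LAN server behind the NAT (VLAN 10, assumed)
OTHER = "192.168.11.1"      # second server on VLAN 11 (assumed)

# What the poster configured: the phase 2 covers only the NAT range.
ORIGINAL = [p2("10.0.44.128/25", "10.0.44.0/25")]

# What Netgate suggested: the phase 2 names the real LAN host.
SUGGESTED = [p2(SERVER + "/32", "10.0.44.0/25")]


def walk_through() -> dict:
    return {
        # The inbound ping is accepted: 10.0.44.1 -> 10.0.44.129 is inside the selectors.
        "inbound_ok": inbound_allowed(PEER, VIP, ORIGINAL),
        # The reply leaves the server as 192.168.10.1 -> 10.0.44.1. No selector
        # contains 192.168.10.1, so it is routed, not tunneled: the WAN packet
        # seen in tcpdump.
        "reply_original": egress(SERVER, PEER, ORIGINAL),
        # With a phase 2 for the real host, the reply is tunneled.
        "reply_suggested": egress(SERVER, PEER, SUGGESTED),
        # A second host still needs its own phase 2.
        "other_suggested": egress(OTHER, PEER, SUGGESTED),
        # Only a translation applied before the policy lookup makes the
        # original selectors match the reply.
        "reply_translate_first": egress(SERVER, PEER, ORIGINAL, {SERVER: VIP}),
    }


if __name__ == "__main__":
    for name, result in walk_through().items():
        print(f"{name:22s} {result}")
```

Running it prints `reply_original wan` next to `reply_suggested ipsec`, which is the whole asymmetry in one line: the inbound packet is matched on its translated address 10.0.44.129, the reply is matched on its untranslated address 192.168.10.1.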



  • How come I can do that on Fortinet for instance? I just create my IPSEC VPN with the 10.0.44.128/25 P2 and a VIP 10.0.44.129, make it point to an IP from any local network and it works.
    Is this behaviour non-standard? I guess I could use OpenVPN instead, right?