Using public IP addresses for remote subnet and routing?



  • Hello!

    I have a bit of an issue with one of my IPsec configurations.

    My parent company has made a new service available for their own users and set up a VPN for us to get to it.
The IPsec configuration at my end: P1 is a public IP and P2 is a /30 with 4 public IPs.
    The IPsec connection itself between them and us is working and the tunnel is established, but I cannot put any traffic through it.
    The difference from my working setups, which have private IP ranges in both remote subnets, is most likely that the parent company uses public addresses for the remote subnet.

When I tell a computer in the LAN network to route its traffic towards the public /30 via pfSense's LAN interface, nothing happens.
    Or rather, what does happen is that pfSense decides it wants to route the public IP traffic towards its WAN gateway instead of through the IPsec tunnel.

I believe I have looked in every nook and cranny but still haven't managed to find somewhere I can tell pfSense to use its tunnel first, before going to its WAN gateway and just sending it over the internet.
    What am I missing here?



  • The problem appears to be solvable with BINAT in the IPsec phase 2.

    https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks

Under Local Network I have put my LAN addresses.
    In the NAT/BINAT configuration I have put my external IP, which the other end sees.
    In Remote Network I have put the public /30 addresses.

    Something was not entirely right at the other end; I will have to wait for them to get back to me.
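The reply above describes a phase 2 whose Local Network is the LAN but whose NAT/BINAT field presents a single external address to the peer. The following is an added, self-contained model of why that matters (example code written for this thread, not pfSense or strongSwan code): phase 2 traffic selectors only produce a usable child SA when the two sides mirror each other, so if the peer's phase 2 lists your external /32 as its remote network (an assumption about the parent company's side, consistent with the fix that worked), a local side that presents 192.168.x.0/24 never agrees with it, while one that NATs the LAN behind the external address does. All addresses below are constructed documentation ranges, not the poster's real ones.

```python
"""Model of pfSense IPsec phase 2 traffic selection with and without NAT/BINAT.

This is an illustrative model, not pfSense's own logic: it checks whether a
packet matches the local phase 2 selector and whether our presented selector
mirrors the peer's, which is what decides whether a child SA can carry it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass
class Phase2:
    local: IPNet                 # "Local Network" in the pfSense P2 page
    remote: IPNet                # "Remote Network"
    nat: Optional[IPNet] = None  # "NAT/BINAT translation"; None means disabled

    def presented_local(self) -> IPNet:
        """The local network the peer actually sees in the selector."""
        return self.nat if self.nat is not None else self.local

    def nat_mode(self) -> str:
        """pfSense semantics: single NAT address for a network = many-to-one,
        equal-sized NAT network = 1:1 BINAT."""
        if self.nat is None:
            return "none"
        if self.nat.num_addresses == 1 and self.local.num_addresses > 1:
            return "many-to-one"
        if self.nat.prefixlen == self.local.prefixlen:
            return "1:1 BINAT"
        raise ValueError("NAT/BINAT must be one address or the same size as Local Network")


def phase2(local: str, remote: str, nat: Optional[str] = None) -> Phase2:
    """Build a Phase2 from the strings you would type into the GUI fields."""
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote),
                  ipaddress.ip_network(nat) if nat else None)


def translate_source(p2: Phase2, src: Union[str, IPAddr]) -> IPAddr:
    """Source address the peer sees after the P2's NAT/BINAT is applied."""
    src = ipaddress.ip_address(src)
    mode = p2.nat_mode()
    if mode == "none":
        return src
    if mode == "many-to-one":
        return p2.nat.network_address          # everything hides behind one IP
    offset = int(src) - int(p2.local.network_address)   # 1:1 keeps host bits
    return p2.nat.network_address + offset


def selectors_agree(mine: Phase2, peer: Phase2) -> bool:
    """Peer's P2 must be the mirror image of what we present."""
    return mine.presented_local() == peer.remote and mine.remote == peer.local


def classify(src: str, dst: str, mine: Phase2, peer: Phase2) -> str:
    """Where a LAN packet ends up under this model."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in mine.local or d not in mine.remote:
        # No phase 2 selector claims it, so the routing table (WAN gateway) wins.
        return "routed via default gateway"
    if not selectors_agree(mine, peer):
        # Selector exists locally but the peer will never negotiate a matching SA.
        return "selector mismatch with peer"
    return f"tunnel {translate_source(mine, s)} -> {d}"


# Constructed example values (RFC 5737 documentation ranges, not real sites).
LAN = "192.168.1.0/24"          # our LAN
EXTERNAL = "198.51.100.10/32"   # our public IP, the one the peer sees
REMOTE30 = "203.0.113.8/30"     # the parent company's public /30

MINE_NO_NAT = phase2(LAN, REMOTE30)             # original, non-working P2
MINE_BINAT = phase2(LAN, REMOTE30, EXTERNAL)    # P2 with NAT/BINAT set
PEER = phase2(REMOTE30, EXTERNAL)               # assumed peer P2: remote = our /32


if __name__ == "__main__":
    for name, p2 in (("no NAT", MINE_NO_NAT), ("BINAT", MINE_BINAT)):
        print(name, "->", classify("192.168.1.10", "203.0.113.9", p2, PEER))
    print("off-tunnel ->", classify("192.168.1.10", "8.8.8.8", MINE_BINAT, PEER))
```

Run it and the "no NAT" line reports a selector mismatch while the "BINAT" line shows the LAN host entering the tunnel as 198.51.100.10; a destination outside the /30 is left to the routing table either way. The model deliberately stops at selector agreement; it does not claim to reproduce what the kernel does with a packet whose SPD entry has no SA.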