Mobile IPSec to other IPSec tunnel with address translation
– Please disregard this, I'm using an OpenVPN-based solution now. --
I have the following configuration:
- LAN interface: 172.16.0.0/16
- IPSec tunnel, local 172.16.0.0/16, remote 192.168.100.50/32 (this is with a SaaS vendor, it cannot be changed)
- IPSec "Mobile Client", local 172.16.0.0/16, remote has virtual IPs in 172.17.0.0/24
Everything works, including DNS. I can ping 192.168.100.50 and mobile clients from LAN computers, and I can ping LAN computers from mobile clients.
Now I'd also like to be able to ping 192.168.100.50 from mobile clients.
As a first step, I added a second phase 2 to the Mobile Clients phase 1, and this correctly routes packets from the mobile clients to the pfSense router through the VPN. But since the IPSec to the vendor is configured with 172.16.0.0/16 as a local network, the packets that arrive to pfSense from the mobile clients with destination 192.168.100.50 don't really make it through the SaaS IPSec VPN.
I tried adding 1:1 NAT from 172.17.0.0/24 to an unused portion of my LAN network (172.16.250.0/24) on the IPSec interface limited to destination address 192.168.100.50 (so that mobile clients packets look like they come from the LAN network) but it does not work.
So I'd like to get this working, and then I'd also like to try to get all of this working with BINAT on the SaaS IPSec tunnel, since I'd like to renumber the local network but the SaaS vendor isn't really cooperating.
Ok, I'm pretty sure I understand why the 1:1 NAT rule doesn't work: both IPSec tunnels run on the same virtual network interface, so the packets never go through the firewall.