Mobile IPSec to other IPSec tunnel with address translation

  • – Please disregard this, I'm using an OpenVPN-based solution now. --

    I have the following configuration:

    • LAN interface:
    • IPSec tunnel, local, remote (this is with a SaaS vendor, it cannot be changed)
    • IPSec "Mobile Client", local, remote has virtual IPs in

    Everything works, including DNS. I can ping and mobile clients from LAN computers and I can ping LAN computers from mobile clients.

    Now I'd also like to be able to ping from mobile clients.

    As a first step, I added a second phase 2 to the Mobile Clients phase 1, and this correctly routes packets from the mobile clients to the pfSense router through the VPN. But since the IPSec to the vendor is configured with as a local network, the packets that arrive to pfSense from the mobile clients with destination don't really make it through the SaaS IPSec VPN.
    I tried adding 1:1 NAT from to an unused portion of my LAN network ( on the IPSec interface limited to destination address (so that mobile clients packets look like they come from the LAN network) but it does not work.

    So I'd like to get this working, and then I'd also like to try to get all of this working with BINAT on the SaaS IPSec tunnel, since I'd like to renumber the local network but the SaaS vendor isn't really cooperating.

  • Ok, I'm pretty sure I understand why the 1:1 NAT rule doesn't work: both IPSec tunnels run on the same virtual network interface, so the packets never go through the firewall.

