IPSec, policy routing, snat

    Long story short, I'm forced to use a /28 local subnet in this specific IPsec, but my LAN is /24, so I was not able to NAT on phase 2; instead I've created an OPT1 interface with a /28.
    Now the IPsec is up and running. I'm able to use the tunnel with Diagnostics/Test Port with the source address set to OPT1, but not with LAN.

    I want to access the IPsec tunnel from my LAN addresses, preferably with source NAT to one of the IPs from OPT1.

    So let's assume:


    IPsec remote subnet is:

    With source from LAN and destination then it should go through the IPsec tunnel, let's say with

    I've tried Outbound NAT to translate the LAN address to OPT1 ( address, and also policy routing, without any success.

  • After some digging, I would say this is rather a NAT/routing issue than IPsec.

    Installing one more pfSense; let's call it PF2 and the original PF1.

    Settings as follows:
    PF1(WAN): x.x.x.x

    PF2(WAN): (gw: (the OPT1 on PF1)

    On PF1, adding a static route to the remote subnet ( with gw to (PF2).
    I'm able to access the remote subnet from LAN on PF1.

    So the route for accessing the remote LAN from PF1 LAN is:
    PF1(LAN) --> PF2(LAN) --> PF2(WAN) --> PF1(OPT1) --> IPsec tunnel

    Everything is working as expected, but it doesn't seem right; is there a way to achieve the same functionality without involving PF2?

    I was also able to make it work with an OpenVPN server with a /28 subnet: I could NAT on IPsec phase 2 so OVPN clients access the remote LAN, but not from LAN directly.
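The many-to-one source NAT asked for in the opening post (LAN /24 hosts leaving the tunnel as a single address inside the /28 that phase 2 declares), shown below as an added illustration in pf.conf syntax; it is not configuration from the thread or from pfSense itself. It assumes that pfSense hands IPsec traffic to pf on the enc0 interface and that the tunnel's phase 2 selectors cover the untranslated LAN source (on pfSense that is what the Phase 2 NAT/BINAT translation option with type "Address" arranges; a bare Outbound NAT rule does not update the SPD). All addresses are constructed placeholders.

```pf
# Added example, not from the original post. Constructed placeholder addresses:
lan_net    = "192.168.1.0/24"   # the /24 behind PF1 LAN (placeholder)
opt1_net   = "10.10.10.0/28"    # the /28 the IPsec phase 2 declares as local network (placeholder)
opt1_nat   = "10.10.10.2"       # one address inside that /28, used as the translated source (placeholder)
remote_net = "172.16.50.0/24"   # IPsec phase 2 remote network (placeholder)

# Many-to-one source NAT on the IPsec interface (assumption: enc0 on pfSense):
# LAN hosts bound for the remote network are rewritten to $opt1_nat, which the
# far end already accepts because it lies inside the declared /28. Only
# traffic "to $remote_net" is touched, so ordinary WAN egress NAT is unaffected.
nat on enc0 from $lan_net to $remote_net -> $opt1_nat

# Allow the translated flow out through the tunnel with state tracking
# (pfSense generates its own pass rules from the IPsec firewall tab; this line
# only makes the example self-contained).
pass out on enc0 from $opt1_nat to $remote_net keep state
```

To verify on the firewall, `pfctl -s nat` should list the translation rule, and while a LAN host pings the remote side `pfctl -s state` should show a state on enc0 whose source has been rewritten to the /28 address. If the state is created but the far end never answers, the remote phase 2 does not cover that /28 address, or the local phase 2 selector still matches only the /28 rather than the LAN source, in which case no translation rule alone will tunnel the traffic.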

