Netgate Discussion Forum

    IPSec, policy routing, snat

gimp:

      Dear all!

Long story short, I'm forced to use a /28 local subnet in the specific IPsec, but my LAN is /24, so I was not able to NAT on Phase 2, so I've created an OPT1 interface with /28.
Now the IPsec is up and running. I'm able to use the tunnel with Diagnostics/Test Port with the source address set to OPT1, but not with LAN.

I want to access the IPsec tunnel from my LAN addresses, preferably with source NAT to one of the IPs from OPT1.

So let's assume:

      LAN: 10.0.1.0/24
      OPT1: 10.0.2.0/28

IPsec remote subnet is: 192.168.0.0/16

With source from LAN 10.0.1.0/24 and destination 192.168.0.0/16, it should go through the IPsec tunnel, let's say with 10.0.2.1.

I've tried Outbound NAT to translate the LAN address to the OPT1 (10.0.2.1) address, and also policy routing, without any success.

      Any hint is welcome.

Best regards,
gimp

gimp:

After some digging, I would say this is rather a NAT/routing issue than IPsec.

Installing one more pfSense; let's call it PF2 and the original PF1.

        Settings as follows:
        PF1(LAN): 10.0.1.1
        PF1(OPT1): 10.0.2.1
        PF1(WAN): x.x.x.x

        PF2(LAN): 10.0.1.2
        PF2(WAN): 10.0.2.2 (gw: 10.0.2.1) (the OPT1 on PF1)

On PF1, adding a static route to the remote subnet (192.168.0.0/16) with gateway 10.0.1.2 (PF2).
I'm able to access the remote subnet from LAN on PF1.

So the route for accessing the remote LAN from the PF1 LAN is:
PF1(LAN) --> PF2(LAN) --> PF2(WAN) --> PF1(OPT1) --> IPsec tunnel

Everything is working as expected, but it doesn't seem right. Is there a way to achieve the same functionality without involving PF2?

I was also able to make it work with an OpenVPN server with a /28 subnet: I could NAT on IPsec Phase 2 so OVPN clients access the remote LAN, but not from LAN directly.

        Best regards.

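To make the mechanics behind the workaround concrete, here is an added Python model of the addresses in this thread; it is not pfSense code and not the poster's configuration. It assumes a policy-based tunnel whose Phase 2 selector is checked against the source address as it stands when the IPsec policy is consulted, which is why the PF2 hop (source rewritten to 10.0.2.2, inside the /28) matches while an untranslated LAN source does not.

```python
from ipaddress import ip_address, ip_network

# Addresses taken from the thread; the topology itself is a constructed model.
LAN = ip_network("10.0.1.0/24")
PHASE2_LOCAL = ip_network("10.0.2.0/28")      # OPT1, the /28 the IPsec peer requires
PHASE2_REMOTE = ip_network("192.168.0.0/16")  # remote subnet behind the tunnel


def matches_phase2(src, dst):
    """A packet is tunnelled only if both ends fall inside the Phase 2 selector."""
    return ip_address(src) in PHASE2_LOCAL and ip_address(dst) in PHASE2_REMOTE


def forward(src, dst, snat_to=None):
    """Decide what happens to a packet that wants to reach the remote subnet.

    snat_to: address the source is rewritten to *before* the selector lookup.
      None      -> the plain setup (LAN source, no translation)
      "10.0.2.1" -> SNAT on PF1 to an OPT1 address, what the poster wants
      "10.0.2.2" -> the PF2 hop: PF2's WAN address sits inside OPT1's /28
    Returns (decision, source address as seen by the IPsec policy).
    """
    if ip_address(dst) not in PHASE2_REMOTE:
        return ("routed-normally", src)          # not tunnel traffic at all
    effective_src = src
    if snat_to is not None and ip_address(src) in LAN:
        effective_src = snat_to                  # translation happens first
    if matches_phase2(effective_src, dst):
        return ("ipsec", effective_src)
    # Destination is in the remote subnet but the source is outside the /28:
    # no selector matches, so the packet falls back to the ordinary routing table.
    return ("no-selector-match", effective_src)


def trace_pf2_path(src, dst):
    """Hop list for the two-box workaround described in the second post."""
    decision, _ = forward(src, dst, snat_to="10.0.2.2")
    hops = ["PF1(LAN)", "PF2(LAN)", "PF2(WAN) SNAT->10.0.2.2", "PF1(OPT1)"]
    return hops + ["IPsec tunnel"] if decision == "ipsec" else hops


if __name__ == "__main__":
    print(forward("10.0.1.50", "192.168.1.10"))                      # no selector match
    print(forward("10.0.1.50", "192.168.1.10", snat_to="10.0.2.1"))  # tunnelled
    print(trace_pf2_path("10.0.1.50", "192.168.1.10"))
```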
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.