IPSec, policy routing, snat
  • Dear all!

    Long story short, I'm forced to use a /28 local subnet in this specific IPsec, but my LAN is /24, so I was not able to NAT on phase 2; I've therefore created an OPT1 interface with a /28.
    Now the IPsec is up and running, and I'm able to use the tunnel with Diagnostics/Test Port with the source address set to OPT1, but not with LAN.

    I want to access the IPsec tunnel from my LAN addresses, preferably with source NAT to one of the IPs from OPT1.

    So let's assume:

    LAN: 10.0.1.0/24
    OPT1: 10.0.2.0/28

    IPsec remote subnet is: 192.168.0.0/16

    With source from LAN 10.0.1.0/24 and destination 192.168.0.0/16, it should go through the IPsec tunnel, let's say with 10.0.2.1.

    I've tried Outbound NAT to translate the LAN address to OPT1 (10.0.2.1) address, also policy routing without any success.

    Any hint is welcome.

    Best regards,
      gimp



  • After some digging, I would say this is rather a NAT/routing issue than IPSec.

    Installing one more pfSense; let's call it PF2 and the original PF1.

    Settings as follows:
    PF1(LAN): 10.0.1.1
    PF1(OPT1): 10.0.2.1
    PF1(WAN): x.x.x.x

    PF2(LAN): 10.0.1.2
    PF2(WAN): 10.0.2.2 (gw: 10.0.2.1) (the OPT1 on PF1)

    On PF1, adding a static route to the remote subnet (192.168.0.0/16) with gw 10.0.1.2 (PF2).
    I'm able to access the remote subnet from LAN on PF1.

    So accessing the remote LAN from PF1 LAN, the route is:
    PF1(LAN) --> PF2(LAN) --> PF2(WAN) --> PF1(OPT1) --> IPsec tunnel

    Everything is working as expected but doesn't seem right. Is there a way to achieve the same functionality without involving PF2?

    I was also able to make it work with an OpenVPN server with a /28 subnet: I could NAT on IPsec phase 2 so OVPN clients access the remote LAN, but not from LAN directly.

    Best regards.
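To make the failure mode in both posts concrete, here is an added example (not from the thread's author and not pfSense code) that models the decision an IPsec gateway makes for an outbound packet: the packet is first optionally rewritten by an outbound NAT rule, then checked against the Phase 2 traffic selector (local 10.0.2.0/28, remote 192.168.0.0/16). A LAN source (10.0.1.x) fails the selector and never enters the tunnel, which is why the OPT1 source works and the LAN source does not. The model also shows why an outbound NAT rule bound to the wrong interface has no effect: tunnel traffic exits via the IPsec interface, so only a rule on that interface is consulted before the selector lookup. The interface labels "ipsec" and "opt1" and the host addresses 10.0.1.50, 10.0.2.5 and 192.168.1.10 are constructed for the example; the subnets come from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Tuple

# Topology from the thread (constructed NAT address is the OPT1 gateway address)
LAN = ip_network("10.0.1.0/24")
OPT1 = ip_network("10.0.2.0/28")
REMOTE = ip_network("192.168.0.0/16")
OPT1_NAT_ADDR = ip_address("10.0.2.1")


@dataclass(frozen=True)
class Phase2:
    """IPsec Phase 2 traffic selector: only src in local AND dst in remote is protected."""
    local: IPv4Network
    remote: IPv4Network

    def selects(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


@dataclass(frozen=True)
class OutboundNat:
    """One outbound NAT rule, bound to the interface the packet exits through."""
    interface: str          # assumed label, e.g. "ipsec" or "opt1"
    src_net: IPv4Network
    dst_net: IPv4Network
    translate_to: IPv4Address


def apply_outbound_nat(src: IPv4Address, dst: IPv4Address, exit_interface: str,
                       rules: Iterable[OutboundNat]) -> IPv4Address:
    """First matching rule on the exit interface wins; otherwise the source is unchanged."""
    for rule in rules:
        if rule.interface == exit_interface and src in rule.src_net and dst in rule.dst_net:
            return rule.translate_to
    return src


def tunnel_decision(src_str: str, dst_str: str, p2: Phase2,
                    rules: Iterable[OutboundNat]) -> Tuple[bool, str]:
    """Return (enters_tunnel, effective_source) for one outbound packet.

    Assumption (modelled, not a pfSense guarantee): traffic destined for the Phase 2
    remote network exits via the "ipsec" interface, and outbound NAT on that interface
    is applied before the selector check.
    """
    src, dst = ip_address(src_str), ip_address(dst_str)
    if dst not in p2.remote:
        return (False, str(src))            # not tunnel traffic at all
    translated = apply_outbound_nat(src, dst, "ipsec", rules)
    return (p2.selects(translated, dst), str(translated))


P2 = Phase2(OPT1, REMOTE)
# Rule bound to OPT1: never consulted for tunnel traffic, so it cannot help.
NAT_ON_OPT1 = [OutboundNat("opt1", LAN, REMOTE, OPT1_NAT_ADDR)]
# Rule bound to the IPsec interface: rewrites the LAN source before the selector check.
NAT_ON_IPSEC = [OutboundNat("ipsec", LAN, REMOTE, OPT1_NAT_ADDR)]

if __name__ == "__main__":
    cases = [
        ("OPT1 host, no NAT", "10.0.2.5", "192.168.1.10", []),
        ("LAN host, no NAT", "10.0.1.50", "192.168.1.10", []),
        ("LAN host, NAT on OPT1", "10.0.1.50", "192.168.1.10", NAT_ON_OPT1),
        ("LAN host, NAT on IPsec", "10.0.1.50", "192.168.1.10", NAT_ON_IPSEC),
    ]
    for label, src, dst, rules in cases:
        ok, eff = tunnel_decision(src, dst, P2, rules)
        print(f"{label:24s} -> tunnel={ok!s:5s} effective source={eff}")
```

Running it shows the three outcomes the thread describes: an OPT1 source enters the tunnel unchanged, a LAN source is dropped by the selector, and only a NAT rule consulted on the IPsec path turns 10.0.1.50 into 10.0.2.1 so the selector accepts it. The same selector logic explains the PF2 hairpin: by the time the packet reaches PF1's OPT1 it already carries a 10.0.2.0/28 source, so no NAT is needed.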