Multi-site IPSec query

  • Hi,

    Hoping this is the right place and not the NAT forum.  Apologies if it is.

    A summary of what I have currently …

    I have my head office and a branch office, connected perfectly well via IPSec.  Both sites are running pfsense (v2.2.5).  Branch office can connect with head office resources no problem.

    I also have an IPSec tunnel from the head office to a 3rd party intermediary, which I use to gain access to a specific public IP address.  This address is only accessible via the 3rd party network.  After much grief and upset, the IPSec tunnel to the 3rd party was brought up and is now working fine.

    What I now need is to allow people in the branch office to access the public site as well, but this is not working.  Maybe the following will help to explain better ...


    Branch --> IPSec --> Head Office

    Head Office --> IPSec 3rd party --> public IP address


    Branch --> IPSec --> Head Office --> IPSec 3rd party --> public IP address

    To recap, branch to head office is fine, and head office to public IP address is also fine, but I cannot get traffic to flow from branch office to public IP address through the head office and 3rd party IPSec links.

    I'm reasonably sure I have got all the necessary routes in place on the IPSec tab on the firewall in the head office, but I cannot figure out what I have missed to get the full end to end connection to work.  I'm hoping that NAT is fine as I can get both sides of the connections to work independently.

    If I look in the logs on the head office firewall, I can see that a ping from the branch office is passed to the public IP address, which I think is the outgoing portion of the IPSec to the 3rd party, but I can't ever see anything returning.

    Any help or suggestions greatly received.


  • Maybe I could ask the question in a different way …

    The packets from the remote branch get to me over IPSec.  I then pass them to the 3rd party via IPSec also.

    At what point does NAT kick in?  Do these packets get passed back onto the IPSec to the 3rd party having been NAT'ed, or are they unNAT'ed?

    If they are unNAT'ed, then I know that the 3rd party will need to add the branch office IP address range to the phase 2 setting on their firewall.  If it is NAT'ed as soon as it hits my firewall initially, then does it masquerade as my LAN address or some other IP subnet that I don't know?  Do the branch office packets actually go anywhere near my LAN, or do they stay within the logical realm of IPSec, as per the firewall rules tab?

    Hope that makes sense to someone.
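    The question above (which phase 2 selectors the hub and the 3rd party need, and whether NAT changes the answer) can be worked through with a small model of IPsec policy selection. This is an added example, not the poster's configuration or pfSense code; all subnets, the 10.10.200.0/24 NAT pool and the selector names are constructed assumptions, and the branch firewall's own mirror entries are assumed to exist. It traces one branch-to-public packet through the hub under four selector layouts, so the two places a silent drop can occur are both visible.

```python
import ipaddress

# Constructed sample networks (not from the post). 203.0.113.0/24 is a
# documentation range standing in for the single host behind the 3rd party.
BRANCH = ipaddress.ip_network("10.20.0.0/24")
HQ_LAN = ipaddress.ip_network("10.10.0.0/16")
PUBLIC = ipaddress.ip_network("203.0.113.10/32")
NAT_POOL = ipaddress.ip_network("10.10.200.0/24")  # inside HQ_LAN; BRANCH maps 1:1 onto it

def match(selectors, local_ip, remote_ip):
    """A phase-2 SA is chosen by (local net, remote net); a packet that fits no
    pair is neither sent into nor accepted from the tunnel, regardless of routes."""
    for name, local, remote in selectors:
        if local_ip in local and remote_ip in remote:
            return name
    return None

def binat(ip, inside, outside):
    """1:1 network translation: keep the host bits, swap the prefix."""
    return outside[int(ip) - int(inside.network_address)]

def trace(hub_branch_p2, hub_3rd_p2, third_party_p2, src, dst, nat=False):
    """Follow one branch->public packet through the hub and back. hub_* selectors
    are from the head office's view, third_party_p2 from the 3rd party's view.
    Returns the hops passed, ending with the first selector miss if any."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []
    if not match(hub_branch_p2, dst, src):        # inbound: dst is 'local', src 'remote'
        return hops + [f"DROP: hub has no branch P2 for {src} -> {dst}"]
    hops.append("branch tunnel in")
    out_src = binat(src, BRANCH, NAT_POOL) if nat else src
    if not match(hub_3rd_p2, out_src, dst):       # outbound: src is 'local', dst 'remote'
        return hops + [f"DROP: hub has no 3rd-party P2 for {out_src} -> {dst}"]
    hops.append(f"3rd-party tunnel out as {out_src}")   # the hop the post's log shows
    if not match(third_party_p2, dst, out_src):   # far end applies the same pair test
        return hops + [f"DROP: 3rd party has no P2 for {dst} -> {out_src}"]
    # The reply swaps src/dst, so it matches the very same selectors on the way back.
    return hops + ["reply in", "reply to branch"]

def scenario(hub_p2_for_branch=False, third_party_knows_branch=False, nat=False):
    """Hub's branch tunnel already carries 'public<->branch' (the post's 'routes on the IPSec tab')."""
    hub_branch = [("hq<->branch", HQ_LAN, BRANCH), ("public<->branch", PUBLIC, BRANCH)]
    hub_3rd = [("hq<->public", HQ_LAN, PUBLIC)]
    third = [("public<->hq", PUBLIC, HQ_LAN)]
    if hub_p2_for_branch:
        hub_3rd.append(("branch<->public", BRANCH, PUBLIC))
    if third_party_knows_branch:
        third.append(("public<->branch", PUBLIC, BRANCH))
    return trace(hub_branch, hub_3rd, third, "10.20.0.7", "203.0.113.10", nat)
```

Without NAT the branch range has to appear in a phase 2 on both the hub's 3rd-party tunnel and the 3rd party's side; with a 1:1 translation into an address the 3rd party already accepts, only the hub changes.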

