NAT server IPs into IPSEC subnet

  • At a site I have the following situation:

    customer bought the company, right now transition phase: server LAN untouched and not yet under our administrative control.
    We created a new client LAN: pfsense with OPT1 in server LAN, they added a route, new Thin Clients access servers. Works.

    On pfsense there exist IPSEC-Tunnels, one of them connected to a remote service provider. This tunnel only routes the one subnet that we now use as LAN.
    The remote provider refuses to add a 2nd phase2-definition to the tunnel.

    Now I have to prepare for day X when the servers data has to be transferred to that provider. Right now I can't copy data from the servers directly to the remote site (at least I think so, I don't have access to the servers yet).

    We thought of some NATting on pfsense: rewrite the servers adresses on OPT1 when they should leave via IPSEC interface.

    Do I think too complicated, what is the best way to connect server LAN to remote IPSEC site without being able to route the server LAN itself via IPSEC?

    Thanks for any pointers, Stefan

  • trying a test while users are away for the weekend ;-)

    I assume I would have to use a 1:1 SNAT ?

    Trying to get a ping to work from the pfsense to the OPT1 LAN via a mapped IP.

    The server in the OPT1-LAN has

    I want to map it to in the LAN.

    Trying the 1:1 rule on various interfaces but I don't get a ping back.

    What do I misunderstand here?

Log in to reply