VPN site-to-site problem with NAT



  • Hello.
    For a VPN site-to-site IPsec/3DES between (local side) pfSense 1.2 and (remote side) a Cisco router: the remote side's requirement is that all packets coming from my local LAN have to be NATed to a fixed IP address/32.
    I already tested NATing all of the LAN subnet to a virtual IP (the one permitted by the remote site), but the IPsec tunnel couldn't be established properly.

    • If it is possible, how can I configure pfSense?
      - Is it possible to get the tunnel established if I make an outbound NAT of all my LAN subnet to a virtual IP?

    :-[

    Thanks a lot.



  • Did I understand you correctly that you want to NAT into the VPN tunnel?
    This is currently not possible.



  • @GruensFroeschli:

    Did I understand you correctly that you want to NAT into the VPN tunnel?
    This is currently not possible.

    Thanks for your quick response.

    The thing is, that was my first test and approach. If it is not possible to do NAT, what do you suggest,
    taking into consideration that the remote side only brings up the tunnel and permits access if the source packets come from a fixed given IP address x.x.x.x/32?



  • I had the same problem. I solved it in another (very unclean and insecure) way.
    Just now I was looking around for some suggestion :-(

    Anyway, this is my solution:

    You keep in your LAN a PC with the fixed IP address and choose a netmask and gateway
    (e.g. 10.1.1.1/30, gw 10.1.1.2).
    Assign the gw IP as the first address of the firewall LAN interface.
    Assign to the same interface a second IP address for the other LAN clients, and configure firewall and NAT rules accordingly (looking around you can find a step-by-step document about it).
    Create the tunnel as usual; then you can connect (only) from the PC to the remote LAN.

    Ugly but working.
    If someone has a better idea….
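As an added illustration (not code from the thread or from pfSense), the following Python model shows why the first attempt and the workaround above behave differently: IKE phase 2 only completes when each side's "local subnet" equals the peer's "remote subnet", so a remote side that insists on a /32 cannot be satisfied by proposing the whole LAN and NATing afterwards, while carrying only the fixed host's /32 matches. All addresses (192.168.1.0/24 LAN, 10.1.1.1 fixed host, 172.16.0.0/24 remote LAN) are constructed, and the fixed host's phase 2 selector being exactly /32 is an assumption.

```python
# Added example: a small model of IKE phase 2 traffic selectors.
# Addresses are constructed; 10.1.1.1/32 as the phase-2 local selector is assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    local: ipaddress.IPv4Network   # "Local subnet" as seen by this side
    remote: ipaddress.IPv4Network  # "Remote subnet" as seen by this side


def selectors_agree(ours: Phase2, theirs: Phase2) -> bool:
    """Phase 2 completes only if each side's local equals the peer's remote."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def sa_for(src: str, dst: str, policies):
    """Return the phase-2 policy whose selectors cover this packet, or None.
    A packet with no matching policy is never carried by the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in policies if s in p.local and d in p.remote), None)


# What the Cisco side is configured to accept: its own LAN, and our fixed /32.
CISCO = Phase2(ipaddress.ip_network("172.16.0.0/24"),
               ipaddress.ip_network("10.1.1.1/32"))

# First attempt: propose the whole LAN and hope outbound NAT fixes the source.
WHOLE_LAN = Phase2(ipaddress.ip_network("192.168.1.0/24"), CISCO.local)
# Workaround: the fixed host's /32 is the only local network the tunnel carries.
FIXED_HOST = Phase2(ipaddress.ip_network("10.1.1.1/32"), CISCO.local)


def evaluate(ours: Phase2, src: str) -> str:
    """Summarise what happens to a packet from src towards the remote LAN."""
    if not selectors_agree(ours, CISCO):
        return "phase 2 fails: selectors do not match"
    if sa_for(src, "172.16.0.10", [ours]) is None:
        return "no SA for this source"
    return "tunnelled"


if __name__ == "__main__":
    for name, pol, src in [("whole LAN", WHOLE_LAN, "192.168.1.50"),
                           ("fixed host", FIXED_HOST, "10.1.1.1"),
                           ("other client", FIXED_HOST, "192.168.1.50")]:
        print(f"{name:12s} {src:14s} -> {evaluate(pol, src)}")
```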

