IPsec with NAT between pfSense and Fortigate - no ping or access from both sides



  • We have an IPsec VPN tunnel with NAT between pfSense 2.3.4 and Fortigate up and running.

    The local networks are the same (overlapping), so we use NAT.

    pfSense is managed by us and Fortigate by a partner (who defined the tunnel configuration parameters).

    However, I cannot ping or access any features on both sides.

    I believe the problem is in P2, whose configuration is as follows (for example):

    pfSense
    Local Subnet: Network 10.0.0.0/21
    NAT Local Subnet: Address 172.140.50.2/32 (yes, public IP!)
    NAT Remote Subnet: Address 172.140.60.2/32

    For testing purposes, all traffic was opened in the IPsec interface at both ends.

    What can be missing or wrong?

    The use of public IP in NAT (I believe not)?
    The difference in size of Local "real" and NAT'ed networks?
    Should I use /24 on NAT'ed networks and create a 1:1 relation on both ends?
    Should I create a VIP with the NAT'ed IP of Local Subnet (172.140.50.2/32)?
    Should I create a static route for the NAT'ed IP of Remote Subnet (172.140.60.2/32)?

    Thanks in advance for your help.



  • @marcos-lang Could you please provide screenshots from your configuration and the ipsec status pages? Especially from SAD/SPD etc?

    The use of public IP in NAT (I believe not)? > This should work without problems.

    The difference in size of Local "real" and NAT'ed networks? > If you want to NAT your Local Network into a single IP you have to choose NAT/BINAT Type "Address" and NOT Network/32.

    Should I use /24 on NAT'ed networks and create a 1:1 relation on both ends? > No

    Should I create a VIP with the NAT'ed IP of Local Subnet (172.140.50.2/32)? > No

    Should I create a static route for the NAT'ed IP of Remote Subnet (172.140.60.2/32)? > No. Routing is ignored for IPsec.
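To make the reply's point about NAT/BINAT "Address" versus "Network" concrete, here is a small added check (not code from the thread or from pfSense) that models the phase-2 selectors pfSense ends up installing and flags the mismatches discussed above; the function name and the rule set are assumptions based on the reply, not a pfSense API.

```python
import ipaddress


def check_p2_nat(local_subnet, nat_type, nat_local, nat_remote):
    """Model a pfSense phase-2 NAT/BINAT entry and return the resulting
    SPD selectors plus a list of problems (empty when consistent).

    nat_type is the pfSense NAT/BINAT translation type: "Address" hides the
    whole local subnet behind one host, "Network" is a 1:1 BINAT mapping.
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    translated = ipaddress.ip_network(nat_local, strict=False)
    remote = ipaddress.ip_network(nat_remote, strict=False)
    problems = []

    if nat_type == "Address":
        # many-to-one: the translated side must be a single host, not a network
        if translated.prefixlen != translated.max_prefixlen:
            problems.append("Address type needs a single host address")
    elif nat_type == "Network":
        # 1:1 BINAT: both sides need the same prefix length so every local host
        # maps to exactly one translated host (a /21 cannot map onto a /32)
        if translated.prefixlen != local.prefixlen:
            problems.append(
                f"Network (1:1) BINAT needs matching prefix lengths: "
                f"local /{local.prefixlen} vs NAT /{translated.prefixlen}"
            )
    else:
        problems.append(f"unknown NAT/BINAT type {nat_type!r}")

    # the translated local selector and the remote selector must not overlap,
    # otherwise the SPD cannot tell outbound from inbound traffic
    if translated.overlaps(remote):
        problems.append("translated local and remote selectors overlap")
    # the remote selector must not collide with the real local network either,
    # or packets for the partner are delivered on the LAN instead of the tunnel
    if remote.overlaps(local):
        problems.append("remote selector overlaps the untranslated local network")

    return {
        "spd_local": str(translated),
        "spd_remote": str(remote),
        "problems": problems,
    }


if __name__ == "__main__":
    # values from the question above (constructed test input)
    print(check_p2_nat("10.0.0.0/21", "Address", "172.140.50.2/32", "172.140.60.2/32"))
    print(check_p2_nat("10.0.0.0/21", "Network", "172.140.50.2/32", "172.140.60.2/32"))
```

Run it with the addresses from your own P2 entry: an empty `problems` list means the selectors are at least consistent, and the remaining suspects are the firewall rules on the IPsec interface and the partner's matching selectors, which is where the SAD/SPD screenshots help.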