Strange behaviour with an IPSec tunnel (site-to-site) and Outbound NAT

  • Hi there,

    I'm facing a strange phenomenon and do not currently have any clue how to get further there.
    Maybe one of you guys can help me here.

    Please let me describe my setup first.
    There are two networks: mine and the network of another company.
    I would like to access one (or a few) devices in the other company's network with each of my devices but I would like to hide my internal networking structure from them.

    My network consists of many devices with IP addresses in the range
    The network is connected to the internet using a router which must not build the VPNs.
    I added a pfSense ( to the router's DMZ ( which should take care of the IPSec stuff.

    The router has several connections:

    • one internet connection (some fixed IPv4 address)
    • one connection ( to the internal LAN (
    • one connection to the DMZ (as shown above)

    The pfSense is configured to make Outbound NAT so that all the packets coming from should have their source address rewritten to (This should make sure the external company does not see anything from my internal network structure.)

    The pfSense creates an IPSec tunnel to another pfSense in the other company's LAN. Let's say it has the IP address The remote network be
    The target device I would like to get access to is

    An example device PC1 ( in my internal network would now like to contact the target

    What works up to now:

    • the tunnel is up
    • the packets arrive at
    • they seem to come from (so the Outbound NAT seems to work fine, too)
    • ping works from
    • ping works from
    • ping works from

    What does not work:

    • ping from (just the other interface of the Internet router)
    • ping from

    In the last test (ping from I can see the packets arrive on
    Then they are sent back to the source address (which is NATted) and the packets get back through the tunnel until they arrive at my local pfSense ( and are not sent further anymore.
    It seems as if the pfSense "forgot" which NAT translation it made some milliseconds ago and now cannot match the packets to any entry in the NAT table.

    Does anyone have a clue what might be wrong here?
    (Btw., the same also happens when using TCP packets. A "telnet 80" produces the same results...)

    I know that it might be confusing what I just now wrote, but maybe the attached picture can help better understand my scenario...


    Best regards,
