NAT / IPSec - Several sites interconnection puzzle



  • Hello,
    I have the following scenario and I’m completely stuck on how to solve this puzzle. I’ll try to simplify the case and stay macro as the bellow topology cannot be changed because of business restrictions.
    We have two LANs in two different sites. SITE 1 and SITE 2 are connected through these two firewalls, FW1 and FW2 using an IPSEC tunnel. All routing works just fine, both sites can communicate seamless.

    SITE 1: 10.100.1.0/24
    Default Gateway: FW1 - 10.100.1.1 (full internet connectivity)
    This is an old IPCOP and can’t be upgraded/changed/substituted at the moment.

    SITE 2: 10.99.1.0/24
    Default Gateway: FW2 - 10.99.1.1 (full internet connectivity)
    PFSense 2.4.4

    So this is my present scenario and it works well.

    0_1541008815983_VPN Scenario-Page-2.png

    Now we need to provide a client access to a resource on SITE 2 through an IPSEC tunnel and this tunnel needs to stay on SITE 1 for business reasons. For several reasons the client can’t establish the VPN connection with the IPCOP so I added another firewall to the scenario (FW3).
    So now we have this scenario.

    0_1541008931666_VPN Scenario-Page-3.png

    As this is the first time I deal with case like this, I'm very confused with the options and how to achieve this with PFSense.

    I’m trying to have the packets arriving SITE 1 through the tunnel established between the client and FW3 to have some kind of source NAT so they can “belong” to the network 10.100.1.0/24 so they could be routed seamless to SITE 2. Is this possible? What is the best practice (if there is one) for this case? How FW3 should be configured for this scenario?
    FW1 is almost immutable, so the chances to have something changed there are very small.
    I really appreciate your help.
    Regards,
    Bruno



  • Any one?