IPSec Overlapping Subnets

  • Have a client that has 2 locations both running pfSense.

    Site A
    Site B

    It would be easier to just fix the subnets, but client wants to keep using /16 because of equipment w/ static IPs moving between the 2 locations.

    I have established an IPSec tunnel using x.x.20.0/24 and x.x.50.0/24 and able to get through to anything coded with a /24 subnet on both sides but can't get to anything with a /16 address.

    I've read through the pfSense book and searched on Google, but I haven't found a good example of how to handle the NAT/BINAT to allow the traffic to pass.


  • @schulzie00 BINAT is not so hard. The only thing that you have to take into account is that, from the point of view of the remote site, the remote net you have to supply is the one you have used in the BINAT field and not the original one on the LAN interface, so your Phase 2 configuration must use this latter one and the rules must apply to it.

    Apart from this, take into consideration that there will not be any matching rules between local IP addresses (those in the LAN net space) and BINAT addresses, so the remote site's clients would not be able to contact servers on the BINAT side unless you configure a static NAT translation too.

    Hope this helps.
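As an added illustration of the two points above (not code from the thread or from pfSense), the following Python models why a host with a /16 mask never reaches the other site and what a 1:1 BINAT does to the addresses each side sees. The addressing is constructed: both sites are assumed to share 10.0.0.0/16, with site A hosts in 10.0.20.0/24 and site B hosts in 10.0.50.0/24, and 172.16.20.0/24 / 172.16.50.0/24 are assumed as the BINAT networks. The helper names are mine.

```python
"""
Added example (not from the original thread or pfSense): models the on-link
check a host performs before deciding whether to use its gateway, and the
1:1 BINAT address translation that presents each site to the other under a
non-overlapping network. All addresses below are constructed for illustration.
"""
import ipaddress

# Constructed addressing: both sites use the same /16 (the overlap the poster
# describes). Site A hosts sit in 10.0.20.0/24, site B hosts in 10.0.50.0/24.
SHARED_NET = ipaddress.ip_network("10.0.0.0/16")
SITE_A_LAN = ipaddress.ip_network("10.0.20.0/24")
SITE_B_LAN = ipaddress.ip_network("10.0.50.0/24")

# Assumed BINAT networks: the address each LAN is shown under on the tunnel.
# They must be the same size as the LAN they replace and must not fall
# inside the shared /16, or the remote hosts would again treat them as local.
SITE_A_BINAT = ipaddress.ip_network("172.16.20.0/24")
SITE_B_BINAT = ipaddress.ip_network("172.16.50.0/24")


def is_on_link(host_ip: str, prefixlen: int, dst: str) -> bool:
    """True if a host configured as host_ip/prefixlen treats dst as directly
    connected. Such a host ARPs for dst on its own LAN instead of sending the
    packet to the pfSense gateway, so the tunnel never sees it."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    return ipaddress.ip_address(dst) in local_net


def binat_translate(addr: str, src_net: ipaddress.IPv4Network,
                    dst_net: ipaddress.IPv4Network) -> str:
    """1:1 translation: keep the host part of addr, swap the network part.
    Works in either direction, so calling it with the networks swapped
    undoes the translation."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT needs equal-size networks")
    offset = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def phase2_selectors(local_binat: ipaddress.IPv4Network,
                     remote_binat: ipaddress.IPv4Network) -> dict:
    """What the Phase 2 (and the firewall rules on the IPsec interface)
    must reference: the translated networks, not the LAN networks."""
    return {"local": str(local_binat), "remote": str(remote_binat)}


def binat_is_valid(lan: ipaddress.IPv4Network,
                   binat: ipaddress.IPv4Network) -> bool:
    """Sanity check for a chosen BINAT network against the shared /16."""
    return lan.prefixlen == binat.prefixlen and not binat.overlaps(SHARED_NET)


if __name__ == "__main__":
    # A /16 host at site A thinks a site B host is on its own wire...
    print(is_on_link("10.0.20.5", 16, "10.0.50.7"))          # True
    # ...while a /24 host correctly sends it to the gateway.
    print(is_on_link("10.0.20.5", 24, "10.0.50.7"))          # False
    # After BINAT the remote host is addressed as 172.16.50.7, which even
    # a /16 host treats as off-link.
    remote_seen = binat_translate("10.0.50.7", SITE_B_LAN, SITE_B_BINAT)
    print(remote_seen, is_on_link("10.0.20.5", 16, remote_seen))
    # Site A's Phase 2 uses the BINAT networks on both ends.
    print(phase2_selectors(SITE_A_BINAT, SITE_B_BINAT))
```

Site A's hosts must then address site B as 172.16.50.x (and site B addresses site A as 172.16.20.x), and the Phase 2 entries and IPsec firewall rules on both firewalls reference those translated networks rather than the 10.0.x.0/24 LANs.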