Routed IPsec and outbound NAT



  • I am working with a provider to set up a routed IPsec tunnel on a pfSense 2.4.4 installation on AWS. We have the tunnel up and communicating and we can get traffic between the two devices. We would like to NAT outbound from our AWS VPC across the routed IPsec tunnel using a different IP address.

    In this example, we have a private subnet 10.0.100.0/24 routed through as 172.16.9.192/32 using an outbound NAT mapping when traversing the IPsec tunnel to the host at IP address 10.200.200.200.

    In the documentation for routed IPsec, it indicates:
    Firewall rule processing can be confusing, as mentioned in Routed IPsec Firewall Rules. This is still undergoing testing, but likely means that reply-to will not function. There are also known issues with NAT, notably that NAT to the interface address works but 1:1 NAT or NAT to an alternate address does not work.

    I would like clarification if this configuration will definitively not work or if there has been development since the release of the documentation that has changed.

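As an added illustration (not part of the original post or of pfSense's documentation), the two outbound NAT forms the quoted documentation distinguishes, written in the pf ruleset syntax pfSense generates for an outbound NAT mapping; the VTI interface name `ipsec1000` and the source port range are assumptions:

```pf
# Form the documentation says works on routed IPsec: translate the
# private subnet to the VTI interface's own address.
# Interface name ipsec1000 is an assumption for this example.
nat on ipsec1000 inet from 10.0.100.0/24 to 10.200.200.200 -> (ipsec1000) port 1024:65535

# Form the question asks about: translate to an alternate address
# (172.16.9.192) that is not the interface address. The documentation
# quoted above lists this as not working on routed IPsec.
nat on ipsec1000 inet from 10.0.100.0/24 to 10.200.200.200 -> 172.16.9.192/32 port 1024:65535
```

On pfSense the generated ruleset is written to /tmp/rules.debug, and `pfctl -sn` lists the NAT rules actually loaded, which is the quickest way to confirm which of the two forms is in effect.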

