IPsec P2 manual NAT possibility?

  • LAYER 8 Moderator


    we have the very "nice" situation, that we have to create an IPSEC tunnel with given parameters that aren't changable. Don't ask... it's a looong story but it breaks down to the configuration on the other side is given and worked (Cisco ASA) in the past, so should now work again 🙄


    • eight servers have to be reachable via IPSEC tunnel from a service provider
    • local side has a 172-style network with /16 netmask. Problem is: their servers are on .1 of various "subnets" e.g.,, etc. etc. so the servers aren't in a way "graspable" by a simple CIDR assignment.
    • remote side is completely fixated on handing us two IPSEC P2, each with a /30 IP assignment
    • They want to reach 8 servers (.80.1 - .87.1) via their 2x /30 netmasks which are some 10/x addresses ( and .128/30)

    In the old ASA times ASA config mapped those two /30 blocks as single IPs to the corresponding internal 172-style server IPs.
    With pfSense and in IPSec P2 GUI I only have the possibility to do

    • one host per IP (e.g. mapping, -> .81.1 to .125 etc.)
    • map network to network

    Both possibilities won't match the two P2s defined on the remote ASA by the service provider. As they can't change to config (internal reasons) and we need them to access the systems, we are in a bit of bind.

    Is it possible to define

    • two P2 phases with .124/30 and .128/30 as the "local" network to comply with their ASA
    • do some 1:1 NAT mapping to map .124 -> .80.1, .125 -> .81.1 etc and single them out?

    I tried that in a simple test setting and set it up first with a simple "local BINAT" setting in a lab to check, what NAT/RDR rules pfSense would create. Checked the test tunnel and could ping a target NATted that way. No surprise there.
    Then I removed the BINAT in Phase 2 and simply configured "local" and created a manual 1:1 rule that - checking in /tmp/rules.debug - is exactly the same as the other configuration above. But with that NAT rule, it wouldn't work. Filter rules with any to any etc. are in place as this was a simple lab test if it's possible at all.

    So the question: can I manually NAT the IPSEC Phase 2 to do some "crude" configuration that isn't possible to configure in the IPSEC P2 GUI like above? What were we missing? Do we need another NAT (outbound) or are the P2 routes the problem?

    Thanks in advance for any hint

Log in to reply