IPSEC VPN WITH NAT S2S



  • Hello everyone!

First of all, thank you for your help!!!

    I am new to pfSense and need to configure an S2S VPN.

    My scenario is as follows:

    I am on the 172.16.0.0/16 network, I need to connect to the 192.168.200.0/24 network but the client has a NAT configured and so I need to leave with the ip 192.168.249.29 ...

    I was wondering how should I do this NAT, could you help me with this?


  • LAYER 8 Moderator

    @flimadigital said in IPSEC VPN WITH NAT S2S:

    I am on the 172.16.0.0/16 network, I need to connect to the 192.168.200.0/24 network but the client has a NAT configured and so I need to leave with the ip 192.168.249.29 ...

    What has your client's NAT configuration to do with a S2S tunnel you want to setup between 172.16.0.0/16 and 192.168.200.0/24? Does the client have 172.16.0.0/16 in use so you have to use some NAT or what's the reason? And what is that 192.168.249.29 address for?
    Could you please elaborate?



  • @JeGr said in IPSEC VPN WITH NAT S2S:

    192.168.249.29

    Exactly! The client uses this 172.16 network, so I need to reach the client with IP 192.168.249.29. This ip has a configured NAT that takes everything from 192.168.249.29 and plays to the network 192.168.200.0/24


  • LAYER 8 Moderator

    @flimadigital said in IPSEC VPN WITH NAT S2S:

    This ip has a configured NAT that takes everything from 192.168.249.29 and plays to the network 192.168.200.0/24

    I don't exactly understand what you mean by this but I assume the client wants your clients to connect via a single IP (192.168.249.29) so it can create firewall rules accordingly. To do that, you have to NAT your connection in your phase 2 settings.

Your client's P2:

    • local network: 192.168.200.0/24
    • remote network: 192.168.249.29/32
      etc. etc.

    Your own P2 setting:

    • local network: 172.16.0.0/16
    • NAT setting enabled with "address" selected: 192.168.249.29 (/32)
    • remote network: 192.168.200.0/24

    Hope that clears it up and I understood correctly that you want to NAT to a single IP.
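A small sanity check for the two phase 2 definitions described above, added here as an example and not part of the original thread or of pfSense itself. It uses only Python's `ipaddress` module; the addresses are the constructed values from the thread, and the assumption that a BINAT network must be the same size as the local network follows the pfSense phase 2 NAT/BINAT behaviour. It reports why the NAT is needed (the client already uses 172.16.0.0/16) and whether each side's traffic selectors mirror the other's once the NAT address is taken into account.

```python
from ipaddress import ip_network

# Constructed values from the thread: our real LAN, the single address the client
# wants to see us as, the client's LAN, and the networks the client already uses.
OUR_LAN = "172.16.0.0/16"
OUR_NAT_ADDRESS = "192.168.249.29/32"
CLIENT_LAN = "192.168.200.0/24"
CLIENT_IN_USE = ["192.168.200.0/24", "172.16.0.0/16"]

# Our phase 2 (local, NAT/BINAT, remote) and the client's phase 2 (local, remote).
OUR_P2 = {"local": OUR_LAN, "nat": OUR_NAT_ADDRESS, "remote": CLIENT_LAN}
CLIENT_P2 = {"local": CLIENT_LAN, "remote": OUR_NAT_ADDRESS}


def nat_required(our_lan, client_networks):
    """Return the client-side networks that overlap our real LAN.

    A non-empty result is the reason a NAT on phase 2 is needed: the client
    could not route to 172.16.0.0/16 through the tunnel if it uses that range itself.
    """
    lan = ip_network(our_lan)
    return [n for n in client_networks if lan.overlaps(ip_network(n))]


def phase2_issues(ours, theirs):
    """Compare the two phase 2 definitions and list mismatches.

    The network we *present* to the client is the NAT/BINAT address when one is set,
    otherwise the real local network. That presented network must equal the client's
    remote network, and our remote network must equal the client's local network.
    An empty list means the traffic selectors mirror each other.
    """
    issues = []
    local = ip_network(ours["local"])
    nat = ip_network(ours["nat"]) if ours.get("nat") else None
    presented = nat if nat is not None else local

    if presented != ip_network(theirs["remote"]):
        issues.append(
            f"client's remote network {theirs['remote']} does not match "
            f"what we present ({presented})"
        )
    if ip_network(ours["remote"]) != ip_network(theirs["local"]):
        issues.append(
            f"our remote network {ours['remote']} does not match "
            f"client's local network {theirs['local']}"
        )
    if nat is not None:
        # Assumption (pfSense BINAT behaviour): a single address overloads the whole
        # LAN behind it; a network BINAT must be the same size as the local network.
        if nat.num_addresses > 1 and nat.prefixlen != local.prefixlen:
            issues.append(
                f"BINAT network {nat} is not the same size as local network {local}"
            )
        if nat.overlaps(ip_network(theirs["local"])):
            issues.append(f"NAT address {nat} overlaps the client's local network")
    return issues


if __name__ == "__main__":
    print("NAT needed because of:", nat_required(OUR_LAN, CLIENT_IN_USE))
    print("phase 2 issues:", phase2_issues(OUR_P2, CLIENT_P2) or "none")
```

Running it as-is shows the 172.16.0.0/16 overlap that forces the NAT and no phase 2 mismatch. Dropping the `nat` entry from `OUR_P2` reproduces the common misconfiguration: we would then present 172.16.0.0/16 while the client expects 192.168.249.29/32, and no child SA would be negotiated.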

