NATted through IPSec



  • Hi!

    pfSense has 192.168.0.1/24 on my LAN; clients use 0.2, 0.3 and so on.

    I had to set up an IPsec tunnel to a remote site for a special application the users need.
    The tunnel is up and working; the IPs are:

    My net: 172.25.99.64/28, remote net: 172.25.0.0/18.

    For this to work I had to set up a second IP on my LAN interface, 172.25.99.65, and currently I'm also giving the
    clients in my LAN an IP, i.e. 172.25.99.66, .99.67 and so on, to make them connect to the remote net.

    Now I want to leave the clients with one LAN IP, e.g. 192.168.0.100, and have this NATted over to the remote net
    as 172.25.99.65.

    I've tried to add a static rule, but when I ping from a client in the 192.168.0.x net pfSense replies with "TTL exceeded".

    Does anyone have an idea how I can get my local clients on the LAN NATted over to the remote net?



  • There was a bounty posted for this feature:

    http://forum.pfsense.org/index.php/topic,14650.0.html

    But it seems to have just about petered out due to lack of interest…



  • Hmm, interesting... I wonder why there is so little interest in that. It should be a main feature, as I have no chance of changing my or the other subnet.

    So, for my understanding, this is my current sainfo in racoon.conf:

    sainfo address 172.25.99.64/28 any address 172.25.0.0/18 any {
            encryption_algorithm rijndael 256;
            authentication_algorithm hmac_sha1;
            compression_algorithm deflate;
            pfs_group 2;
            lifetime time 86400 secs;
    }

    All I'd need to do is add something like this below?

    sainfo subnet 192.168.0.0/24 any address 172.25.0.0/18 any
    {

    }

    Or am I thinking wrong here?
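The mapping the first post asks for, written as an added pf.conf example that is not from this thread and not something pfSense generated: a many-to-one source NAT of the 192.168.0.0/24 LAN onto 172.25.99.65 for traffic bound to 172.25.0.0/18, so that the packet reaching the IPsec policy already carries a source inside the 172.25.99.64/28 selector of the existing sainfo shown in the post above, and no second sainfo for 192.168.0.0/24 is needed. The interface names em0/em1 and the macro names are assumptions. So is the ordering requirement the whole idea rests on: pf has to translate the packet before the kernel's SPD lookup, which the thread does not confirm for the pfSense release in question and which has to be verified on the box.

```pf
# Added example, not taken from the thread or generated by pfSense.
# Goal: hosts in 192.168.0.0/24 reach 172.25.0.0/18 through the IPsec
# tunnel while appearing as 172.25.99.65, which lies inside the
# 172.25.99.64/28 selector of the existing racoon sainfo.
#
# Assumptions: em0 is LAN, em1 is WAN; pf applies this translation before
# the kernel's IPsec policy (SPD) lookup. If it does not, the untranslated
# 192.168.0.x packet never matches the tunnel selector; verify with a
# packet capture on the remote side before relying on this.

lan         = "em0"              # assumed LAN interface
wan         = "em1"              # assumed WAN interface
lan_net     = "192.168.0.0/24"   # the clients' only address
ipsec_local = "172.25.99.64/28"  # local selector from the sainfo
nat_ip      = "172.25.99.65"     # the LAN interface's second IP
remote_net  = "172.25.0.0/18"    # remote selector from the sainfo

# pf uses the FIRST matching translation rule, so both rules below must
# come before the general outbound NAT rule ("nat on $wan ... -> ($wan)")
# that the firewall already has, otherwise that rule rewrites the source
# to the WAN address and the packet leaves the selector entirely.

# Hosts that still carry a 172.25.99.x address already match the
# selector; leave them untouched.
no nat on $wan from $ipsec_local to $remote_net

# Everybody else on the LAN is folded onto the single selector address.
nat on $wan from $lan_net to $remote_net -> $nat_ip

# Filter rules are evaluated after translation, so the outbound rule
# must match the translated source, not 192.168.0.x.
pass in  quick on $lan inet from $lan_net     to $remote_net keep state
pass out quick on $wan inet from $ipsec_local to $remote_net keep state
```

After loading, `pfctl -s nat` should list the two translation rules ahead of the general outbound NAT rule, and `pfctl -s state` should show a state mapping 192.168.0.100 to 172.25.99.65 once a client sends traffic; `setkey -DP` confirms that the outbound SPD entry still selects on 172.25.99.64/28 as the sainfo does. One limitation inherent to many-to-one NAT, independent of how it is implemented: the remote side can only initiate connections to 172.25.99.65, i.e. to the firewall, never to an individual client, and the pfSense side has no record of which client a remote-initiated packet is meant for.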



  • @hessie:

    I wonder that there is so little interested for that.

    I think there's a lot of interest in NAT over VPN, but those of us who are interested don't bother posting. We look to see if it is supported and, if not, we call up and order a router that has it. "natip", as Fortinet uses it, is an essential feature for getting into big installations where conforming is not an option. I have no chance of dictating policy to large companies.

    Fortinet Outbound NAT examples

