Problem with NAT on IPSEC for Networks not in Phase2
Hello,
on my pfSense I had around 7 different networks connected and 2 IPsec tunnels.
So the IPsec tunnel had Phase 2 with the remote networks and ONE of my local networks.
If I want to reach the remote networks from the different networks attached on the pfSense, I had to make an outbound NAT. Example:
Remote - 172.16.1.0/24 (in real, there are around 17 networks on that Phase 2)
Local1 - 192.168.1.0/24
Local2 - 192.168.2.0/24
Phase 2 on IPsec is configured with 172.16.1.0/24 remote and local 192.168.1.0/24.
All communication between 172.16.1/24 and 192.168.1/24 is working as expected.
But servers in 192.168.2.0/24 must also reach something in 172.16.1/24 - so I do an outbound NAT on the IPsec interface and NAT with a 192.168.1.x IP.
But this is still not working. I see the packets from the server coming in on the 192.168.2 interface but leaving on my PUBLIC!
I tested the other direction by adding a 1:1 NAT on IPsec, NAT 192.168.1.200 to 192.168.2.200.
In that case I see the packet comes in via the IPsec interface as 192.168.1.200, leaves my pfSense interface as 192.168.2.200, reaches the server, the server answers, and the reply comes correctly in on the 192.168.2 interface and will then be routed to the public and not back to the IPsec interface.
It seems the routing decision is made BEFORE NAT - and this causes all that problem. Because before NAT it didn't know that this packet must go to the IPsec tunnel.
How to solve that problem correctly? At the moment I have a workaround - I added a Phase 2 with also 192.168.2 which is NOT defined on the other side. So it never comes up BUT helps the pfSense to have the right routing decision.
Thanks for your help.
Regards Mario
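The ordering problem the post describes, as an added illustration that is not part of the original thread: a small constructed model in which the IPsec policy match (the "routing decision") runs before outbound NAT, so a source that no Phase 2 selector covers is sent out the WAN before the NAT rule on the IPsec interface ever sees it. The Phase 2 selectors, the NAT rule and the translated address 192.168.1.254 are assumptions built from the post's example networks, not a real pfSense configuration.

```python
import ipaddress

# Constructed model of the post's setup: only Local1 (192.168.1.0/24) is in
# the Phase 2 selector, Local2 (192.168.2.0/24) is supposed to reach the
# remote network through an outbound NAT on the IPsec interface.
PHASE2 = [("192.168.1.0/24", "172.16.1.0/24")]  # (local selector, remote selector)
# Outbound NAT on the IPsec interface: Local2 sources are translated to an
# assumed address inside the Phase 2 local selector.
OUTBOUND_NAT = [("192.168.2.0/24", "172.16.1.0/24", "192.168.1.254")]


def in_net(net, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def select_interface(src, dst, phase2):
    """Policy-based IPsec: the tunnel is chosen only if the pre-NAT
    (src, dst) pair matches a Phase 2 selector, otherwise the default route."""
    for local, remote in phase2:
        if in_net(local, src) and in_net(remote, dst):
            return "ipsec"
    return "wan"


def apply_outbound_nat(src, dst, iface, nat_rules):
    """NAT rules are bound to an interface; a rule on 'ipsec' never fires for a
    packet the earlier decision already sent to 'wan'."""
    if iface != "ipsec":
        return src
    for src_net, dst_net, translated in nat_rules:
        if in_net(src_net, src) and in_net(dst_net, dst):
            return translated
    return src


def forward(src, dst, phase2=PHASE2, nat_rules=OUTBOUND_NAT):
    """Return (egress interface, source address as it leaves the box)."""
    iface = select_interface(src, dst, phase2)            # decided first ...
    new_src = apply_outbound_nat(src, dst, iface, nat_rules)  # ... NAT afterwards
    return iface, new_src


def peer_accepts(src_on_wire, dst, phase2):
    """The remote side only accepts traffic whose source falls in a selector
    it knows about, i.e. the real Phase 2, not the workaround entry."""
    return any(in_net(l, src_on_wire) and in_net(r, dst) for l, r in phase2)
```

Adding a second Phase 2 entry for 192.168.2.0/24, as the workaround does, makes `select_interface` pick the tunnel so the NAT rule is reached and the packet leaves with a source the real Phase 2 covers.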