Mobile client/site-to-site VPN tunnel NAT issue



  • !!! See below -- I ended up using a different solution to get this sorted out.

    Hi everyone,

    I am trying to add configuration to an existing pfsense appliance we've had working for quite a while as a run-of-the-mill VPN gateway for one of our developer teams. Specifically, we want to allow dev team members to access this remote client network when working from home.

    I am having trouble getting the mobile clients access to the remote client network. I have no control over the remote client network's end of the tunnel or its configuration, so we have to get our mobile clients connected from our end, and then have the pfsense gateway facilitate connectivity between the mobile clients and the remote client network.

    On our end, local clients connected from within the office are on network 192.168.173.0/24. Mobile clients are given addresses from virtual IP pool 172.20.60.0/24. NAT automatically creates rules for the mobile client network so traffic from the mobile clients is NAT'd down to the LAN address of the pfsense appliance itself, or for outbound to the internet, the WAN address. Internet connectivity and access to the 192.168.173.0/24 network is working fine for mobile clients. However, access to the remote network is not working quite right.

    If I ping a host on the remote client network (say, 10.10.200.2) as a mobile client, the traffic I see looks like this:
    172.20.60.1 -> NAT translated to 192.168.173.9 (the pfsense appliance LAN address)
    192.168.173.9 icmp ping to 10.10.200.2
    10.10.200.2 icmp ping reply to 192.168.173.9

    And then that's it. The traffic goes no further. It doesn't disappear out the WAN or LAN interface seemingly mis-routed anywhere else, nor do I see any further progression on the IPsec interface when doing packet captures.

    The tunnel to the remote client network only expects traffic from us via the 192.168.173.0/24 network. So this add-on to support mobile clients, without having the client modify their end of the tunnel, requires that the mobile client traffic appears to come from the 192.168.173.0/24 network. As such, I can't change the NAT to simply route mobile clients directly over the site-to-site VPN tunnel and expect it to work.

    I've combed over a few similar examples here on the forums to find a solution, but I can't seem to find the right one for my use case. Does anyone have any suggestions? I can provide specific configuration info if you need it.

    Thank you.



  • Ultimately what I ended up doing here was taking the 192.168.173.0/24 network, throwing it out, and using NAT in the phase 2 rules for the site-to-site tunnel such that remote clients on the 172.20.60.0/24 network and those on the newly christened 192.168.75.0/24 network will simply appear as one peer to the remote end -- 192.168.173.10

    This was enough to get my remote clients and local clients talking to the end of the tunnel I cannot control. It matters not to me if the traffic appears to come from one address, although it would have been better to not have to tear down an entire network to make it work.

    Anywho, I consider this worked around.
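    The translation described above, written out as the equivalent pf NAT rules and IPsec traffic selectors (an added illustration, not the poster's configuration or the ruleset pfSense generates; the remote subnet 10.10.200.0/24 is taken from the first post, while the enc0 interface name and the swanctl-style selector lines are assumptions):

```pf
# Assumed equivalent of the Phase 2 NAT/BINAT setting described in the post
# (illustration only, not pfSense's actual generated rules).
# Both local networks are translated to the single address 192.168.173.10 before
# ESP encapsulation, so the peer only ever sees 192.168.173.10 and its unchanged
# Phase 2 selector (192.168.173.x <-> 10.10.200.0/24) still matches.
# Interface name enc0 and remote subnet 10.10.200.0/24 are assumptions.
nat on enc0 from 192.168.75.0/24 to 10.10.200.0/24 -> 192.168.173.10   # office LAN (renumbered)
nat on enc0 from 172.20.60.0/24  to 10.10.200.0/24 -> 192.168.173.10   # mobile client pool

# The traffic selectors negotiated with the peer must cover the translated
# address rather than the real local networks (swanctl-style notation, assumed):
#   local_ts  = 192.168.173.10/32
#   remote_ts = 10.10.200.0/24
```

    A packet capture on the IPsec interface should then show only 192.168.173.10 as the source toward the peer, for office and mobile clients alike.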

