Netgate Discussion Forum
    IPSEC Routing & NAT - Unable to get it right

    Category: IPsec (1 post, 1 poster, 222 views)

      kevinv
      last edited by kevinv

      Hi all,

      First of all I would like to mention that I am not a network expert. I work for a startup and as resources are still limited, I volunteered to give it a go, so apologies upfront if I say something stupid.

      So what does our setup look like at this moment:

      • Site A is our side
      • Site B is customer side (that we don't control)
      • An OpenVPN server is configured to have access to our LAN in Site A
        • This is in place & working, as I access the pfSense web GUI from there
      • An IPSEC tunnel between us & the customer is established
        • So we have a connected status, but are unable to get traffic through the tunnel

      pfsense.PNG

      What do we try to accomplish in this phase?

      • We try to RDP from our OpenVPN client (e.g. 10.0.8.2/24) to the remote customer 172.26.194.246/24
      • Once this works, we need to work the other way around, where the 172.26.194.246/24 host should be able to access the server at 192.168.0.x/24.

      What have we configured?

      • A route to 172.26.194.246/24 is pushed into the route table of the OpenVPN client
      • A firewall rule was added to allow any traffic from 10.0.8.0/24 to any destination
      • An outbound NAT rule is created to translate traffic from 10.0.8.0/24 to 172.26.194.246/32 into the subnet NAT address 192.168.101.8/29 (the remote only allows traffic to/from the 192.168.101.8/29 subnet)

      Important note: Our next customer would like to have a similar setup, but requires us to use a public IP in the encryption domain. So I think the setup should be similar for them, just the NAT rules should be different. Would this be a correct assumption?

      Any advice/hints on what we should adapt/check to get this up and running?
      Issues I could think of (but we are just not experienced enough to get it right):

      • Missing/wrong routes/firewall rules
      • Wrong NAT config (outbound NAT rules and/or phase NAT/BINAT)
      • Mixed use of 172.26.194.246/24 & 172.26.194.246/32 in config

      Some relevant (I believe) config screenshots:
      Note: No BINAT/NAT configured
      pfsenseIPSECConfig.PNG
      pfsenseAllowIPSEC.PNG
      pfsenseIPSECStatus.PNG

      pfsenseAllowOpenVPN.PNG
      pfsenseOpenVPNPushRoute.PNG
      Note: Although disabled here, this rule is enabled while testing (the config varies while testing, of course :)).
      Note 2: The removed "NAT address" alias is posted below this image (Round Robin with Sticky Address).
      pfsenseOutboundNat.PNG
      pfsenseOutboundNat2.PNG

      Note: An allow-all rule on LAN also exists at this time
      pfsenseAllowLAN.PNG

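One way to sanity-check the interaction the post describes between outbound NAT on the IPsec interface and the phase 2 selectors, as an added Python example that is not the poster's configuration or any pfSense code: it models pfSense's first-match outbound NAT evaluation and then asks whether the post-NAT source and the destination both fall inside the phase 2 networks, which is what decides whether a packet is selected into the tunnel at all. The selector, NAT pool and client addresses are constructed from the values given in the post; the phase 2 remote is assumed to be the single host 172.26.194.246/32.

```python
import ipaddress


def cidr(text: str) -> ipaddress.IPv4Network:
    """Parse a CIDR the way a firewall does: host bits are masked off, so
    "172.26.194.246/24" denotes 172.26.194.0/24, not a single host."""
    return ipaddress.ip_network(text, strict=False)


# Constructed from the post's description (assumption, not an exported config).
PHASE2 = {"local": cidr("192.168.101.8/29"), "remote": cidr("172.26.194.246/32")}
NAT_RULES = [
    # source, destination, translation pool (round-robin may pick any pool member)
    {"source": cidr("10.0.8.0/24"), "destination": cidr("172.26.194.246/32"),
     "translation": cidr("192.168.101.8/29"), "disabled": False},
]


def post_nat_source(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                    rules: list) -> ipaddress.IPv4Network:
    """Outbound NAT is evaluated top-down; the first enabled matching rule wins.
    Returns the network the source may be rewritten into (a /32 when untouched)."""
    for rule in rules:
        if rule["disabled"]:
            continue
        if src in rule["source"] and dst in rule["destination"]:
            return rule["translation"]
    return ipaddress.ip_network(f"{src}/32")


def diagnose(src_text: str, dst_text: str, rules: list, phase2: dict) -> dict:
    """Decide whether a flow would match the phase 2 entry after outbound NAT."""
    src, dst = ipaddress.ip_address(src_text), ipaddress.ip_address(dst_text)
    translated = post_nat_source(src, dst, rules)
    # Every address the pool can hand out must sit inside the local selector.
    local_ok = translated.subnet_of(phase2["local"])
    remote_ok = dst in phase2["remote"]
    reason = None
    if not local_ok:
        reason = "post-NAT source outside phase 2 local network"
    elif not remote_ok:
        reason = "destination outside phase 2 remote network"
    return {"post_nat_source": str(translated),
            "matches_phase2": local_ok and remote_ok, "reason": reason}


if __name__ == "__main__":
    print(diagnose("10.0.8.2", "172.26.194.246", NAT_RULES, PHASE2))
    # Same flow with the NAT rule disabled: the raw 10.0.8.2 never matches.
    print(diagnose("10.0.8.2", "172.26.194.246",
                   [dict(NAT_RULES[0], disabled=True)], PHASE2))
```

Running it with the rule disabled shows why an untranslated OpenVPN client address is silently dropped before encryption rather than sent through the tunnel; the same check applied to a LAN host (192.168.0.x) without a matching NAT rule fails in the same way.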
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.