IPSEC Routing & NAT - Unable to get it right

  • Hi all,

    First of all I would like to mention that I am not a network expert. I work for a startup and as resources are still limited, I volunteered to give it a go, so apologies upfront if I say something stupid.

    So what does our setup look like at this moment:

    • Site A is our side
    • Site B is customer side (that we don't control)
    • An OpenVPN server is configured to have access to our LAN in Site A
      • This is in place & working as I access the pfsense webgui from there
    • An IPSEC tunnel between us & the customer is established
      • So we have a connected status, but are unable to get traffic through the tunnel


    What do we try to accomplish in this phase?

    • We try to RDP from our OpenVPN client (e.g. ) to the remote customer
    • Once this works, we need to work the other way around, where the host should be able to access the server at 192.168.0.x/24.

    What have we configured?

    • A route to is pushed into the route table of the OpenVPN client
    • A firewall rule was added to allow any traffic from to any destination
    • An outbound NAT rule is created to translate traffic from to into subnet nat address (the remote only allows traffic to/from the subnet)

    Important note: Our next customer would like to have a similar setup, but requires us to use a public IP in the encryption domain. So I think the setup should be similar for them, just the NAT rules should be different. Would this be a correct assumption?

    Any advice/hints on what we should adapt/check to get this up and running?
    Issues I could think of (but we are just not experienced enough to get it right):

    • Missing/wrong routes/firewall rules
    • Wrong NAT config (outbound nat rules and/or phase NAT/BINAT)
    • Mixed use of & in config

    Some relevant (I believe) config screenshots:
    Note: No BINAT/NAT configured

    Note: Although disabled, this rule is enabled while testing (config varies while testing, of course :)).
    Note 2: The removed "NAT address" alias is posted below this image. (Round Robin with Sticky address)

    Note: An allow all on lan exists also at the time
