IKEv2 Source NAT Configuration
-
Hey,
I built an IPsec tunnel to a remote site - connecting works absolutely fine. The status for both P1 and P2 shows that the connection is established.
Now comes the tricky part (at least for me...), I am tasked with NATing the outbound traffic from our clients to the remote part of the tunnel, so that the only IP the remote site (P2) interacts with is 10.144.144.78 , but I can not seem to get the connections to work. I am more experienced with OpenVPN, but unfortunately the customer requires the connection to be IPsec, which I do not have a lot of experience on.
The setup is supposed to be like this :
Any Client from my LAN -> NAT address -> Remote Subnet behind tunnel
192.168.104.0/24 -> 10.144.144.78 -> 10.64.0.0/16

The configuration steps I tried are the following:
- Adding a virtual IP (10.144.144.78/32) as IP Alias on my WAN interface (tried LAN as well, but that did not work either.)
- Setting the P2 local subnet to 10.144.144.78/32 (pretty sure this might be wrong - but how do I do it?)
- Created an outbound NAT rule: (Source) 192.168.104.0/24 (any) -> (Destination) 10.64.0.0/16 (any) -> NAT address 10.144.144.78
I am on pfSense 2.4.5. Any input is greatly appreciated, so thanks in advance!
-
Remove the VIP and the NAT rules.
In the IPsec P2, set:
- Local Network: Network, 192.168.104.0/24
- NAT/BINAT Translation: Address, 10.144.144.78
Note that when you set that, the remote side will never be able to initiate connections back to you on 10.144.144.78, it will only work for outbound connections from 192.168.104.x to the remote side of the P2. The remote end will see a traffic source of 10.144.144.78.
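As an added illustration (not code from the thread or from pfSense), here is a small Python model of what the P2 NAT/BINAT address setting described in the answer above does: LAN sources are rewritten to the single translation address before entering the tunnel, replies are mapped back through a state entry, and a flow that the remote side initiates towards 10.144.144.78 finds no state and is dropped. The state-table layout and the function names are constructed for the example; the addresses are the ones from the thread.

```python
# Constructed model of a pfSense IPsec P2 with a 1:many NAT/BINAT address.
# Not pfSense code; it only illustrates the behaviour described in the answer.
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.104.0/24")   # P2 "Local Network"
BINAT_ADDR = ip_address("10.144.144.78")     # P2 "NAT/BINAT translation: Address"
REMOTE_NET = ip_network("10.64.0.0/16")      # P2 "Remote Network"


def negotiated_selectors():
    """Traffic selectors the remote peer must accept for this P2.

    With a BINAT address set, the tunnel is negotiated for the translated
    /32, not for the real LAN subnet, so the remote side only ever sees
    10.144.144.78/32 as the local network.
    """
    return (ip_network(f"{BINAT_ADDR}/32"), REMOTE_NET)


def make_state_table():
    # (translated src, remote dst, sport, dport) -> original client address
    return {}


def outbound(states, src, dst, sport, dport):
    """Client -> tunnel. Returns the translated (src, dst) or None if not matched."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in LOCAL_NET or dst not in REMOTE_NET:
        return None
    # Record the state so the reply can be mapped back to the real client.
    states[(BINAT_ADDR, dst, sport, dport)] = src
    return (str(BINAT_ADDR), str(dst))


def inbound(states, src, dst, sport, dport):
    """Tunnel -> LAN. Replies are untranslated; unsolicited flows are dropped."""
    key = (ip_address(dst), ip_address(src), dport, sport)
    client = states.get(key)
    if client is None:
        # No matching outbound state: the remote side cannot initiate to the
        # BINAT address, which is the caveat given in the answer.
        return None
    return (str(src), str(client))
```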
-
That seems to have done the trick. Thanks a lot!