Netgate Discussion Forum
    Hello. I need to access a remote IPSec Phase 2 network from VLAN interface using routing

gribfk (last edited by gribfk):

pfSense gateway configuration:
    VLAN1:  192.168.1.0/24
    VLAN10: 192.168.10.0/24

IPsec Phase 2:
    Local network:  VLAN1 net
    Remote network: 172.16.0.0/16

I need to access the 172.16.0.0/16 network from VLAN10.

Attempts to configure outbound NAT to change the source address to 192.168.1.0/24 were unsuccessful, although similar NAT rules work to grant access to resources from VLAN10 to VLAN1.

Any ideas how to fix the problem?

Konstanti, replying to gribfk (last edited by Konstanti):

@gribfk said in "Hello. I need to access a remote IPSec Phase 2 network from VLAN interface using routing":

    192.168.1.0

Hi,
you need to create an additional phase 2 with these settings:

[screenshot of the suggested Phase 2 settings, not reproduced]

gribfk, replying to Konstanti:

@Konstanti Thank you, I know about this, but in this case I need to create an additional phase 2 on both sites, and the remote sites do not support additional phase-2 settings, so I'm looking for a NAT/routing solution.

Konstanti, replying to gribfk (last edited by Konstanti):

@gribfk

No, since you use NAT/BINAT translation in the additional phase 2 settings, you don't need to change anything on the other side of the tunnel.

[screenshot of the Phase 2 settings with NAT/BINAT translation, not reproduced]

gribfk, replying to Konstanti (last edited by gribfk):

@Konstanti Unfortunately, it's not working. I guess I'm doing something wrong. Maybe it is necessary to create additional outbound NAT rules (I'm using manual mode)?

Konstanti, replying to gribfk (last edited by Konstanti):

@gribfk
Outbound NAT rules do not work for an IPsec tunnel. Try using the address 192.168.1.1/32 instead of 192.168.1.0/24 (NAT/BINAT translation),
and check that the 192.168.10.0/24 network has access to the remote network 172.16.0.0/16 in the firewall settings.

gribfk, replying to Konstanti:

@Konstanti Tried it, not working.

Konstanti, replying to gribfk:

@gribfk

1. Show the phase 2 settings.
2. Show the output of the command ipsec statusall after the IPsec connection is established.
3. Show the firewall rules on the VLAN10 interface.
4. Show the output of the command tcpdump -netti enc0 when trying to access the 172.16.0.0/16 network.

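The following is an added example, not code from the thread, pfSense or strongSwan. It is a deliberately simplified model of the point Konstanti makes: a packet only enters a policy-based IPsec tunnel if its source and destination fall inside a negotiated Phase 2 selector, ordinary outbound NAT never gets a say in that decision, and the Phase 2 NAT/BINAT translation rewrites the source before the selector is consulted, so the peer only ever sees the translated network. It also parses a constructed `ipsec statusall` fragment (diagnostic step 2 above) to show why the VLAN10 address itself will never appear in the negotiated selectors, only the translated one. Everything in it is an assumption of mine: the `Phase2` class, `tunnel_path`, `translate`, `parse_selectors`, the sample addresses and the sample status output.

```python
"""Simplified model (added example, not pfSense or strongSwan code) of how a
packet is matched against IPsec Phase 2 traffic selectors, with and without
the Phase 2 NAT/BINAT translation discussed in the thread.

Assumptions, all mine:
  - A packet enters the tunnel only if (src, dst) falls inside a Phase 2
    selector; there is no outbound-NAT stage anywhere in this path.
  - Phase 2 NAT/BINAT rewrites the source before that check, so the peer
    sees only the translated network as our local selector.
  - STATUSALL_SAMPLE is constructed to mimic strongSwan's `ipsec statusall`
    selector line ("name{n}:   local === remote"); it is not real output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

# Constructed sample: one CHILD_SA for the thread's original Phase 2.
STATUSALL_SAMPLE = """\
Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 27 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9b1a2f3_i 1d2e3f40_o
     con1000{5}:   192.168.1.0/24 === 172.16.0.0/16
"""

# Matches only the selector line of a CHILD_SA: "name{id}:   local === remote"
SELECTOR_RE = re.compile(r"^\s*\S+\{\d+\}:\s+(\S+) === (\S+)\s*$")


def parse_selectors(statusall: str):
    """Extract (local_ts, remote_ts) for each installed CHILD_SA (diagnostic step 2)."""
    pairs = []
    for line in statusall.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            pairs.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))))
    return pairs


def tunnel_covers(src: str, dst: str, selectors) -> bool:
    """True if some negotiated selector pair admits this (src, dst) flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in selectors)


@dataclass
class Phase2:
    local: IPv4Net                  # "Local Network" field
    remote: IPv4Net                 # "Remote Network" field
    nat: Optional[IPv4Net] = None   # "NAT/BINAT translation" field, if set

    def presented_local(self) -> IPv4Net:
        """The local selector the peer is asked to accept."""
        return self.nat if self.nat is not None else self.local


def translate(src: ipaddress.IPv4Address, p2: Phase2) -> ipaddress.IPv4Address:
    """Apply the Phase 2 NAT/BINAT translation to a source address."""
    if p2.nat is None:
        return src
    if p2.nat.prefixlen == 32:
        # Single address: many-to-one NAT, every VLAN10 host becomes this one IP.
        return p2.nat.network_address
    # Equally sized network: BINAT, a 1:1 mapping that preserves the host bits.
    if p2.nat.prefixlen != p2.local.prefixlen:
        raise ValueError("BINAT needs equally sized local and translated networks")
    offset = int(src) - int(p2.local.network_address)
    return ipaddress.ip_address(int(p2.nat.network_address) + offset)


def tunnel_path(src: str, dst: str, phase2s):
    """Return (translated_src, local_selector, remote_selector) if some Phase 2
    accepts the packet, else None (it is routed normally, never encrypted)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p2 in phase2s:
        if s in p2.local and d in p2.remote:
            return translate(s, p2), p2.presented_local(), p2.remote
    return None


# The thread's configurations (constructed from the posts above).
ORIGINAL = [Phase2(IPv4Net("192.168.1.0/24"), IPv4Net("172.16.0.0/16"))]
BINAT_FIX = ORIGINAL + [Phase2(IPv4Net("192.168.10.0/24"), IPv4Net("172.16.0.0/16"),
                               nat=IPv4Net("192.168.1.0/24"))]
NAT32_FIX = ORIGINAL + [Phase2(IPv4Net("192.168.10.0/24"), IPv4Net("172.16.0.0/16"),
                               nat=IPv4Net("192.168.1.1/32"))]

if __name__ == "__main__":
    sels = parse_selectors(STATUSALL_SAMPLE)
    print("negotiated selectors:", [(str(l), str(r)) for l, r in sels])
    for label, cfg in (("original", ORIGINAL), ("binat /24", BINAT_FIX), ("nat /32", NAT32_FIX)):
        print(f"{label:>10}: 192.168.10.5 -> 172.16.1.1 =>", tunnel_path("192.168.10.5", "172.16.1.1", cfg))
    print("VLAN10 source visible in statusall?", tunnel_covers("192.168.10.5", "172.16.1.1", sels))
    print("translated source visible?        ", tunnel_covers("192.168.1.5", "172.16.1.1", sels))
```

With only the original Phase 2, a VLAN10 packet matches nothing and leaves unencrypted via the normal route, which is why the outbound NAT rule gribfk tried has no effect. With the extra Phase 2 carrying a /24 BINAT, the same packet is rewritten to 192.168.1.x and the selector offered to the peer is the 192.168.1.0/24 === 172.16.0.0/16 pair it already has, which is Konstanti's reason the far side needs no change; with the /32 variant the source becomes 192.168.1.1 and the offered local selector is the narrower 192.168.1.1/32. When reading `ipsec statusall`, look for the translated network in the selector lines, not the VLAN10 one.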
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.