Hello. I need to access a remote IPSec Phase 2 network from VLAN interface using routing
-
pfSense gateway configuration:
VLAN1: 192.168.1.0/24
VLAN10: 192.168.10.0/24
IPsec Phase 2:
Local network: VLAN1 net
Remote network: 172.16.0.0/16
I need to access the 172.16.0.0/16 network from VLAN10.
Attempts to configure outbound NAT to change the source address to 192.168.1.0/24 were unsuccessful, although similar NAT rules work to grant access to resources from VLAN10 to VLAN1.
Any ideas how to fix the problem?
-
@gribfk said in Hello. I need to access a remote IPSec Phase 2 network from VLAN interface using routing:
192.168.1.0
Hi
You need to create an additional phase-2 with these settings.
-
@Konstanti Thank you, I know about this, but in this case I need to create an additional phase-2 on both sites, and the remote site does not support additional phase-2 settings, so I'm looking for a NAT/routing solution.
-
No, since you use NAT/BINAT translation in the additional phase-2 settings, you don't need to change anything on the other side of the tunnel.
-
@Konstanti Unfortunately, it's not working. I guess I'm doing something wrong. Maybe it is necessary to create additional outbound NAT rules (I'm using manual mode)?
-
@gribfk
Outbound NAT rules do not work for an IPsec tunnel. Try using the address 192.168.1.1/32 instead of 192.168.1.0/24 (NAT/BINAT translation),
and check whether the 192.168.10.0/24 network has access to the remote network 172.16.0.0/16 in the firewall settings.
-
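The two NAT/BINAT translation settings discussed above (a same-size network versus a single /32 address), as an added illustration using the thread's own addresses; this is a model of the two translation modes, not pfSense's own code, and it assumes pfSense treats a network-sized translation as 1:1 BINAT and a single address as many-to-one NAT.

```python
"""Model of the two IPsec phase-2 "NAT/BINAT translation" modes from the thread.

- Translation given as a network the same size as the local network
  (192.168.10.0/24 -> 192.168.1.0/24): 1:1 BINAT, host bits are preserved.
- Translation given as a single address (192.168.1.1/32): every VLAN10
  host is translated to that one address (many-to-one NAT).

In both cases the remote peer only sees sources inside 192.168.1.0/24,
which is why its own phase-2 definition does not have to change.
Constructed example; not pfSense code.
"""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")   # VLAN10 (from the thread)
REMOTE_SEES = ipaddress.ip_network("192.168.1.0/24")  # remote peer's phase-2 selector


def translate(src: str, translation: str) -> ipaddress.IPv4Address:
    """Source address the remote peer would see for a packet from `src`
    under the given NAT/BINAT translation setting."""
    src_ip = ipaddress.ip_address(src)
    if src_ip not in LOCAL_NET:
        raise ValueError(f"{src} is not in the phase-2 local network {LOCAL_NET}")
    trans = ipaddress.ip_network(translation, strict=False)
    if trans.num_addresses == 1:
        # Single address: all local hosts share it (overload NAT).
        return trans.network_address
    if trans.prefixlen != LOCAL_NET.prefixlen:
        raise ValueError("BINAT needs a translation network the same size as the local network")
    # 1:1 BINAT: swap the network part, keep the host part.
    host_offset = int(src_ip) - int(LOCAL_NET.network_address)
    return trans.network_address + host_offset


def remote_accepts(translated: ipaddress.IPv4Address) -> bool:
    """Does the translated source match the remote side's unchanged phase-2 network?"""
    return translated in REMOTE_SEES


if __name__ == "__main__":
    for setting in ("192.168.1.0/24", "192.168.1.1/32"):
        for host in ("192.168.10.5", "192.168.10.77"):
            seen = translate(host, setting)
            print(f"{host} with NAT/BINAT {setting:15} -> {seen}  accepted={remote_accepts(seen)}")
```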
@Konstanti Tried, not working.
-
1. Show the phase-2 settings.
2. Show the output of the command ipsec statusall after the IPsec connection is established.
3. Show the firewall rules on the VLAN10 interface.
4. Show the output of the command tcpdump -netti enc0 when trying to access the 172.16.0.0/16 network.