NAT over ipsec
-
Hello,
I'm trying to build out some config that would allow me to port forward or NAT traffic coming in from my WAN interface and send it across an IPsec tunnel to a remote site. I have everything configured and in place, including outbound NAT rules to transform the traffic going out the IPsec interface; however, it's never making it to the other end and appears to be terminating locally on the pfSense firewall.
Anyone have any experience with a config like this?
-
The scenario here would be:
Site A:
- WAN IP: 70.10.20.3
- LAN: 192.168.1.1/24
Site B:
- WAN IP: 80.1.2.3
- LAN: 192.168.2.1/24
I need to be able to take traffic coming in to 70.10.20.3 (Site A) on ports 80 & 443 and send it to a web server in the 192.168.2.0/24 (Site B) network. As of right now the IPsec VPNs are up and I am able to ping endpoints across the tunnel, including from the opposing firewall; however, when traffic comes in I can see from the sessions that the NAT is translating the destination to the expected 192.168.2.0/24 IP address, but no packets ever try to go out the tunnel.
-
@handleric
This only works if site A is the default gateway at B. So you need to configure the P2 properly on both sites. If you don't want that, use OpenVPN.
-
@viragomann This has been configured however the traffic is never leaving site A to be sent to site B in the first place and I can't figure out why.
-
@handleric
So your IPsec phase 2 has
site A:
local: 0.0.0.0/0
remote: 192.168.2.0/24
site B:
local: 192.168.2.0/24
remote: 0.0.0.0/0
?
Ensure that you have configured the P2 on both sites accordingly. If so, you should be able to easily NAT the incoming traffic at A to e.g. 192.168.2.52, and responses should be routed back properly.
-
Thank you for the information. I did in fact have the P2 local network defined as the subnet within the local LAN, assuming the routing would have still sent the traffic across based on the destination IP and the routing table; however, that obviously didn't end up being the case. After changing the local network on the P2 from 192.168.1.0/24 to 0.0.0.0/0, the traffic started sending across the tunnel.
Thank you for the help!
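To illustrate @viragomann's point about the phase 2 selectors, here is an added example (not from the thread or from pfSense) that simulates policy-based IPsec selector matching: a port-forwarded packet keeps the Internet client's source address, so a P2 whose local side is only the LAN subnet never claims it, while 0.0.0.0/0 does. The client address 198.51.100.7 and the web server 192.168.2.52 are constructed values.

```python
"""Simulate IPsec phase 2 (SPD) selector matching for the NAT-over-IPsec case.
Added example, not pfSense code; addresses other than the thread's are constructed."""
from ipaddress import ip_address, ip_network


def matches_phase2(src, dst, p2):
    """True if a packet src->dst falls inside the P2 local/remote selectors."""
    return (ip_address(src) in ip_network(p2["local"])
            and ip_address(dst) in ip_network(p2["remote"]))


def egress(src, dst, phase2_list):
    """Policy-based IPsec consults the SPD, not the routing table: a flow goes
    into the tunnel only if some configured P2 selector pair matches it."""
    for p2 in phase2_list:
        if matches_phase2(src, dst, p2):
            return "ipsec"
    return "local"


# Site A's original P2 (local = LAN only) versus the corrected one (local = any).
SITE_A_LAN_ONLY = [{"local": "192.168.1.0/24", "remote": "192.168.2.0/24"}]
SITE_A_ANY = [{"local": "0.0.0.0/0", "remote": "192.168.2.0/24"}]
# Site B's mirror of the corrected P2, used to check the reply direction.
SITE_B_ANY = [{"local": "192.168.2.0/24", "remote": "0.0.0.0/0"}]


def forwarded_flow(client_ip, web_server="192.168.2.52"):
    """After the port forward on 70.10.20.3, the packet is client -> web server.
    A plain destination NAT leaves the source untouched, so the SPD sees the
    Internet client's address as the source."""
    return client_ip, web_server


def decide_inbound(client_ip, site_a_p2):
    src, dst = forwarded_flow(client_ip)
    return egress(src, dst, site_a_p2)


def decide_reply(client_ip, site_b_p2, web_server="192.168.2.52"):
    """Reply from the web server back to the Internet client, checked at site B."""
    return egress(web_server, client_ip, site_b_p2)


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client address
    print("LAN-only P2:", decide_inbound(client, SITE_A_LAN_ONLY))  # local
    print("0.0.0.0/0 P2:", decide_inbound(client, SITE_A_ANY))      # ipsec
    print("reply at B:", decide_reply(client, SITE_B_ANY))          # ipsec
    # LAN-to-LAN traffic matched either selector set, which is why pings worked.
    print("LAN host:", egress("192.168.1.10", "192.168.2.52", SITE_A_LAN_ONLY))
```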