<![CDATA[OVPN Client ---> PfSense ---> IPSEC ---> Server]]>I need to access an application on the other end of an IPSEC VPN through an OpenVPN client.

I don't have access on the other end of IPSEC, so I can't create a phase 2 to declare my OpenVPN network and I can't use VTI.

Attached is the network topology. I believe I will have to use a NAT, but I'm not getting it. Thanks to anyone who can help.topologia.jpeg

]]>https://forum.netgate.com/topic/171443/ovpn-client-pfsense-ipsec-serverRSS for NodeSat, 16 May 2026 06:05:20 GMTSun, 10 Apr 2022 03:29:11 GMT60<![CDATA[Reply to OVPN Client ---> PfSense ---> IPSEC ---> Server on Mon, 11 Apr 2022 14:31:23 GMT]]>@vfisher
You need also to push the route to the remote IP to the OpenVPN clients, of course.
So you have to add "172.31.17.150/32" to the "IPv4 Local Networks" in the server settings. Have you done this already?

Also ensure that firewall rules on the VPN interface allow access.

]]>https://forum.netgate.com/post/1037288https://forum.netgate.com/post/1037288Mon, 11 Apr 2022 14:31:23 GMT<![CDATA[Reply to OVPN Client ---> PfSense ---> IPSEC ---> Server on Mon, 11 Apr 2022 13:56:51 GMT]]>You are right...I don't have access to the other end, and the IT staff told me they can't set up a second phase 2.

In the case of the OpenVPN that I use to connect to the office network is a Client to Site, I tried to include a route in the client, but it didn't work either.

]]>https://forum.netgate.com/post/1037269https://forum.netgate.com/post/1037269Mon, 11 Apr 2022 13:56:51 GMT<![CDATA[Reply to OVPN Client ---> PfSense ---> IPSEC ---> Server on Mon, 11 Apr 2022 07:58:52 GMT]]>@vfisher
So you use already BINAT with quite small networks.

The options to configure an additonal BINAT depends on the phase 2 of the remote site and I suspect that you don't know it.
But since your existing P 2 translates already from a /24 to a /30 it's not an 1:1 translation anyway, but many to few.

So I think you can do the same for the VPN clients. Add an additional P 2, at Local Network state the OVPN tunnel network and do all over settings equal to the existing P 2.

]]>https://forum.netgate.com/post/1037204https://forum.netgate.com/post/1037204Mon, 11 Apr 2022 07:58:52 GMT<![CDATA[Reply to OVPN Client ---> PfSense ---> IPSEC ---> Server on Mon, 11 Apr 2022 03:06:43 GMT]]>@viragomann Thanks for your answer!

I don't know how to create an additional BINAT/PAT, I would be grateful if you could give me an example.

Here is my phase 2 configuration screen.

Thank you!phase2.png

]]>https://forum.netgate.com/post/1037183https://forum.netgate.com/post/1037183Mon, 11 Apr 2022 03:06:43 GMT<![CDATA[Reply to OVPN Client ---> PfSense ---> IPSEC ---> Server on Sun, 10 Apr 2022 08:58:48 GMT]]>@vfisher
You can add an additional BINAT / PAT phase 2 using the same local network.
How is your primary P 2 configured?

At site B there is alrealy a BINAT rule?

]]>https://forum.netgate.com/post/1037074https://forum.netgate.com/post/1037074Sun, 10 Apr 2022 08:58:48 GMT