pfsense site-to-site vti tunnel with 1:1 NAT for conflicting subnets
-
Hi All,
I have the below setup across two sites. My client laptop is on site1.
Our site2 has a conflicting subnet, 192.168.10.0/24. I need to use 1:1 NAT to access it from site1.
Something like: from site1, if I try to ping 192.168.11.0/24, it should be NATed to 192.168.10.0/24.
I tested this by creating a 1:1 NAT on the site2 pfSense:
interface - ipsec
External subnet IP - 192.168.11.0/24
Internal IP - 192.168.10.0/24
and added a static route for 192.168.11.0/24 on the site1 pfSense to send traffic to the site2 pfSense via the IPsec tunnel. Now I can ping the remote site's 192.168.10.0/24 network by pinging 192.168.11.0/24, but I cannot SSH or access any other services on the remote end.
Also note that in site2 some servers are not using pfSense as a gateway, so I had to use outbound NAT to reach those servers.
Can anyone help with this?
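An added example, not from this thread: a small Python check of the 1:1 NAT plan described above. The site2 values are the ones in the post; site1's own LAN is assumed to be 192.168.10.0/24, since the post says the subnets conflict.

```python
# Added example: sanity-check a 1:1 (binat-style) NAT plan for overlapping
# site subnets and compute the translated addresses in both directions.
import ipaddress

SITE1_LAN = "192.168.10.0/24"    # assumed: site1 LAN that conflicts with site2
SITE2_LAN = "192.168.10.0/24"    # "Internal IP" of the 1:1 NAT on site2
SITE2_ALIAS = "192.168.11.0/24"  # "External subnet IP" presented to site1

def check_binat_plan(site1_lan, site2_lan, alias):
    """Return a list of problems with mapping site2_lan <-> alias 1:1.
    An empty list means the plan is internally consistent."""
    site1_lan, site2_lan, alias = map(ipaddress.ip_network, (site1_lan, site2_lan, alias))
    problems = []
    if site2_lan.prefixlen != alias.prefixlen:
        problems.append("1:1 NAT needs equal prefix lengths")
    if alias.overlaps(site1_lan):
        problems.append("alias subnet overlaps site1 LAN; site1 hosts would route it locally")
    if alias.overlaps(site2_lan):
        problems.append("alias subnet overlaps site2 LAN itself")
    return problems

def translate(addr, src_net, dst_net):
    """Map addr in src_net to the same host offset in dst_net (what 1:1 NAT
    does to destination addresses arriving from site1, alias -> internal)."""
    addr = ipaddress.ip_address(addr)
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

def untranslate(addr, alias, internal):
    """Reverse mapping, internal -> alias, as applied to reply source addresses."""
    return translate(addr, internal, alias)

if __name__ == "__main__":
    print("problems:", check_binat_plan(SITE1_LAN, SITE2_LAN, SITE2_ALIAS))
    print("192.168.11.25 ->", translate("192.168.11.25", SITE2_ALIAS, SITE2_LAN))
```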
-
NATing on the VTI tunnels is one of the noted restrictions:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/routed-vti.html#vpn-ipsec-vti-firewall
You can only do that by applying it to the assigned interfaces, and you can only do that by switching the IPSec filter mode, which means you can no longer use policy-based IPSec tunnels.
You could just add an OpenVPN server at site2 and connect to it directly?
Steve