    NAT Not Working with IPsec Tunnel

    IPsec
    jacksongrow (last edited by jacksongrow)

      I have a Site-to-Site IPsec tunnel set up that requires remote traffic to only come from one IP (172.16.12.1, for example). In pfSense, I have the "Local Network" option set to 172.16.12.1 and the remote network is 172.16.102.0/24. I have a Virtual IP set to 172.16.12.1. If I ping with 172.16.12.1 as the source address, it is successful.

      When I create a NAT rule to translate traffic going to 172.16.102.0/24 to 172.16.12.1, with the Translation Address set to the same Virtual IP (172.16.12.1), pfTop shows the traffic IS getting translated to 172.16.12.1, but it does not go through the IPsec tunnel. I confirmed this by watching the "Packets-Out" value, and it doesn't change. However, if I use the ping tool in Diagnostics and set the Source Address to the Virtual IP 172.16.12.1, it works and "Packets-Out" reflects that.

      Why isn't my translated traffic going through the IPsec tunnel but the ping tool set to the Virtual IP is?

      jacksongrow (last edited by)

        I was finally able to solve this by:

        Setting my Local Network as my actual local network rather than the Virtual IP in the Ph2 config. Then, I set the NAT/BINAT translation option to what the required source IP must be for the IPsec tunnel. Didn't even need Virtual IP or NAT rules for any of it 🥴

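A small model of the two configurations from this thread, added here as an illustration and not part of the original posts or of pfSense's own code. It assumes (my simplification, not stated in the thread) that the IPsec policy lookup is keyed on the packet's original source address, so a separate firewall NAT rule is not visible to it, while the Phase 2 NAT/BINAT option translates the source only after the policy has selected the packet; the LAN 192.168.1.0/24 and the host addresses are constructed for the example.

```python
"""Model of IPsec policy selection vs. source NAT, with the thread's addresses.

Assumption (simplified, not from the thread): policy lookup uses the ORIGINAL
source address.  A plain outbound NAT rule only rewrites packets that the
policy did not select, which matches what pfTop showed: translated, but no
ESP leaving the tunnel.  The Phase 2 "NAT/BINAT translation" instead installs
a policy for the real local subnet and rewrites the source on the way in.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    local: IPv4Network                        # Phase 2 "Local Network"
    remote: IPv4Network                       # Phase 2 "Remote Network"
    nat_local: Optional[IPv4Address] = None   # Phase 2 "NAT/BINAT translation"


def egress(p2: Phase2, src: IPv4Address, dst: IPv4Address,
           outbound_nat_to: Optional[IPv4Address] = None) -> Tuple[str, IPv4Address]:
    """Return ("ipsec", inner_source) if the policy selects the packet,
    else ("wan", source_after_outbound_nat) for the plain routed path.
    outbound_nat_to models the firewall NAT rule the original poster tried."""
    if src in p2.local and dst in p2.remote:
        # Selected for the tunnel: Phase 2 NAT/BINAT rewrites the inner source.
        return ("ipsec", p2.nat_local or src)
    # Not selected: leaves via WAN; outbound NAT may still rewrite it.
    return ("wan", outbound_nat_to or src)


# Addresses from the thread, plus a constructed LAN and two constructed hosts.
LAN = IPv4Network("192.168.1.0/24")          # assumed real local network
LAN_HOST = IPv4Address("192.168.1.50")       # constructed
REQUIRED_SRC = IPv4Address("172.16.12.1")    # source the remote side requires
REMOTE = IPv4Network("172.16.102.0/24")
REMOTE_HOST = IPv4Address("172.16.102.10")   # constructed

# Original attempt: Local Network = the single required IP, NAT by a firewall rule.
BROKEN = Phase2(local=IPv4Network("172.16.12.1/32"), remote=REMOTE)
# Working fix from the thread: Local Network = real LAN, NAT/BINAT = required IP.
FIXED = Phase2(local=LAN, remote=REMOTE, nat_local=REQUIRED_SRC)


def compare() -> dict:
    """Run the thread's three observations through the model."""
    return {
        "broken_lan_host": egress(BROKEN, LAN_HOST, REMOTE_HOST, REQUIRED_SRC),
        "broken_ping_from_vip": egress(BROKEN, REQUIRED_SRC, REMOTE_HOST),
        "fixed_lan_host": egress(FIXED, LAN_HOST, REMOTE_HOST),
    }
```

The installed selectors on the firewall can be checked against this model under Status > IPsec on the SPDs tab: the fix should show the real LAN subnet as the local selector, not the single translated address.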
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.