NAT Not Working with IPsec Tunnel
-
I have a Site-to-Site IPsec tunnel set up that requires remote traffic to come only from a single IP (172.16.12.1, for example). In pfSense, I have the "Local Network" option set to 172.16.12.1 and the remote network is 172.16.102.0/24. I have a Virtual IP set to 172.16.12.1. If I ping with 172.16.12.1 as the source address, it is successful.
If I create a NAT rule to translate traffic going to 172.16.102.0/24 to 172.16.12.1, setting the Translation Address to the same Virtual IP (172.16.12.1), then looking in pfTop the traffic IS getting translated to 172.16.12.1, but it does not go through the IPsec tunnel. I confirmed this by watching the "Packets-Out" value, and it doesn't change. However, if I use the ping tool in Diagnostics and set the Source Address to the Virtual IP 172.16.12.1, it works and "Packets-Out" reflects that.
Why isn't my translated traffic going through the IPsec tunnel when the ping tool set to the Virtual IP is?
-
I was finally able to solve this by:
Setting my Local Network in the Ph2 config to my actual local network rather than the Virtual IP. Then I set the NAT/BINAT translation option to the source IP that is required for the IPsec tunnel. I didn't even need the Virtual IP or NAT rules for any of it 🥴
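As an added illustration (not from either poster), here are the two Phase 2 shapes described in this thread, written the way pfSense stores a Phase 2 entry in config.xml. The element names (localid, natlocalid, remoteid, netbits) are assumed from pfSense's config.xml layout; the addresses are the ones used in the thread, and other Phase 2 fields (proposals, lifetimes, ikeid value) are left out or filled with placeholders.

```xml
<!-- Added example, not from the original post. Element names are assumed
     from pfSense's config.xml format; addresses come from the thread. -->

<!-- What did not work: Local Network set to the Virtual IP itself.
     Traffic NAT'd to 172.16.12.1 by an outbound NAT rule showed up as
     translated in pfTop but never entered the tunnel (Packets-Out stayed flat). -->
<phase2>
  <ikeid>1</ikeid>                 <!-- placeholder: id of the matching Phase 1 -->
  <mode>tunnel</mode>
  <localid>
    <type>address</type>
    <address>172.16.12.1</address> <!-- the Virtual IP, used as the selector -->
  </localid>
  <remoteid>
    <type>network</type>
    <address>172.16.102.0</address>
    <netbits>24</netbits>
  </remoteid>
  <protocol>esp</protocol>
</phase2>

<!-- What worked: Local Network is the real LAN, and the NAT/BINAT
     translation field presents it to the peer as the single required
     address. No Virtual IP and no separate outbound NAT rule needed. -->
<phase2>
  <ikeid>1</ikeid>                 <!-- placeholder: id of the matching Phase 1 -->
  <mode>tunnel</mode>
  <localid>
    <type>lan</type>                <!-- the actual local network -->
  </localid>
  <natlocalid>
    <type>address</type>
    <address>172.16.12.1</address> <!-- source IP the remote side requires -->
  </natlocalid>
  <remoteid>
    <type>network</type>
    <address>172.16.102.0</address>
    <netbits>24</netbits>
  </remoteid>
  <protocol>esp</protocol>
</phase2>
```

In the GUI this is the same as editing the Phase 2 entry under VPN > IPsec, choosing the LAN subnet as Local Network, and setting NAT/BINAT translation to Address 172.16.12.1. After saving, check Status > IPsec (or `swanctl --list-sas` from a shell on releases that use swanctl): the child SA should be up and, with traffic flowing from LAN hosts to 172.16.102.0/24, the Packets-Out counter should now climb without any manual source-address tricks.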