Port forward + Source NAT + IPSec VTI

DirectRaw

Hello guys! Can I implement next schema:
5a079df8-e6a0-4e01-8a70-e2c916d302a4-изображение.png
I need to reach 192.168.5.1 from 10.0.10.20.0/23, but mask the ip as 172.19.0.1.
And I can't do anything with R1.
All routes correct.
I'm able to ping 192.168.5.1 from pfSense1.
I see correct packets in VTI on pfSense1 but I can't see them on pfSense2:
7e028df2-eabb-426f-aedf-090e93a4b858-изображение.png

dylanc23

It's probably routing through the VIP interface instead of through the VTI

On which interface are you seeing those packets? On the VTI or on the one where you have your VIPs (Guessing its WAN)?

DirectRaw

@dmendez-netgate hello! Captured from VTI. Actually I did this task by using tunnel mode instead VTI. But it's still interesting why it doesn't work through VTI...

dylanc23

@DirectRaw If that packet capture was on the VTI, it means your routes on pfSense1 are correct.

What about pfSense2? Do you have a route to send traffic to destination 172.19.0.1 through the VTI?