Netgate Discussion Forum

pfSense IPsec route and source NAT

IPsec
3 Posts 2 Posters 237 Views
alaamrim
last edited by Aug 20, 2024, 10:39 AM

    Hello everyone,
    I got a client request to create a VPN tunnel with a third-party site. Their requirement is to have all the traffic from my local network (172.16.9.0/24) masked (source NAT) via 192.168.103.103/32 to their destination network (10.20.0.0/16).
    I have the IPsec tunnel configured, up and running, both P1 and P2. However, I don't see any local routes to 10.20.0.0; moreover, I had to specify the local network as 192.168.103.103/32 in order to bring P2 up, a subnet I don't even have on my network. It's just the source NAT address they provided, and it seems they only permit this /32 IP to access.
    Can someone please shed some light on what I am doing wrong here or what I am missing? I tried outbound rules and couldn't see any difference.

      viragomann @alaamrim
      last edited by Aug 20, 2024, 9:23 PM

      @alaamrim
      You need to configure your phase 2 this way:

      local network: 172.16.9.0/24
      BINAT: address > 192.168.103.103
      remote network: 10.20.0.0/16

      This VPN enables you to access the remote site, but the remote is not able to access your site, since you only have a single address.

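A small model of the Phase 2 described above, added here as an illustration; it is not code from the thread, from pfSense or from strongSwan. The addresses are the ones in the thread. It shows two things a practitioner usually wants to confirm before handing the configuration to the peer: that the traffic selector negotiated in Phase 2 (and installed in the SPD, which is why no route to 10.20.0.0/16 appears in the routing table) is the translated 192.168.103.103/32 rather than 172.16.9.0/24, and why a single translation address only permits connections initiated from the local side, whereas a same-size network translation (the other form pfSense accepts in the Phase 2 "NAT/BINAT translation" field) is 1:1 and works in both directions. The state table keyed on (translated source, remote host) is an assumption and a deliberate simplification of how pf tracks many-to-one translations; it ignores ports and timeouts.

```python
"""Model of a pfSense IPsec Phase 2 with NAT/BINAT translation (added example).

Assumptions: many-to-one translation is modelled with a toy state table keyed on
(translated source, remote host), with no ports or timeouts; pf's real state
tracking is richer but the reachability conclusion is the same.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Phase2:
    local_net: str                 # real local subnet behind pfSense
    remote_net: str                # the peer's subnet
    nat: Optional[str] = None      # "NAT/BINAT translation": one address or a same-size network
    _state: dict = field(default_factory=dict)  # (translated_src, remote_dst) -> real_src

    def __post_init__(self):
        self.local = ipaddress.ip_network(self.local_net)
        self.remote = ipaddress.ip_network(self.remote_net)
        self.nat_net = ipaddress.ip_network(self.nat) if self.nat else None
        if self.nat_net is not None and self.nat_net.num_addresses not in (1, self.local.num_addresses):
            raise ValueError("translation must be a single address or a network the same size as local")

    def selectors(self) -> Tuple[str, str]:
        """(local, remote) traffic selectors the peer sees in Phase 2 and in our SPD.
        With a translation configured, the translated address/network is negotiated."""
        local_sel = self.nat_net if self.nat_net is not None else self.local
        return str(local_sel), str(self.remote)

    def outbound(self, src: str, dst: str) -> Optional[str]:
        """Translated source for a packet entering the tunnel; None if the P2 does not match."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.local or d not in self.remote:
            return None
        if self.nat_net is None:
            return str(s)
        if self.nat_net.num_addresses == 1:            # many-to-one (hide) NAT onto the /32
            t = self.nat_net.network_address
            self._state[(t, d)] = s                    # remember who talked to d so replies can return
            return str(t)
        offset = int(s) - int(self.local.network_address)   # 1:1 BINAT keeps the host part
        return str(self.nat_net.network_address + offset)

    def inbound(self, src: str, dst: str) -> Optional[str]:
        """Real local destination for a packet arriving from the tunnel; None means it is dropped."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.remote:
            return None
        if self.nat_net is None:
            return str(d) if d in self.local else None
        if d not in self.nat_net:
            return None
        if self.nat_net.num_addresses == 1:
            real = self._state.get((d, s))             # only exists if a local host initiated to s
            return str(real) if real is not None else None
        offset = int(d) - int(self.nat_net.network_address)
        return str(self.local.network_address + offset)


if __name__ == "__main__":
    # Constructed sample traffic using the thread's addresses.
    hide = Phase2("172.16.9.0/24", "10.20.0.0/16", "192.168.103.103")
    print("negotiated selectors:", hide.selectors())
    print("local 172.16.9.25 -> 10.20.1.1 leaves as", hide.outbound("172.16.9.25", "10.20.1.1"))
    print("reply 10.20.1.1 -> 192.168.103.103 goes to", hide.inbound("10.20.1.1", "192.168.103.103"))
    print("remote-initiated 10.20.5.5 -> 192.168.103.103 goes to", hide.inbound("10.20.5.5", "192.168.103.103"))
    one_to_one = Phase2("172.16.9.0/24", "10.20.0.0/16", "192.168.103.0/24")
    print("1:1 remote-initiated 10.20.5.5 -> 192.168.103.25 goes to",
          one_to_one.inbound("10.20.5.5", "192.168.103.25"))
```

Running it prints the /32 as the negotiated local selector, the reply from 10.20.1.1 landing on 172.16.9.25, and None for the remote-initiated packet under the single-address translation, which is the "only access from one side" behaviour noted in the thread; the same-size network translation resolves the remote-initiated packet to 172.16.9.25.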
        alaamrim @viragomann
        last edited by Aug 20, 2024, 11:22 PM

        @viragomann Thank you so much, it's 100% correct. I figured it out; that's exactly what I have done now. And yes, it's only access from one side. Thanks again, I appreciate your time.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.