Netgate Discussion Forum
    Outgoing NAT with ipsec

    2.0-RC Snapshot Feedback and Problems - RETIRED

    • witto

      Hi,

      I would like to know if there is any way in 2.0 to do outgoing NAT in the ipsec interface.

      I'd like the other ipsec peer to receive traffic from a single address. I've configured that address (/32) in the local subnet of my phase2 entry, and I created the outbound NAT rule on the ipsec interface.

      The problem now is how to route the traffic I want to that interface, so it can be NATed. The NAT address I configured in the phase2 entry is in a different network than the rest of the LAN.

      I know it is possible in OpenBSD, but I'm not sure it can be done that easily in FreeBSD:
      http://undeadly.org/cgi?action=article&sid=20090127205841

      Any help will be appreciated.

      Regards,
      Thiago

      • jimp (Rebel Alliance Developer, Netgate)

        IPsec doesn't "route" per se. If the pfSense box is the gateway for that network, and the traffic matches the remote side of the p2 entry, it may work automatically.

        There are some other threads on the forum about IPsec+NAT. At least one person said they got it to work.

        • witto

          Thank you for your reply. I went through the NAT, IPsec and 2.0 forums but couldn't find any thread with a solution…

          I don't think it should work automatically, because I'm trying to tunnel through the VPN traffic that wasn't supposed to be tunneled, from IPs that are not in the VPN phase2 setup; that's why I need to NAT the traffic.

          For instance, my LAN subnet is 192.168.5.0/24, but only 192.168.5.10 is allowed to use the VPN (and I can't change the remote config to add other hosts). I would like to access the tunnel from other IPs as well, so I'm trying to move that IP (192.168.5.10) to the pfSense box and NAT the traffic from my LAN through it.

          So far I couldn't do it. I think I'll have to use the 192.168.5.10 box as a gateway to the tunnel, but I wish I could avoid having to add static routes everywhere for it to work; plus, it creates a new point of failure.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.