Outgoing NAT with ipsec
-
Hi,
I would like to know if there is any way in 2.0 to do outgoing NAT in the ipsec interface.
I'd like the other ipsec peer to receive traffic from a single address. I've configured that address (/32) in the local subnet of my phase2 entry, and I created the outbound NAT rule on the ipsec interface.
The problem now is how to route the traffic I want to that interface, so it can be NATed. The NAT address I configured in the phase2 entry is in a different network than the rest of the LAN.
I know it is possible in OpenBSD, but I'm not sure it can be done that easily in FreeBSD:
http://undeadly.org/cgi?action=article&sid=20090127205841
Any help will be appreciated.
Regards,
Thiago
-
IPsec doesn't "route" per se. If the pfSense box is the gateway for that network, and the traffic matches the remote side of the p2 entry, it may work automatically.
There are some other threads on the forum about IPsec+NAT. At least one person said they got it to work.
-
Thank you for your reply. I went through the NAT, IPsec and 2.0 forums but couldn't find any thread with a solution…
I don't think it should work automatically, because I'm trying to tunnel through the VPN traffic that wasn't supposed to be tunneled, from IPs that are not in the VPN phase 2 setup; that's why I need to NAT the traffic.
For instance, my LAN subnet is 192.168.5.0/24, but only 192.168.5.10 is allowed to use the VPN (and I can't change the remote config to add other hosts). I would like to access the tunnel from other IPs as well, so I'm trying to move that IP (192.168.5.10) to the pfSense box and NAT the traffic from my LAN through it.
So far I couldn't do it; I think I'll have to use the 192.168.5.10 box as a gateway to the tunnel, but I wish I could avoid having to add static routes everywhere for it to work, plus it creates a new point of failure.
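Added illustration, not part of the thread: a small Python model of the ordering problem the first and third posts describe. A packet only enters the tunnel if it matches a phase 2 selector, so the NAT to 192.168.5.10 has to be applied before the policy lookup; applied afterwards (or not at all), traffic from the rest of the LAN misses the /32 selector and leaves via normal routing. The LAN and 192.168.5.10 come from the thread; the remote subnet 10.20.0.0/24 and all function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values from the thread, plus one constructed assumption (the remote subnet).
LAN = ip_network("192.168.5.0/24")
NAT_ADDRESS = ip_address("192.168.5.10")       # only local address the peer accepts
PHASE2_LOCAL = ip_network("192.168.5.10/32")    # local subnet of the phase 2 entry
PHASE2_REMOTE = ip_network("10.20.0.0/24")      # assumed remote phase 2 subnet


def spd_matches(src, dst):
    """IPsec policy lookup: only traffic matching a phase 2 selector is encrypted."""
    return src in PHASE2_LOCAL and dst in PHASE2_REMOTE


def outbound_nat(src, dst):
    """Outbound NAT rule: LAN sources heading for the remote subnet become NAT_ADDRESS."""
    if src in LAN and dst in PHASE2_REMOTE:
        return NAT_ADDRESS
    return src


def forward(src, dst, nat_before_ipsec):
    """Return (path, source address seen by the peer or next hop).

    path is "tunnel" when the packet is encrypted into the IPsec SA, and
    "cleartext" when the policy lookup fails and the packet is plainly routed.
    """
    src, dst = ip_address(src), ip_address(dst)
    if nat_before_ipsec:
        src = outbound_nat(src, dst)
    if spd_matches(src, dst):
        return ("tunnel", str(src))
    # No selector matched: in this model the packet is routed unencrypted,
    # which is the failure mode to watch for when NAT runs after the lookup.
    return ("cleartext", str(src))


def summary(dst="10.20.0.5"):
    """Compare the two orderings for the allowed host and for another LAN host."""
    return {
        "allowed_host": forward("192.168.5.10", dst, nat_before_ipsec=False),
        "other_host_nat_after": forward("192.168.5.20", dst, nat_before_ipsec=False),
        "other_host_nat_before": forward("192.168.5.20", dst, nat_before_ipsec=True),
    }


if __name__ == "__main__":
    for case, result in summary().items():
        print(f"{case:22s} -> {result}")
```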