NAT traffic coming from IPSEC tunnel to get to remote IPSEC

  • Hi guys,

    Apologies if this has been answered many times before, but I've been doing a lot of googling on the subject and can't find quite the same situation.

    My network setup is as follows:

    Network A -> Network B => Network (C, D, E)

    So Network A has an IPSEC connection to network B, and Network B has many IPSEC tunnels to various sites - C, D, E.

    I want to be able to get from Network A to networks C, D, E.  The various posts I've found suggest the easiest (or only) way is separate IPSECs from A to C, D, E, and in a couple of cases this is possible for me.  But one of the networks I have no control of the firewall and cannot set up another VPN, so I need to route via B.

    Networks A and B are both PFSense 2.0 (beta)

    What I'm thinking is if I could SNAT the traffic on RouterB AFTER traversing the tunnel, the traffic would be able to find its way to all other networks and back.

    But would this actually work?  Is this possible with pfsense?  Would I need to do things directly in pf.conf?  Should I switch over to OpenVPN between A and B - can OpenVPN handle the routing I need to do?


  • Hi guys,

    I've finally had a chance to test my theory, and not entirely surprisingly, it doesn't work.

    What I've done is this:

    Network A - Router A: -
    Network B - Router B: -
    Network C - Router C: -

    IPSEC tunnels exist and work from A - B and B - C

    So, on router A, configure second phase 2 IPSEC under A-B phase 1 ipsec to go from local( to  Configure matching phase 2 on router B for B-A's phase 1 for network to

    Bring up phase 2.  Check all works and VPNs all still ok from A - B and B - C.  All good, we haven't broken anything yet.

    Add manual outbound NAT on router B for LAN interface for source to SNAT to (interface address), so that traffic coming from the VPN looks like it is coming from router B.

    Check SNAT working by SSH from 69.(x) to 150.(x) and run "who".  It shows my connection appears to be coming from 150.1.  So SNAT is working.

    So, on router A, configure route: via  This is probably unnecessary as 69.1 is the default route anyway, and I would hope at this point 2.0 traffic would be routed over the new phase 2.

    So at this point, I'm hoping that traffic from A destined for C will hit router A, travel over the tunnel, get SNAT'd to B's address and B will then reroute the packets down its VPN to C.  The destination on C will send responses back to router B, which will undo the SNAT and route the traffic back to its origin via the vpn from B to A.

    But this doesn't seem to be working.  I get no responses from remote servers on the 2.0 subnet from the 69.0.  I'm just about to try some packet sniffing on the target server, but I suspect it is not getting this far.  If it was, I can't see a reason responses wouldn't be routed back to 150.1.

    So what I think must be happening is the packets which are going through the SNAT are not entering the stack again to be rerouted.  This is where I get rather hazy - it's some years since I used iptables on Linux in anger, and I have almost zero knowledge of the network stack in BSD.  So I don't know if what I'm trying here is physically possible on pfsense.

    Any guidance here would be great - even if that guidance was simply "give up" - though I'd love to understand why this won't work.
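For comparison with the LAN-bound outbound NAT described in the post above, here is what the same translation looks like in pf.conf when it is bound to the IPsec pseudo-interface (enc0 on FreeBSD/pfSense) instead of LAN. This is an added example, not configuration from the thread; the subnets and the router address are constructed placeholders, and it assumes the pfSense release in use lets an outbound NAT rule be attached to the IPsec interface and that Router B's existing B-C phase 2 already covers its own LAN address towards Network C.

```pf
# Constructed placeholder addresses (the thread's real subnets are not on the page)
net_a     = "192.0.2.0/24"      # Network A LAN, reached over the A-B tunnel
net_c     = "198.51.100.0/24"   # Network C LAN, reached over the B-C tunnel
rtr_b_lan = "203.0.113.1"       # Router B's LAN address, used as the SNAT source

# pf nat rules are matched on the interface a packet leaves through.  Traffic
# from A that Router B forwards into the B-C tunnel leaves via enc0, not via
# the LAN interface, so a "nat on lan0" rule never sees it.  Bind the
# translation to enc0 and scope it to the A -> C flow only:
nat on enc0 from $net_a to $net_c -> $rtr_b_lan

# Optional check: only translated (rtr_b_lan-sourced) packets should enter the
# B-C tunnel; anything still sourced from net_a heading to net_c has bypassed
# the NAT and will not match the B-C phase 2 on Router B.
block out log quick on enc0 from $net_a to $net_c
```

Note that pf does not run a second IPsec policy lookup after translating: the translated packet must still be selected by a phase 2 (SPD entry) on Router B, which is why the B-C phase 2 has to include `$rtr_b_lan` as a local address for this to carry traffic.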
