IPsec network conflict
Im trying to setup an IPSec tunnel between two offices, one is an offsite company so i have little to no control over their end.
Problem is we are both on the same network 10.0.0.0 and their kit doesn't like it one bit. I am rebuilding the system after a previous faliure (wasnt using pfsense previously)
It was setup as
Office Network (10.0.0.0/24) –> NAT to 10.0.0.2 ---> IPsec Tunnel with local subnet 10.0.0.2 ---> Their network.
The problem I am having is that pfsense doesn't get IPsec to initiate the tunnel so i suspect my config is wrong somewhere
I have turned AON on, and added at the top
OFFICE Interface 10.0.0.0/24 to remote network use 10.0.0.2
I have added 10.0.0.2 as a IPAlias so visiting 10.0.0.2 on port 80 shows the same as if i were to visit my pfsense interface (on 10.0.0.1)
You can't make that work. Both sides see that as local, will never attempt to send that via the firewall. NAT is at times a solution, but you have to split the NAT out to a separate system than the IPsec to make that work, and may not be feasible at all on the remote end. Easiest is to re-address one of the networks. Or if using OpenVPN, NAT will work, assuming you don't need services that get broken by NAT (primarily Windows file sharing).
Thanks for the reply cmb
Im not sure how it was done before but it used to work with that NAT and ipsec settings. I have the original configs from before the hardware failed if thats any use
Ive just realised i should have explained it better in my initial post , Im not tunneling to the same network at their end(10.0.0.0/24). Its 10.31.145.0/28 Its just that the ipsec machine at the their end has some visibility of the a 10.0.0.0/24 network and it causes it issues at their end generating routes. It seems to be ok with having a specific IP though thats why the previous sysadmin had it all to go down 10.0.0.2
I only need ssh and port 8080 from what I remember, pretty basic stuff. I just want to tunnel it all via 1 ip rather than subnet to subnet.
Office Network (10.0.0.0/24) –> NAT to 10.0.0.2 ---> IPsec Tunnel with local subnet 10.0.0.2 ---> Their network (10.31.145.0/28)
This post here pretty much sums up my problems but not been able get anywhere
If you're just NATing all that traffic to one IP within the local subnet, and the traffic matches the SPD before NAT, then you can use outbound NAT on IPsec if using 2.0. Otherwise there has never been a way to accommodate that short of doing the NAT on a different system.