Netgate Discussion Forum
    IPsec network conflict

    Ryanmt:

      I'm trying to set up an IPsec tunnel between two offices; one is an offsite company, so I have little to no control over their end.

      The problem is we are both on the same network, 10.0.0.0, and their kit doesn't like it one bit. I am rebuilding the system after a previous failure (wasn't using pfSense previously).

      It was set up as:

      Office Network (10.0.0.0/24) --> NAT to 10.0.0.2 --> IPsec tunnel with local subnet 10.0.0.2 --> Their network.

      The problem I am having is that pfSense doesn't get IPsec to initiate the tunnel, so I suspect my config is wrong somewhere.

      I have turned AON on, and added at the top:

      OFFICE interface, 10.0.0.0/24 to remote network, use 10.0.0.2

      I have added 10.0.0.2 as an IP Alias, so visiting 10.0.0.2 on port 80 shows the same as if I were to visit my pfSense interface (on 10.0.0.1).

      cmb:

        You can't make that work. Both sides see that as local and will never attempt to send that via the firewall. NAT is at times a solution, but you have to split the NAT out to a separate system from the IPsec to make that work, and that may not be feasible at all on the remote end. Easiest is to re-address one of the networks. Or, if using OpenVPN, NAT will work, assuming you don't need services that get broken by NAT (primarily Windows file sharing).

        Ryanmt:

          Thanks for the reply, cmb.

          I'm not sure how it was done before, but it used to work with those NAT and IPsec settings. I have the original configs from before the hardware failed, if that's any use.

          I've just realised I should have explained it better in my initial post. I'm not tunneling to the same network at their end (10.0.0.0/24); it's 10.31.145.0/28. It's just that the IPsec machine at their end has some visibility of a 10.0.0.0/24 network, and it causes issues at their end generating routes. It seems to be OK with having a specific IP though; that's why the previous sysadmin had it all go down 10.0.0.2.

          I only need SSH and port 8080 from what I remember, pretty basic stuff. I just want to tunnel it all via one IP rather than subnet to subnet.

          Office Network (10.0.0.0/24) --> NAT to 10.0.0.2 --> IPsec tunnel with local subnet 10.0.0.2 --> Their network (10.31.145.0/28)

          Ryanmt:

            http://forum.pfsense.org/index.php?topic=9212.0

            This post here pretty much sums up my problems, but I have not been able to get anywhere.

            cmb:

              If you're just NATing all that traffic to one IP within the local subnet, and the traffic matches the SPD before NAT, then you can use outbound NAT on IPsec if using 2.0. Otherwise there has never been a way to accommodate that short of doing the NAT on a different system.

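A small model of the two failure modes discussed in this thread, added here as an illustration and not taken from the original posts or from pfSense itself: the host-side routing decision when the remote subnet overlaps the local one, and the SPD lookup with the NAT applied either after the policy check (plain outbound NAT) or before it (as with outbound NAT on IPsec in 2.0). The addresses are the ones from the thread; the function names and the simplified lookup order are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology taken from the thread: office LAN 10.0.0.0/24 hidden
# behind the single NAT address 10.0.0.2, remote side 10.31.145.0/28.
OFFICE_LAN = ip_network("10.0.0.0/24")
NAT_ADDR = ip_address("10.0.0.2")
REMOTE_NET = ip_network("10.31.145.0/28")


def host_next_hop(lan, dst):
    """A host delivers directly to anything inside its own subnet; only
    other destinations are handed to the default gateway (the firewall)."""
    return "direct" if dst in lan else "gateway"


def spd_matches(local_sel, remote_sel, src, dst):
    """Simplified SPD lookup (assumption): the packet is protected only when
    both its source and destination fall inside the Phase 2 selectors."""
    return src in local_sel and dst in remote_sel


def plan_flow(src, dst, nat_before_spd):
    """Trace one packet from an office host and report where it ends up.
    nat_before_spd models outbound NAT on IPsec, where the source is
    rewritten to NAT_ADDR before the SPD is consulted."""
    src, dst = ip_address(src), ip_address(dst)
    if host_next_hop(OFFICE_LAN, dst) == "direct":
        # cmb's first point: an overlapping remote address looks local, so
        # the host never sends the packet to the firewall at all.
        return "local delivery"
    local_sel = ip_network(f"{NAT_ADDR}/32")
    if nat_before_spd:
        src = NAT_ADDR
    if spd_matches(local_sel, REMOTE_NET, src, dst):
        return "tunnel"
    # Pre-NAT source 10.0.0.x lies outside the 10.0.0.2/32 selector, so no
    # SA is ever negotiated: the symptom described in the first post.
    return "no SPD match"


if __name__ == "__main__":
    for dst, nat in (("10.0.0.77", False), ("10.31.145.5", False), ("10.31.145.5", True)):
        mode = "NAT before SPD" if nat else "NAT after SPD"
        print(f"10.0.0.50 -> {dst} ({mode}): {plan_flow('10.0.0.50', dst, nat)}")
```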
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.