Netgate Discussion Forum

    Need to connect via different subnet over IPSec VPN

    Category: NAT
    9 Posts 4 Posters 6.3k Views
    adsys.in

      hello,
      I have a big problem. I'm new to using pfSense 2.0.

      I need to connect to my SAP HR hosting partner. Their requirements:

      The LAN subnet where SAP HR is hosted is 172.10.5.0/24, and they are forcing me to use 172.10.8.0/28 as my local subnet.
      Problem is, I'm using a different local subnet: 192.168.0.0/24

      I cannot make a translation from 192.168.0.0/24 to 172.10.8.0/28 (the hosting partner accepts a tunnel ONLY between 172.10.5.0/24 <-> 172.10.8.0/28).

      What to do? How to configure pfSense (NAT, VIP, etc. etc.)?  :-[

      The tunnel is made over IPsec between my public IP (pfSense) and theirs (Cisco).
      [attachment: ipsec_vpn.jpg]

      torino

        hi,

        The tunnel will be established between 172.10.5.0/24 <-> 172.10.8.0/28. So
        packets can be sent through the tunnel with destination IP 172.10.8.0/28 from your
        SAP partner.

        By using 1:1 NAT, it should be possible to translate the destination IP into your IP range,
        and also the way back by translating the source IP.
        Problem could be the different subnet size...

        adsys.in

          But how do I configure 1:1 NAT?
          I cannot send any packets.

          torino

            hi!

            I would try to configure 1:1 NAT:

            Firewall > NAT > 1:1
            Interface: IPsec
            External IP: 172.10.8.0
            Internal IP: 192.168.0.0

            Reason: packets from your SAP provider have destination IP 172.10.8.0/28. This should be switched to
            the 192.168.0.0/28 network and also vice versa. Problem could be the different subnet length.

            That's what I suggest, but I am also new in this area and I am also fighting with NAT and proxy ARP...

            jimp (Rebel Alliance Developer, Netgate)

              You cannot do NAT+IPsec in that way. It doesn't work.

              The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.

              IIRC there are other issues there as well, but it's a known issue that is fairly well documented.


              torino

                hmm. Yes, the traffic should fit with phase 2.

                Packets which are coming from the provider (out of the tunnel) have

                Dest-IP: 178.10.8.0/24
                Source-IP: 172.10.5.0/24

                (.... this fits with phase 2.)

                After 1:1 NAT (dest) in pfSense, we have

                Dest-IP: 192.168.0.0/24
                Source-IP: 172.10.5.0/24
                ..... (destination IP changed)

                This packet should reach the destination host.
                The reply from the host has

                Dest-IP: 172.10.5.0/24
                Source-IP: 192.168.0.0/24

                After 1:1 NAT (source) in pfSense we have for the tunnel

                Dest-IP: 172.10.5.0/24
                Source-IP: 172.10.8.0/24

                ...this fits again with phase 2.

                Please let me know what is wrong....

                adsys.in

                  For example, a traceroute to 172.10.5.1 from a host in subnet 192.168.0.0 shows a trace to the default gateway and the internet and nowhere else,
                  not into the IPsec tunnel via 172.10.8.0 to 172.10.5.0, at least :(

                  torino

                    You have to consider that the IP addresses must fit the Phase 2 configuration of IPsec
                    before you send the packet to the tunnel.
                    Phase 2 is established with 178.10.8.0/24 and 172.10.5.0/24. Only these addresses are accepted
                    by the VPN. But you want to send a packet with 192.168.0.0 and 172.10.5.0/24.

                    dhatz
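The disagreement in the thread comes down to the order in which pfSense 2.0 applies two checks: the phase 2 selector match and the 1:1 NAT rule. The following is an added example, not code from the thread or from pfSense itself; it is a small Python model of both orderings using the addresses the posters quote (phase 2 selectors 172.10.8.0/28 and 172.10.5.0/24, real LAN 192.168.0.0/24). The function names, the `Packet` type and the string results are assumptions of this example. It also carries through torino's "different subnet size" caveat: a /24 has 256 hosts, a /28 only 16, so most LAN hosts have no counterpart even if NAT were applied first.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Optional

# Addresses taken from the thread: the partner's phase 2 selectors and the real LAN.
P2_LOCAL = ip_network("172.10.8.0/28")    # what the partner expects as our side
P2_REMOTE = ip_network("172.10.5.0/24")   # the SAP HR subnet
REAL_LAN = ip_network("192.168.0.0/24")   # the LAN actually behind pfSense


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def packet(src: str, dst: str) -> Packet:
    """Build a packet from dotted-quad strings (helper assumed by this example)."""
    return Packet(IPv4Address(src), IPv4Address(dst))


def matches_phase2(pkt: Packet) -> bool:
    """Outbound phase 2 test: source inside the local selector, destination inside the remote one."""
    return pkt.src in P2_LOCAL and pkt.dst in P2_REMOTE


def nat_1to1_source(pkt: Packet, internal: IPv4Network = REAL_LAN,
                    external: IPv4Network = P2_LOCAL) -> Optional[Packet]:
    """1:1 NAT of the source address: keep the host offset, swap the network part.
    Returns None when the host has no counterpart, which is the "different subnet
    size" problem torino mentions: a /24 has 256 addresses, a /28 only 16."""
    if pkt.src not in internal:
        return pkt
    offset = int(pkt.src) - int(internal.network_address)
    if offset >= external.num_addresses:
        return None
    return Packet(IPv4Address(int(external.network_address) + offset), pkt.dst)


def route_pfsense_2_0(pkt: Packet) -> str:
    """Ordering jimp describes: the untranslated packet is tested against the phase 2
    selectors first. With no match it is routed normally to the default gateway, and
    the 1:1 NAT rule on the IPsec interface is never reached."""
    if matches_phase2(pkt):
        return f"ipsec {pkt.src}->{pkt.dst}"
    return f"default-gateway {pkt.src}->{pkt.dst}"


def route_nat_then_ipsec(pkt: Packet) -> str:
    """Ordering torino's packet walk assumes: translate first, then test the selectors.
    Included only to make the difference visible; pfSense 2.0 does not do this."""
    translated = nat_1to1_source(pkt)
    if translated is None:
        return f"unmappable {pkt.src}: no address for it in {P2_LOCAL}"
    if matches_phase2(translated):
        return f"ipsec {translated.src}->{translated.dst}"
    return f"default-gateway {translated.src}->{translated.dst}"


if __name__ == "__main__":
    # Constructed probes: one host that would fit the /28, one that cannot.
    for p in (packet("192.168.0.10", "172.10.5.1"), packet("192.168.0.200", "172.10.5.1")):
        print(f"{p.src} -> {p.dst}")
        print("  pfSense 2.0 :", route_pfsense_2_0(p))
        print("  NAT first   :", route_nat_then_ipsec(p))
```

Running it reproduces adsys.in's traceroute observation: under the pfSense 2.0 ordering every packet from 192.168.0.0/24 goes to the default gateway, because nothing with a 192.168.0.x source matches the 172.10.8.0/28 selector. Even under the NAT-first ordering only 192.168.0.0 through 192.168.0.15 could be mapped into the /28.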

                      On the subject of NAT before IPsec VPN (not supported in pfSense 2.0), you can also read http://redmine.pfsense.org/issues/1855

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.