Need to connect via different subnet over IPSec VPN



  • hello,
    I have a big problem. I'm new to using pfSense 2.0.

    I need to connect to my SAP HR hosting partner. His requirements:

    The LAN subnet where SAP HR is hosted is 172.10.5.0/24, and they are forcing me to use 172.10.8.0/28 as my local subnet.
    The problem is, I'm using a different local subnet: 192.168.0.0/24

    I cannot make the translation from 192.168.0.0/24 to 172.10.8.0/28 (the hosting partner accepts a tunnel ONLY between 172.10.5.0/24 <-> 172.10.8.0/28).

    What to do?  How to configure pfSense (NAT, VIP, etc. etc.)  :-[

    The tunnel is made over IPsec between my public IP (pfSense) and theirs (Cisco).



  • hi,

    The tunnel will be established between 172.10.5.0/24 <-> 172.10.8.0/28. So
    packets can be sent through the tunnel with destination IP 172.10.8.0/28 from your
    SAP partner.

    By using 1:1 NAT, it should be possible to translate the destination IP into your IP range,
    and also the way back by translating the source IP.
    The problem could be the different subnet size…



  • But how to configure NAT 1:1?
    I cannot send any packets.



  • hi!

    I would try to configure 1:1 NAT:

    Firewall > NAT > 1:1
    Interface: IPsec
    External IP: 172.10.8.0
    Internal IP: 192.168.0.0

    Reason: packets from your SAP provider have destination IP 172.10.8.0/28. This should be switched to the
    192.168.0.0/28 network and also vice versa. The problem could be the different subnet length.

    That's what I suggest, but I am also new in this area and I am also fighting with NAT and ARP Proxy …


  • Rebel Alliance Developer Netgate

    You cannot do NAT+IPsec in that way. It doesn't work.

    The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.

    IIRC there are other issues there as well, but it's a known issue that is fairly well documented.



  • hmm. yes, the traffic should fit with phase 2.

    Packets which are coming from the provider (out of the tunnel) have

    Dest-IP: 178.10.8.0/24
    Source-IP: 172.10.5.0/24

    (…. this fits with phase 2.)

    After 1:1 NAT (dest) in pfSense, we have

    Dest-IP: 192.168.0.0/24
    Source-IP: 172.10.5.0/24
    ..... (destination IP changed)

    This packet should reach the destination host.
    The reply from the host has

    Dest-IP: 172.10.5.0/24
    Source-IP: 192.168.0.0/24

    After 1:1 NAT (source) in pfSense we have for the tunnel

    Dest-IP: 172.10.5.0/24
    Source-IP: 172.10.8.0/24

    ...this fits again with phase 2.

    Please let me know what is wrong ....



  • For example, a traceroute to 172.10.5.1 from a host in subnet 192.168.0.0 shows the trace going to the default gateway and the internet and nowhere else,
    not into the IPsec tunnel, via 172.10.8.0 to 172.10.5.0, at least :(



  • You have to consider that the IP addresses must fit the Phase 2 configuration of IPsec
    before you send the packet to the tunnel.
    Phase 2 is established with 178.10.8.0/24 and 172.10.5.0/24. Only these addresses are accepted
    by the VPN, but you want to send a packet with 192.168.0.0 and 172.10.5.0/24.
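    The disagreement in the thread comes down to ordering: the 1:1 NAT posts assume the packet is translated before it is compared with the phase 2 selectors, while the Netgate reply states that pfSense 2.0 compares the untranslated packet first, so it never enters the tunnel. The following simulation is an added example, not code from the thread or from pfSense; it uses the thread's addresses (172.10.5.0/24, 172.10.8.0/28, 192.168.0.0/24) as constructed sample input and models both orderings, plus the /28-versus-/24 size mismatch the posters mention. The "NAT before IPsec" path is the hypothetical behaviour the earlier posts expected; the default path models what the thread reports for pfSense 2.0 and reproduces the traceroute result (packet leaves via the default gateway).

```python
import ipaddress
from typing import NamedTuple, Optional

# Networks as given in the thread (constructed sample values).
SAP_LAN = ipaddress.ip_network("172.10.5.0/24")        # partner's SAP HR LAN
REQUIRED_LOCAL = ipaddress.ip_network("172.10.8.0/28")  # local side the partner demands
REAL_LAN = ipaddress.ip_network("192.168.0.0/24")       # actual LAN behind pfSense


class Packet(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def matches_phase2(pkt: Packet) -> bool:
    """Phase 2 selectors: local 172.10.8.0/28 <-> remote 172.10.5.0/24."""
    return pkt.src in REQUIRED_LOCAL and pkt.dst in SAP_LAN


def nat_1to1(addr: ipaddress.IPv4Address, from_net, to_net) -> Optional[ipaddress.IPv4Address]:
    """1:1 NAT by host offset between two networks.

    Returns None when the host offset does not fit in the target network,
    which is the subnet-size problem raised in the thread (a /24 cannot be
    mapped 1:1 onto a /28; only the first 16 hosts have a counterpart).
    """
    if addr not in from_net:
        return None
    offset = int(addr) - int(from_net.network_address)
    if offset >= to_net.num_addresses:
        return None
    return to_net.network_address + offset


def send_from_lan(src: str, dst: str, nat_before_ipsec: bool = False):
    """Decide where a LAN host's outbound packet goes.

    nat_before_ipsec=False models what the thread reports for pfSense 2.0:
    the packet is checked against the phase 2 selectors as-is, NAT is not
    applied first, so it does not match and falls through to the default gateway.
    nat_before_ipsec=True is the hypothetical order the 1:1 NAT posts assumed.
    """
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if nat_before_ipsec:
        new_src = nat_1to1(pkt.src, REAL_LAN, REQUIRED_LOCAL)
        if new_src is None:
            return ("dropped: no 1:1 mapping for source", pkt)
        pkt = pkt._replace(src=new_src)
    if matches_phase2(pkt):
        return ("ipsec tunnel", pkt)
    return ("default gateway", pkt)


def receive_from_tunnel(src: str, dst: str):
    """Inbound direction: a packet leaving the tunnel already matched phase 2,
    so rewriting its destination from 172.10.8.0/28 to 192.168.0.0/24 is the
    unproblematic half of the scheme."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if not (pkt.src in SAP_LAN and pkt.dst in REQUIRED_LOCAL):
        return ("rejected: does not match phase 2", pkt)
    new_dst = nat_1to1(pkt.dst, REQUIRED_LOCAL, REAL_LAN)
    return ("delivered to LAN", pkt._replace(dst=new_dst))


if __name__ == "__main__":
    # pfSense 2.0 ordering as reported in the thread: never enters the tunnel
    print(send_from_lan("192.168.0.5", "172.10.5.1"))
    # hypothetical NAT-first ordering: would match phase 2 as 172.10.8.5
    print(send_from_lan("192.168.0.5", "172.10.5.1", nat_before_ipsec=True))
    # host 20 has no counterpart in a /28 even with NAT-first ordering
    print(send_from_lan("192.168.0.20", "172.10.5.1", nat_before_ipsec=True))
    # inbound packet from the SAP LAN is translated to the real LAN host
    print(receive_from_tunnel("172.10.5.1", "172.10.8.5"))
```

    Run it as-is to see the four cases; the first line is the one the thread's traceroute shows (packet routed to the default gateway), and the third shows that even if NAT were applied first, 192.168.0.16 and above would have no address in the /28.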



  • On the subject of NAT before IPsec VPN (not supported in pfSense 2.0), you can also read http://redmine.pfsense.org/issues/1855

