Need to connect via different subnet over IPSec VPN
I have big problem. I'm new in using pfsense 2.0
I need to connect do my SAP HR hosting partner. His requirements:
Lan subnet where is hosted SAP HR is: 22.214.171.124/24, and they are forceing me to use as my local subnet: 126.96.36.199/28
Problem is, I;m using different local subnet: 192.168.0.0/24
I cannot make translation from 192.168.0.0/24 to 188.8.131.52/28 (hosting partner accept tunel ONLY between 184.108.40.206/24 <-> 220.127.116.11/28)
What to do ? How to configure pfsense (NAT, VIP, etc. etc. ) :-[
Tunnel is making over IPSec between my public IP (pfsense) and their (cisco).
The tunnel will be established between 18.104.22.168/24 <-> 22.214.171.124/28. So
packets can be send through the tunnel with destination ip 126.96.36.199/28 from your
By using 1:1 NAT, it should be possible to translate the destination ip into your ip-range.
And also the way back by translating the source-IP.
Problem could be the different subnet-size…
But how to configure NAT 1:1 ?
I cannot send any packets
i would try to configure 1:1 NAT:
Firewall > NAT > 1:1
External IP: 188.8.131.52
Internal IP: 192.168.0.0
reason: packets from you SAP provider has destination IP 184.108.40.206/28. This should be switched to
192.168.0.0/28 network and also vise versa. problem could be the different subnet-length.
thats what i suggest, but i am also new in this area and i am fighting also with NAT and ARP Proxy …
You cannot do NAT+IPsec in that way. It doesn't work.
The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.
IIRC there are other issues there as well, but it's a known issue that is fairly well documented.
hmm. yes, the traffic should fit with phase 2.
packets which are coming from the provider (out of the tunnel) has
(…. this fits with phase 2.)
after 1:1 NAT (dest) in pfsense, we have
..... (Destination IP changed)
this packet should reach the destination-host.
the reply from the host has
after 1:1 NAT (source) in pfsense we have for the tunnel
...this fits again with phase 2
please let me know what is wrong ....
for example, tarceroute to 220.127.116.11, from host in subnet 192.168.0.0 shows trace to default gateway and internet and nowhere
not to ipsce tunnel, via 18.104.22.168 to 22.214.171.124 at least :(
you have to consider, that the IP addresses fits with Phase2 configuration of ipsec,
before you send the packet to the tunnel.
Phase2 is established with 126.96.36.199/24 and 188.8.131.52/24. only these addresses accepted
by the vpn. but you want to send a packet with 192.168.0.0 and 184.108.40.206/24
dhatz last edited by
On the subject of NAT before IPsec VPN (not supported in pfsense 2.0), you can also read http://redmine.pfsense.org/issues/1855