Need to connect via different subnet over IPSec VPN

  • Hello,
    I have a big problem. I'm new to using pfSense 2.0.

    I need to connect to my SAP HR hosting partner. His requirements:

    The LAN subnet where SAP HR is hosted is: , and they are forcing me to use as my local subnet:
    Problem is, I'm using a different local subnet:

    I cannot make the translation from to (the hosting partner accepts a tunnel ONLY between <->

    What to do? How to configure pfSense (NAT, VIP, etc.)? :-[

    The tunnel is made over IPsec between my public IP (pfSense) and theirs (Cisco).

  • Hi,

    The tunnel will be established between <-> . So
    packets can be sent through the tunnel with the destination IP from your
    SAP partner.

    By using 1:1 NAT, it should be possible to translate the destination IP into your IP range.
    And also the way back, by translating the source IP.
    The problem could be the different subnet size…

  • But how to configure 1:1 NAT?
    I cannot send any packets.

  • Hi!

    I would try to configure 1:1 NAT:

    Firewall > NAT > 1:1
    Interface: IPsec
    External IP:
    Internal IP:

    Reason: packets from your SAP provider have destination IP . This should be switched to network , and also vice versa. The problem could be the different subnet length.

    That's what I suggest, but I am also new in this area and I am also fighting with NAT and proxy ARP …

  • Rebel Alliance Developer Netgate

    You cannot do NAT+IPsec in that way. It doesn't work.

    The traffic will never enter the tunnel because it doesn't match the phase 2 on the tunnel, and NAT won't apply because it never gets into the tunnel.

    IIRC there are other issues there as well, but it's a known issue that is fairly well documented.
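The ordering the developer describes, as an added worked model (not code from the thread, from pfSense or from Netgate): the phase 2 selector is checked on the packet as it leaves the LAN, and a 1:1 NAT rule bound to the IPsec interface is only ever evaluated for traffic that already matched. All subnets below are constructed placeholders, since the real addresses did not survive on the page, and the `outbound_path` function encodes the developer's statement rather than any inspection of the kernel's packet path. It also carries through the "different subnet size" caveat raised earlier: host-preserving 1:1 NAT is only well defined between prefixes of equal length.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption); the thread's real subnets are not on the page.
LOCAL_LAN = ip_network("192.168.10.0/24")    # subnet the poster actually uses
REQUIRED_LOCAL = ip_network("10.50.0.0/24")  # subnet the hosting partner insists on
REMOTE_SAP = ip_network("172.16.20.0/24")    # partner's hosted SAP HR subnet

# Phase 2 selector the Cisco side accepts: (local network, remote network).
PHASE2 = (REQUIRED_LOCAL, REMOTE_SAP)


def in_selector(local_addr, remote_addr, phase2=PHASE2):
    """True if (local, remote) falls inside the phase 2 selector.
    Outbound: local=src, remote=dst. Inbound: local=dst, remote=src."""
    local_net, remote_net = phase2
    return ip_address(local_addr) in local_net and ip_address(remote_addr) in remote_net


def one_to_one(addr, from_net, to_net):
    """Host-preserving 1:1 NAT: keep the host bits, swap the network bits.
    Only well defined when both prefixes have the same length (the
    'different subnet size' problem mentioned in the thread)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths: %s vs %s" % (from_net, to_net))
    addr = ip_address(addr)
    if addr not in from_net:
        raise ValueError("%s is not inside %s" % (addr, from_net))
    offset = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + offset)


def outbound_path(src, dst, phase2=PHASE2):
    """Model of the pfSense 2.0 behaviour the developer describes: the
    phase 2 match is decided on the untranslated packet leaving the LAN.
    A packet that does not match is routed normally, so a 1:1 NAT rule on
    the IPsec interface never gets a chance to rewrite it."""
    if in_selector(src, dst, phase2):
        return "ipsec-tunnel"
    return "default-gateway"   # what the poster's traceroute showed


def demo():
    """Walk the flow the second poster proposed and show where it breaks."""
    sap_host = "172.16.20.10"
    lan_host = "192.168.10.5"

    # Inbound from the partner: dst is in REQUIRED_LOCAL, so it matches phase 2
    # and a destination 1:1 NAT could in principle map it onto the real LAN.
    inbound_ok = in_selector("10.50.0.5", sap_host)
    nat_to_lan = str(one_to_one("10.50.0.5", REQUIRED_LOCAL, LOCAL_LAN))

    # The reply leaves the LAN host with its real source address. That source is
    # outside the selector, so the packet is routed out the default gateway and
    # the IPsec-interface 1:1 NAT is never applied.
    reply_path = outbound_path(lan_host, sap_host)

    # If the LAN were actually renumbered into the required range, it would match.
    renumbered_path = outbound_path("10.50.0.5", sap_host)

    # Subnet-size caveat: a /25 cannot be mapped 1:1 onto a /24.
    try:
        one_to_one("10.50.0.5", ip_network("10.50.0.0/25"), LOCAL_LAN)
        size_mismatch = None
    except ValueError as exc:
        size_mismatch = str(exc)

    return {
        "inbound_matches_phase2": inbound_ok,
        "inbound_after_nat": nat_to_lan,
        "reply_path": reply_path,
        "renumbered_path": renumbered_path,
        "size_mismatch": size_mismatch,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)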

  • Hmm, yes, the traffic should fit phase 2.

    Packets which are coming from the provider (out of the tunnel) have


    (…. this fits phase 2.)

    After 1:1 NAT (dest) in pfSense, we have

    ..... (destination IP changed)

    This packet should reach the destination host.
    The reply from the host has


    After 1:1 NAT (source) in pfSense, we have for the tunnel


    ... this fits phase 2 again.

    Please let me know what is wrong ....

  • For example, a traceroute to , from a host in subnet , shows a trace to the default gateway and the Internet and nowhere else,
    not to the IPsec tunnel, via to at least :(

  • You have to consider that the IP addresses fit the Phase 2 configuration of IPsec
    before you send the packet to the tunnel.
    Phase 2 is established with , and only these addresses are accepted
    by the VPN. But you want to send a packet with and

  • On the subject of NAT before IPsec VPN (not supported in pfSense 2.0), you can also read