IPSEC tunnel with NAT, need some help

  • Hope someone can figure out what I've got misconfigured, but here is what I'm trying to configure.

    My side is pfSense 2.0, other side is a Cisco appliance.

    My goal is to establish the connection on one of my public IPs, the .13, which is my endpoint identifier, then tunnel the traffic on another public IP, my .12. The logs from the Cisco side are telling me that the phase 2 never properly routes my internal LAN to the defined subnet ranges on the other side from my specified public IP of the .12. Instead it is just using the normal interface (my normal internet usage, .14 gateway) and not NATing the traffic properly.

    Hope I explained that well enough; attached are some screenshots of my configuration.

    Edit: updated picture.

  • So what you are trying to do is take your LAN segment and NAT it to an IP that you want to use as the encryption domain for your side, but what is happening is the traffic doesn't get NATed and instead the src looks as though it's coming from your LAN segment and not the NAT IP. Is this correct? I'm having the same issue and was wondering if anyone knew how to set this up properly on the pfSense box?

  • Yep, this is exactly what's happening.

    Hopefully someone has some suggestions on what to try to fix this.

  • Your NAT mode is still set to 'automatic'; it ignores custom NAT rules when in this mode. Try switching to 'manual' mode on the 'NAT -> Outbound' page.

  • Rebel Alliance Developer Netgate

    IPsec and NAT do not mix (yet) on 2.x.

    In order to match the outbound NAT the traffic would already have to be leaving the IPsec interface. That traffic wouldn't be leaving the interface, however, because it doesn't match the IPsec phase 2.

    You can do this with two separate routers, one doing the NAT, and the other handling IPsec, but it can't be done in one at this time.
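
As an added illustration (not code from this thread, from pfSense or from Netgate), the ordering the developer describes, modelled in Python: the phase 2 selector is evaluated on the untranslated packet, so a LAN source never matches a phase 2 whose local side is the public IP, the packet exits the normal WAN path, and an outbound NAT rule bound to the IPsec interface never fires. The same model shows why the two-box workaround (NAT on one router, IPsec on the next) and a host that already carries the public IP both reach the tunnel. All addresses are constructed (RFC 5737 documentation ranges standing in for the poster's .12 and .14), and the rule tables are an assumption-level simplification of the real pf and racoon processing.

```python
"""Model of phase 2 matching vs. outbound NAT ordering on a pfSense 2.x box."""
from ipaddress import ip_address, ip_network

# Constructed example addresses (RFC 5737 documentation ranges), not the poster's real ones.
LAN_NET = ip_network("192.168.1.0/24")      # assumed private LAN behind pfSense
NAT_IP = ip_address("203.0.113.12")         # public IP the remote side expects as the encryption domain
WAN_IP = ip_address("203.0.113.14")         # pfSense's normal WAN address / default route
REMOTE_NET = ip_network("198.51.100.0/24")  # remote subnet listed in phase 2

# Phase 2 as the poster configured it: local = the public .12, remote = the Cisco side's subnet.
PHASE2 = {"local": ip_network(f"{NAT_IP}/32"), "remote": REMOTE_NET}

# Outbound NAT rules keyed by the interface a packet is leaving on (simplified model).
NAT_RULES = {
    "ipsec": {"src": LAN_NET, "dst": REMOTE_NET, "to": NAT_IP},              # the custom rule that never fires
    "wan": {"src": LAN_NET, "dst": ip_network("0.0.0.0/0"), "to": WAN_IP},  # the automatic rule
}


def apply_nat(iface, src, dst):
    """Translate src if the rule bound to iface matches; NAT only runs on the exit interface."""
    rule = NAT_RULES.get(iface)
    if rule and src in rule["src"] and dst in rule["dst"]:
        return rule["to"]
    return src


def single_box(src, dst):
    """pfSense 2.x order: the phase 2 selector is checked on the untranslated packet first."""
    src, dst = ip_address(src), ip_address(dst)
    iface = "ipsec" if (src in PHASE2["local"] and dst in PHASE2["remote"]) else "wan"
    return iface, str(apply_nat(iface, src, dst))


def two_boxes(src, dst):
    """Workaround from the thread: box 1 NATs LAN -> .12, box 2 then evaluates phase 2 on the result."""
    src, dst = ip_address(src), ip_address(dst)
    src = apply_nat("ipsec", src, dst)  # box 1: the same rule, but applied before IPsec ever sees the packet
    if src in PHASE2["local"] and dst in PHASE2["remote"]:
        return "ipsec", str(src)
    return "wan", str(src)


if __name__ == "__main__":
    print("one pfSense box:     ", single_box("192.168.1.50", "198.51.100.10"))  # ('wan', '203.0.113.14')
    print("NAT box + IPsec box: ", two_boxes("192.168.1.50", "198.51.100.10"))   # ('ipsec', '203.0.113.12')
    print("host holding the .12:", single_box("203.0.113.12", "198.51.100.10"))  # ('ipsec', '203.0.113.12')
```

The first call reproduces the Cisco-side symptom from the opening post: the LAN packet leaves via the WAN gateway carrying the .14, not the .12.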

  • Well darn, I was going to give what Ximerian said a try, but if it's not possible yet I guess I won't.

    Is there any other way I could do this without having 2 boxes? In my setup only about 2 users need to access this VPN. Could I assign them a different address/subnet or create a route for just their specific IP? If that's even possible; sorry for a dumb question, just want to see if there are any other options.

  • Rebel Alliance Developer Netgate

    They would have to have separate IPs, each listed in the Phase 2. You can't do any kind of NAT out IPsec properly yet.

  • So if I specified the user's local IP in the Local Subnet section in phase 2, it should work?

    OK, it makes sense now I think. The user would need to be assigned my Public IP because the site I'm going to requires it to be a public IP and not a private?

    Hope I got that right.

    So, is there an easy way to bind a user's MAC address to obtain a Public address?

  • Ended up using 2 firewalls to route the traffic and it ended up working.

    Thanks for the help!
