How to NAT before VPN: IPsec
  • Hello, I have been asked to establish a LAN-to-LAN VPN using IPsec.
    The other VPN side asks me to use a fixed IP address as the traffic source, which is 10.0.0.8. I've done that successfully.
    The problem is that my LAN is 192.168.100.0 and I need to NAT it to 10.0.0.8 before establishing the VPN.
    I tried every NAT option with no success: NAT 1:1, NAT outbound, etc.
    Can anyone help me, please?
  • Thanks for your reply.
    I had already read that topic, but unfortunately it is related to OpenVPN and my VPN is IPsec, which I am obliged to use.

    This is the configuration:

    My LAN network:  192.168.100.0

    IPSEC VPN Phase 2:
    Local network:  10.0.0.8   (this is the only address the other VPN side allows to receive)
    Remote network:  10.181.0.0

    NAT 1:1
    Interface:  IPSEC
    External IP: 10.0.0.8
    Internal IP:  192.168.100.0
    Destination IP:  10.181.0.0

    I think it should be solved with NAT 1:1 on the IPsec interface, because the NAT should be done before establishing the VPN, but it does not work   :'(
  • We too are having a similar problem. We were asked to connect one of our computers to another company with an IPSEC VPN. However our computer's IP is 10.10.1.50 and the other company specifically wants us to use 192.168.1.50 on our side for that computer. They said that it's a simple case of NATing their imposed 192.168.1.50 to our 10.10.1.50 computer. Here is a diagram:

    
      Our IP      Their imposed IP        Our pfSense WAN               Their VPN's WAN      Their computer's IP
    10.10.1.50  -   192.168.1.50     -     93.104.100.10    (Internet)   194.65.200.20    -    192.168.10.50
    
    

    If this IPsec is set up properly they should be able to reach our computer (10.10.1.50) by pinging 192.168.1.50 (their imposed IP for us), and of course we should be able to ping theirs (192.168.10.50) from our computer (10.10.1.50). From their point of view they only want to access their imposed IP (192.168.1.50); they don't really care what our final IP is (10.10.1.50).

    Their computer's IP (192.168.10.50) is probably not the real final IP either; it most likely is being NATed to some other computer in their infrastructure, pretty much like our imposed IP (192.168.1.50) should forward (NAT) to our real computer (10.10.1.50), but that isn't important for us to know anyway.

    We have tried to configure pfSense to forward traffic from their 192.168.1.50 to our 10.10.1.50, and have been all over the Internet looking and trying different configurations, but all to no avail. From what we gathered it seems that pfSense v2.0.1 (which is what we use) still can't do this.

    Can anyone shed some light on this matter?
  • AFAIK pfSense can't do NAT before IPsec on the same box.

    Check http://redmine.pfsense.org/issues/1855
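As an added example (not pfSense code and not from any poster in this thread), here is a small Python model of why the NAT has to sit before the IPsec policy lookup, replaying the two address plans posted above. The `Packet`, `Phase2`, `OneToOne` and `ManyToOne` names and the flow identifiers are my own assumptions; only the addresses come from the thread. The model also makes a distinction the posts do not draw: a whole /24 presented as one address (the second post) is a many-to-one NAT that can only carry reply traffic back in, whereas one host presented as one address (the third post) is a true 1:1 mapping that the remote side can initiate connections to.

```python
"""Toy model of NAT ordering relative to an IPsec Phase 2 selector.

Added example, not a pfSense feature: the classes below are assumptions
used to illustrate the thread; only the IP addresses are taken from it.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4
    flow: int  # source port / ICMP id: all a many-to-one NAT can key on


@dataclass(frozen=True)
class Phase2:
    """Tunnel selector: local->remote enters the SA, remote->local leaves it."""
    local: Net
    remote: Net

    def out_match(self, p: Packet) -> bool:
        return p.src in self.local and p.dst in self.remote

    def in_match(self, p: Packet) -> bool:
        return p.src in self.remote and p.dst in self.local


class OneToOne:
    """1:1 (binat) NAT: stateless, both directions, equal prefix lengths only."""
    def __init__(self, internal: Net, external: Net):
        if internal.prefixlen != external.prefixlen:
            raise ValueError("1:1 NAT needs equal-sized internal and external prefixes")
        self.internal, self.external = internal, external

    @staticmethod
    def _shift(a: IPv4, frm: Net, to: Net) -> IPv4:
        return IPv4(int(to.network_address) + (int(a) - int(frm.network_address)))

    def outbound(self, p: Packet) -> Packet:
        if p.src not in self.internal:
            return p
        return Packet(self._shift(p.src, self.internal, self.external), p.dst, p.flow)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst not in self.external:
            return p
        return Packet(p.src, self._shift(p.dst, self.external, self.internal), p.flow)


class ManyToOne:
    """Outbound NAT (overload): a whole prefix hides behind one address; needs state."""
    def __init__(self, internal: Net, external: IPv4):
        self.internal, self.external = internal, external
        self.state = {}  # (remote address, flow) -> original internal source

    def outbound(self, p: Packet) -> Packet:
        if p.src not in self.internal:
            return p
        self.state[(p.dst, p.flow)] = p.src
        return Packet(self.external, p.dst, p.flow)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.external:
            return p
        orig = self.state.get((p.src, p.flow))
        return None if orig is None else Packet(p.src, orig, p.flow)  # None: no state


def send_to_remote(p: Packet, nat, p2: Phase2, nat_before_ipsec: bool) -> str:
    """'tunnel' if the packet hits the selector, 'untunnelled' if it misses it."""
    if nat_before_ipsec:
        p = nat.outbound(p)
    return "tunnel" if p2.out_match(p) else "untunnelled"


def receive_from_remote(p: Packet, nat, p2: Phase2) -> Optional[Packet]:
    """Decrypted tunnel packet: the packet as delivered, or None if undeliverable."""
    return nat.inbound(p) if p2.in_match(p) else None


def run_thread_scenarios() -> dict:
    """Replays both address plans from the thread; returns name -> outcome."""
    out = {}
    # Case A (second post): 192.168.100.0/24 must appear as the single address 10.0.0.8.
    p2_a = Phase2(Net("10.0.0.8/32"), Net("10.181.0.0/16"))
    nat_a = ManyToOne(Net("192.168.100.0/24"), IPv4("10.0.0.8"))
    host = Packet(IPv4("192.168.100.20"), IPv4("10.181.0.5"), flow=40000)
    out["a_nat_after_ipsec"] = send_to_remote(host, nat_a, p2_a, nat_before_ipsec=False)
    out["a_nat_before_ipsec"] = send_to_remote(host, nat_a, p2_a, nat_before_ipsec=True)
    reply = receive_from_remote(Packet(IPv4("10.181.0.5"), IPv4("10.0.0.8"), 40000), nat_a, p2_a)
    out["a_reply_delivered_to"] = str(reply.dst) if reply else None
    cold = receive_from_remote(Packet(IPv4("10.181.0.7"), IPv4("10.0.0.8"), 22), nat_a, p2_a)
    out["a_unsolicited_delivered_to"] = str(cold.dst) if cold else None
    try:  # a /24 behind a /32 is not a 1:1 mapping, whatever the GUI page is called
        OneToOne(Net("192.168.100.0/24"), Net("10.0.0.8/32"))
        out["a_one_to_one_accepted"] = True
    except ValueError:
        out["a_one_to_one_accepted"] = False
    # Case B (third post): one host, 10.10.1.50, presented as 192.168.1.50: a true 1:1.
    p2_b = Phase2(Net("192.168.1.50/32"), Net("192.168.10.50/32"))
    nat_b = OneToOne(Net("10.10.1.50/32"), Net("192.168.1.50/32"))
    ours = Packet(IPv4("10.10.1.50"), IPv4("192.168.10.50"), flow=1)
    out["b_nat_before_ipsec"] = send_to_remote(ours, nat_b, p2_b, nat_before_ipsec=True)
    theirs = receive_from_remote(Packet(IPv4("192.168.10.50"), IPv4("192.168.1.50"), 7), nat_b, p2_b)
    out["b_unsolicited_delivered_to"] = str(theirs.dst) if theirs else None
    return out


if __name__ == "__main__":
    for name, outcome in run_thread_scenarios().items():
        print(f"{name}: {outcome}")
```

The model only shows what the ordering has to be: with the translation applied after the selector check, 192.168.100.x traffic never matches `10.0.0.8/32` and leaves the box untunnelled, and with the /24 hidden behind one address the remote side can only ever reach the host that opened a flow. Whether a given pfSense release can actually place the NAT in front of the IPsec policy lookup is exactly what the reply above and the linked Redmine issue are about.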