    IPSec with subnet natting

      dietervh

      Hi all,

      For one of our customers we should set up a new IPSec VPN tunnel.
      The goal is simple; the configuration looks a bit confusing.

      Our subnet: 10.124.29.0/24
      Remote subnet: 10.240.0.0/12

      Till here, no problems.
      But the customer site has a policy that they cannot route a 10.124.29.0/24. They have to use a /24 in the 10.150.0.0/16 set.
      So we have been assigned 10.150.33.0/24.

      Phase II, our side:
      our subnet: 10.150.33.0/24
      remote subnet: 10.240.0.0/12

      Phase II, customer side:
      our subnet: 10.240.0.0/12
      remote subnet: 10.150.33.0/24

      We should manage to NAT the whole subnet from 10.150.33.0/24 to 10.124.29.0/24.
      Is this possible? How can this be done?
      Use Virtual IP option? And do a 1:1 and outbound nat?

      Attached : Visio PDF to clear out things.

      Regards,
      Dieter
      subnet_nat_ipsec.png

        Metu69salemi

        Maybe this can be done with virtual IPs and manual outbound NAT.

          dhatz

          Lack of NAT before IPsec is one of the known limitations of pfSense …

          Check 2009 discussion here http://freebsd.1045724.n5.nabble.com/IPSec-nat-on-enc-device-td4023490.html

            Metu69salemi

            :P Of course, I forgot this... then you must have two devices (one doing the NAT and another doing the VPN) or think of other solutions.

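An added illustration of the whole-subnet 1:1 translation the original post asks for, and of why the NAT has to happen before the IPsec policy is consulted (the limitation dhatz points to). This is example code written for this thread, not code from the posters or from pfSense; the addresses are the ones in the post, and the Phase 2 dictionaries and function names are assumptions.

```python
import ipaddress

# Addresses from the thread: the real LAN, the /24 the customer assigned,
# and the customer's remote network.
REAL_LOCAL = ipaddress.ip_network("10.124.29.0/24")
NAT_LOCAL = ipaddress.ip_network("10.150.33.0/24")
REMOTE = ipaddress.ip_network("10.240.0.0/12")

# Phase 2 selectors for both peers, as described in the post (constructed here).
OUR_P2 = {"local": NAT_LOCAL, "remote": REMOTE}
CUST_P2 = {"local": REMOTE, "remote": NAT_LOCAL}


def binat(addr, src_net, dst_net):
    """1:1 subnet translation: keep the host bits, swap the network prefix.

    This is what a whole-subnet 1:1 NAT does for every host in src_net.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs two subnets of the same size")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def phase2_mirrors(ours, theirs):
    """Both peers' Phase 2 selectors must be each other's mirror image."""
    return ours["local"] == theirs["remote"] and ours["remote"] == theirs["local"]


def tunnel_selects(src, dst, nat_before_ipsec):
    """Would our Phase 2 policy match this flow?

    With nat_before_ipsec=False the packet still carries its real 10.124.29.x
    source when the IPsec policy is checked, so it never matches the
    10.150.33.0/24 selector. That ordering is the problem the thread runs into.
    """
    src = ipaddress.ip_address(src)
    if nat_before_ipsec:
        src = binat(src, REAL_LOCAL, NAT_LOCAL)
    return src in OUR_P2["local"] and ipaddress.ip_address(dst) in OUR_P2["remote"]


if __name__ == "__main__":
    print(binat("10.124.29.7", REAL_LOCAL, NAT_LOCAL))        # 10.150.33.7
    print(phase2_mirrors(OUR_P2, CUST_P2))                     # True
    print(tunnel_selects("10.124.29.7", "10.240.5.1", True))   # True
    print(tunnel_selects("10.124.29.7", "10.240.5.1", False))  # False
```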
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.