IPSec with subnet natting



  • Hi all,

    for one of our customers we should set up a new IPSec VPN tunnel.
    The goal is simple; the configuration looks a bit confusing.

    Our subnet: 10.124.29.0/24
    Remote subnet: 10.240.0.0/12

    Up to here, no problems.
    But the customer site has a policy that they cannot route 10.124.29.0/24. They have to use a /24 from the 10.150.0.0/16 range.
    So we have been assigned 10.150.33.0/24.

    Phase II, our side:
    our subnet: 10.150.33.0/24
    remote subnet: 10.240.0.0/12

    Phase II, customer side:
    our subnet: 10.240.0.0/12
    remote subnet: 10.150.33.0/24

    We should manage to NAT the whole subnet from 10.150.33.0/24 to 10.124.29.0/24.
    Is this possible? How can this be done?
    Use the Virtual IP option, and do 1:1 and outbound NAT?

    Attached: Visio PDF to clear things up.

    Regards,
    Dieter



  • Maybe this can be done with virtual IPs and manual outbound NAT.



  • Lack of NAT before IPsec is one of the known limitations of pfSense …

    Check 2009 discussion here http://freebsd.1045724.n5.nabble.com/IPSec-nat-on-enc-device-td4023490.html



  • :P Of course, I forgot this... then you must have two devices (one doing NAT and another doing VPN) or think of other solutions.
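The two-device approach suggested above means a separate box in front of the VPN gateway does a 1:1 translation of the whole /24 (NETMAP-style: the network bits are swapped, the host bits kept), so the IPsec gateway only ever sees 10.150.33.0/24 and its Phase II selectors match what the customer configured. The following is an added example, not code from the thread or from pfSense: it models that translation with the thread's own addresses, checks that both sides' Phase II selectors mirror each other, and emits the corresponding iptables NETMAP rules for a Linux NAT box. The interface names eth0/eth1 and the use of iptables on that box are assumptions.

```python
"""1:1 subnet NAT (NETMAP) in front of an IPsec gateway.

Added example, not from the original thread or from pfSense.
Assumes a separate Linux box between the LAN and the VPN gateway
(as the last reply suggests); addresses are the thread's own.
"""
import ipaddress

# Addresses from the thread.
REAL_LAN = ipaddress.ip_network("10.124.29.0/24")       # what our hosts actually use
PRESENTED_LAN = ipaddress.ip_network("10.150.33.0/24")  # what the customer is allowed to route
REMOTE = ipaddress.ip_network("10.240.0.0/12")          # customer side


def netmap(addr, src_net, dst_net):
    """Translate one address from src_net to dst_net, keeping the host bits.

    This is exactly what a 1:1 NETMAP rule does per packet: 10.124.29.17
    becomes 10.150.33.17, and the reverse mapping is just as deterministic.
    """
    a = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs equal prefix lengths")
    if a not in src_net:
        raise ValueError(f"{a} is not in {src_net}")
    host_bits = int(a) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def phase2_mirrors(ours, theirs):
    """True when (local, remote) selectors on one side are the swapped pair on the other.

    Phase II on the gateway must use the presented net, never the real one,
    because the customer refuses to route 10.124.29.0/24.
    """
    our_local, our_remote = ours
    their_local, their_remote = theirs
    return our_local == their_remote and our_remote == their_local


def iptables_rules(real, presented, remote, lan_if="eth0", vpn_if="eth1"):
    """iptables rules for the NAT box (interface names are assumptions).

    conntrack makes the reverse translation of each connection automatic, so
    one rule per direction of initiation is enough.
    """
    return [
        # Our hosts talking towards the customer: rewrite the source net.
        f"iptables -t nat -A POSTROUTING -o {vpn_if} -s {real} -d {remote} "
        f"-j NETMAP --to {presented}",
        # Customer hosts talking to us: rewrite the destination net back.
        f"iptables -t nat -A PREROUTING -i {vpn_if} -s {remote} -d {presented} "
        f"-j NETMAP --to {real}",
    ]


if __name__ == "__main__":
    print(netmap("10.124.29.17", REAL_LAN, PRESENTED_LAN))
    print(phase2_mirrors((PRESENTED_LAN, REMOTE), (REMOTE, PRESENTED_LAN)))
    for rule in iptables_rules(REAL_LAN, PRESENTED_LAN, REMOTE):
        print(rule)
```

The IPsec gateway behind the NAT box then routes 10.150.33.0/24 towards the NAT box and uses 10.150.33.0/24 as its local Phase II subnet; nothing on the gateway needs to know about 10.124.29.0/24 at all.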

