IPsec VPN with publicly routable remote host

  • Today, our network is like this:

    ISP Router --> pfSense WAN: 209.xxx.xxx.115 LAN: --> Unmanaged Switch --> Workstations

    We are required to set up an IPsec VPN to their VPN at 208.xxx.xxx.120. Our endpoint must be 209.xxx.xxx.114 and our remote host must be 209.xxx.xxx.115 (publicly routable). The purpose is to allow access to certain intranet resources from the workstations in our office. Our ISP has allotted us 209.xxx.xxx.113/29 for public IPs.

    I have an additional pfSense device to use and need some guidance on how to configure both devices so that the VPN works and resources are available to our workstations. From my research, this cannot be done with a single pfSense, because NAT must happen before IPsec, and pfSense does not fully support this.

    I spent some time studying the pfSense book, and it seems like the thing to do is hook up the second pfSense to the OPT port on the main pfSense, assign the second pfSense a static public IP (.114), and bridge the OPT and WAN. I will set up the VPN on .114 and continue using my main gateway at .115 for NAT and firewall. Will this work? And do I need to turn on outbound NAT on the OPT interface, so that traffic originating from my workstations appears as if it was from .115 so it enters the tunnel at .114?

  • Anyone?

  • How do I get traffic from the workstations to go through the tunnel?