<![CDATA[On IPsec and NAT again - SOLVED]]>I have a site to site IPsec tunnel:

| Remote LAN  | Remote Gateway  |          | pfSense Gateway |    Local LAN   |
| 10.1.0.0/16 |   Remote  IP    | <<=== >> |    pfSense IP   | 192.168.1.0/24 |

The IPsec phase 1/2 goes well, the connection is established and the traffic flows between pfSense Gateway and Remote LAN clients (thanks to this: http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F)

Now I have the following problem: the local subnet address that I have to use in phase 2 isn't my real 192.168.1.0/24 but another one (for eg. 192.168.2.0/24 because it is imposed by remote restrictions that I can't change), so I have to translate addresses in some way.
I don't know whether this is possible or not, after reading some posts I suspect it isn't, but perhaps I'm wrong.
I tried several ways: virtual IP on LAN, firewall/NAT rules, outbound NAT rules, source NAT, but without luck :(

Some guy has an idea on how to accomplish this task? Or, is it really not possible due to pf limitations?
Do I have to change my local LAN addresses? (this will be very expensive!)

Thanks

]]>https://forum.netgate.com/topic/51597/on-ipsec-and-nat-again-solvedRSS for NodeSun, 15 Mar 2026 05:50:39 GMTThu, 03 Jan 2013 16:03:36 GMT60<![CDATA[Reply to On IPsec and NAT again - SOLVED on Fri, 04 Jan 2013 09:35:48 GMT]]>Thanks for the explanation.
For those who have the same problem, I've solved it with a workaround, for now.
I've:

  • assigned a virtual IP (192.168.2.1) on LAN interface

  • set up apposite rules on firewall/NAT section (included Manual Outbound NAT)

  • added a new address (for eg. 192.168.2.5) on the network card of internal Windows machine and a new gateway 192.168.2.1 (with a higher metric than default to not interfere with the previous state)

  • in the Windows machine set up a new permanent route to 10.1.0.0/16 net via 192.168.2.1 gateway

It works!

]]>https://forum.netgate.com/post/370819https://forum.netgate.com/post/370819Fri, 04 Jan 2013 09:35:48 GMT<![CDATA[Reply to On IPsec and NAT again - SOLVED on Fri, 04 Jan 2013 06:20:40 GMT]]>Possible in 2.1, not in any earlier versions. Usual work around is to do NAT on one box, IPsec on another. Pre-2.1, they can't both be on the same system, IPsec happens before NAT can happen.

]]>https://forum.netgate.com/post/370805https://forum.netgate.com/post/370805Fri, 04 Jan 2013 06:20:40 GMT