On IPsec and NAT again - SOLVED

  • I have a site to site IPsec tunnel:

    Remote LAN | Remote Gateway (Remote IP) <<===>> pfSense Gateway (pfSense IP) | Local LAN

    The IPsec phase 1/2 goes well, the connection is established and the traffic flows between pfSense Gateway and Remote LAN clients (thanks to this: http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F)

    Now I have the following problem: the local subnet address that I have to use in phase 2 isn't my real one but another one (e.g. because it is imposed by remote restrictions that I can't change), so I have to translate addresses in some way.
    I don't know whether this is possible or not; after reading some posts I suspect it isn't, but perhaps I'm wrong.
    I tried several ways: virtual IP on LAN, firewall/NAT rules, outbound NAT rules, source NAT, but without luck :(

    Does anyone have an idea on how to accomplish this task? Or is it really not possible due to pf limitations?
    Do I have to change my local LAN addresses? (This will be very expensive!)


  • Possible in 2.1, not in any earlier versions. The usual workaround is to do NAT on one box, IPsec on another. Pre-2.1, they can't both be on the same system: IPsec happens before NAT can happen.

  • Thanks for the explanation.
    For those who have the same problem, I've solved it with a workaround, for now.

    • assigned a virtual IP ( on the LAN interface

    • set up the appropriate rules in the firewall/NAT section (including Manual Outbound NAT)

    • added a new address (e.g. on the network card of the internal Windows machine and a new gateway (with a higher metric than the default so as not to interfere with the previous state)

    • on the Windows machine, set up a new permanent route to the net via the gateway

    It works!
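    The Windows-side part of the workaround above (secondary address on the NIC, extra gateway with a higher metric, persistent route to the remote net) as PowerShell commands. This is an added example, not the poster's own commands; the thread omits the real addresses, so the subnet, host, gateway and interface values below are placeholders to replace with your own.

    ```powershell
    # Added example with placeholder values; adjust to your environment.
    $Iface       = "Ethernet"        # NIC that faces the pfSense LAN (assumed name)
    $SecondaryIp = "10.99.0.10"      # address inside the subnet the remote side expects (placeholder)
    $PrefixLen   = 24
    $VipGateway  = "10.99.0.1"       # pfSense virtual IP on the LAN interface (placeholder)
    $RemoteNet   = "172.16.50.0/24"  # Remote LAN reachable through the IPsec tunnel (placeholder)

    # 1. Secondary address on the NIC. Windows picks the source address whose subnet
    #    contains the next hop, so traffic routed via $VipGateway leaves from $SecondaryIp.
    New-NetIPAddress -InterfaceAlias $Iface -IPAddress $SecondaryIp -PrefixLength $PrefixLen

    # 2. Extra default gateway with a high metric: it is only a fallback and does not
    #    displace the existing default route.
    New-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceAlias $Iface -NextHop $VipGateway -RouteMetric 200

    # 3. Persistent, specific route for the remote LAN via the virtual IP (a /24 beats
    #    the default route, so only tunnel-bound traffic uses the secondary address).
    New-NetRoute -DestinationPrefix $RemoteNet -InterfaceAlias $Iface -NextHop $VipGateway -RouteMetric 10

    # Check: the route must resolve to $VipGateway with $SecondaryIp as source address.
    Find-NetRoute -RemoteIPAddress "172.16.50.1" | Select-Object IPAddress, NextHop, DestinationPrefix
    ```

    Run from an elevated PowerShell; `Get-NetRoute -DestinationPrefix $RemoteNet` shows the route after a reboot, which confirms it was stored persistently.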

