Netgate Discussion Forum
    On IPsec and NAT again - SOLVED

    SuperC:

      I have a site to site IPsec tunnel:

      | Remote LAN  | Remote Gateway  |          | pfSense Gateway |    Local LAN   |
      | 10.1.0.0/16 |   Remote  IP    | <<=== >> |    pfSense IP   | 192.168.1.0/24 |

      The IPsec phase 1/2 goes well, the connection is established and the traffic flows between pfSense Gateway and Remote LAN clients (thanks to this: http://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN%3F)

      Now I have the following problem: the local subnet address that I have to use in phase 2 isn't my real 192.168.1.0/24 but another one (e.g. 192.168.2.0/24, because it is imposed by remote restrictions that I can't change), so I have to translate addresses in some way.
      I don't know whether this is possible or not; after reading some posts I suspect it isn't, but perhaps I'm wrong.
      I tried several ways: virtual IP on LAN, firewall/NAT rules, outbound NAT rules, source NAT, but without luck :(

      Does anyone have an idea of how to accomplish this task? Or is it really not possible due to pf limitations?
      Do I have to change my local LAN addresses? (This would be very expensive!)

      Thanks

      cmb:

        Possible in 2.1, not in any earlier versions. The usual workaround is to do NAT on one box and IPsec on another. Pre-2.1, they can't both be on the same system: IPsec happens before NAT can happen.

        SuperC:

          Thanks for the explanation.
          For those who have the same problem, I've solved it with a workaround, for now.
          I've:

          • assigned a virtual IP (192.168.2.1) on the LAN interface

          • set up the appropriate rules in the firewall/NAT section (including Manual Outbound NAT)

          • added a new address (e.g. 192.168.2.5) on the network card of the internal Windows machine and a new gateway 192.168.2.1 (with a higher metric than the default, so as not to interfere with the previous state)

          • on the Windows machine, set up a new permanent route to the 10.1.0.0/16 net via the 192.168.2.1 gateway

          It works!
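As an added example (not code from the thread), the Windows-side steps of this workaround as a PowerShell script, plus a check that Windows will actually use the secondary address as source toward the remote LAN, which is what makes the packet fall inside the 192.168.2.0/24 phase 2 selector on pfSense. It assumes the LAN adapter alias 'Ethernet' and a constructed remote host 10.1.0.10; 192.168.2.1 and 192.168.2.5 are the values from the post.

```powershell
# Added example, not from the forum post. Run from an elevated PowerShell.
# Assumptions: LAN adapter alias 'Ethernet'; 10.1.0.10 is a constructed
# sample host inside the remote LAN used only for the verification step.

$Nic        = 'Ethernet'        # assumed interface alias
$SecondIp   = '192.168.2.5'     # secondary address inside the phase-2 subnet
$PrefixLen  = 24
$VipGateway = '192.168.2.1'     # pfSense virtual IP on LAN (from the post)
$RemoteNet  = '10.1.0.0/16'     # remote LAN behind the IPsec tunnel
$ProbeHost  = '10.1.0.10'       # constructed host in the remote LAN

# 1. Add the secondary address on the same NIC; the existing 192.168.1.x
#    address stays in place. Skipped if it is already configured.
$have = Get-NetIPAddress -InterfaceAlias $Nic -IPAddress $SecondIp -ErrorAction SilentlyContinue
if (-not $have) {
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress $SecondIp -PrefixLength $PrefixLen | Out-Null
}

# 2. Route the remote LAN via the virtual IP. New-NetRoute writes both the
#    active and the persistent store by default, so the route survives reboots.
#    A /16 is more specific than 0.0.0.0/0, so the normal default gateway is untouched.
$route = Get-NetRoute -DestinationPrefix $RemoteNet -ErrorAction SilentlyContinue |
         Where-Object { $_.NextHop -eq $VipGateway }
if (-not $route) {
    New-NetRoute -DestinationPrefix $RemoteNet -NextHop $VipGateway -InterfaceAlias $Nic | Out-Null
}

# 3. Verify source selection: Find-NetRoute returns the NetIPAddress that
#    Windows would use as source and the NetRoute it would take.
$sel = Find-NetRoute -RemoteIPAddress $ProbeHost
$src = ($sel | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetIPAddress' }).IPAddress
$via = ($sel | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_NetRoute' }).NextHop

if ($src -like '192.168.2.*' -and $via -eq $VipGateway) {
    "OK: traffic to $RemoteNet leaves from $src via $via"
} else {
    Write-Warning "Selected source $src via $via; a 192.168.1.x source will not match the 192.168.2.0/24 phase 2 on pfSense"
}
```

If the warning branch fires, the route alone does not help: the packets reach pfSense with a source outside the phase 2 subnet and are not sent into the tunnel.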

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.