NAT site-to-site VPN



  • I have a site-to-site IPsec VPN, and it works, as long as I assign a pfsense NIC to the local subnet identified by the phase 2 configuration, and I put a laptop into that subnet to ping the remote side.  But due to a conflicting IP subnet on local vs remote, I can't use my local LAN subnet across the VPN.  I want to NAT the traffic before it goes across the VPN, so my LAN clients can use their normal network interfaces, normal IP addresses, and still reach the other side without any IP / subnet conflict.

    I go to Firewall / NAT / 1:1
    I add a mapping:

    • Interface:  IPSec

    • External subnet IP:  Same as my internal IP, but in a different subnet, as specified by the ipsec phase 2

    • Internal IP:  my internal IP

    • Destination:  the remote subnet

    • NAT reflection:  enable

    I don't see any way to confirm that the NAT is working or not.  It appears that it's not working, because when I do this, the IPSec phase 2 never comes up.  Which suggests that there is never any traffic matching the phase 2 subnet trying to get across the VPN.

    Any good ideas how to figure out why it's not working? 
    Thanks…



  • I found several threads where people are doing this via OpenVPN.  Indeed, when you create an openvpn network, you get a new virtual network adapter, ovpns1.

    I also found a thread where somebody is trying to do this with cvpn, and the answer was:  You can't.
    http://forum.pfsense.org/index.php/topic,54973.0.html
    "not possible with any version at this time, but may end up in 2.1. With all current versions, NAT has to happen on a separate system from IPsec."

    In my case, I'm trying to NAT the traffic before going across racoon ipsec.  I confirm that racoon doesn't create any virtual NIC like ovpns1 …  So unless somebody says otherwise, I'm just going to assume it's not possible and build a separate box to do the NAT.


  • LAYER 8 Global Moderator

    So I am curious: how many nodes are on each end of this site-to-site? Is changing the address scheme of one side not an option?


  • Rebel Alliance Developer Netgate

    While you can do NAT+IPsec on 2.1, I'm not sure it will solve this issue. I've done this many times with OpenVPN though. Haven't tried it with NAT+IPsec yet.

    If both sides are pfSense, just ditch IPsec and use OpenVPN instead.



  • One side of the VPN is cisco, so I can't use ovpn unfortunately.  To tell the truth, there are only about a dozen or two machines in my local private network, and a bunch of those are dhcp.  So I could have actually renumbered this side of the VPN faster than working through all the details, but part of the reason to do this work is for the sake of exercise.  So I can confidently say I know how to handle VPN'ing from site to site with conflicting subnets.  It's bound to happen again.  Plus, the subnet assigned by the company is ugly.  If I have to renumber my network, I don't want to use THAT one.  ;-)

    For the time being, I've added another NIC to pfsense, using the company assigned subnet.  And I've added IP addresses in that subnet for the small number of clients that need to access the company VPN.  And configured a static route on each of the four clients that need to access the VPN.  I figure, if I need to do anything more powerful or scalable, I'll do as suggested…  Create a new pfsense box that just does NAT from the local private network to the local company network, where there are no other machines; just pfsense vpn server talking to pfsense nat box.


  • Rebel Alliance Developer Netgate

    Doing NAT on your end is only half the problem.

    Don't forget that not only does the source conflict, the destination also conflicts. Both sides must do NAT to a unique subnet (one per side) so they can contact the far side.

    x.x.x.x at site 1 and site 2 – conflict.

    x.x.x.x NATs to y.y.y.y at site 1 -- still can't talk to x.x.x.x at site 2, because it thinks it is local, so still in conflict.

    x.x.x.x NATs to y.y.y.y at site 1, x.x.x.x NATs to z.z.z.z at site 2, then x.x.x.x can reach z.z.z.z going from 1 to 2 (it looks like y.y.y.y->z.z.z.z on the tunnel), and x.x.x.x can reach y.y.y.y.


  • LAYER 8 Global Moderator

    " If I have to renumber my network, I don't want to use THAT one.  ;-)"

    Why in the world would you do that??  You just need to use a network on your end that does not conflict with theirs.

    And as jimp clearly states - when you have conflicting networks on each side of the vpn and you cannot alter one of the networks, then you would have to nat on both sides.



  • Doing NAT on your end is only half the problem.

    Yup, I know.  If I have 192.168.1.x/24 at home, and the company tells me "172.29.183.x/24 is available, renumber your home network to use this."  Then if I choose to use NAT rather than actually renumbering, it means I won't be able to reach the company's 192.168.1.x/24 network, because my systems will think that's local traffic.  I would actually need to come up with another /24 network that I use destination-NAT to access the company's 192.168.1.x/24, and that's kind of annoying, because I want DNS to work.  But I'm ok with this solution overall, because the company's 192.168.1.x/24 network is way out there in nowhere land (Miami, while my work is in Boston, Raleigh, and Green Bay), and contains nothing that I care about today.

    Why in the world would you do that??  You just need to use a network on your end that does not conflict with theirs.

    Correct.  But since the company has a global private network full of zillions of subnets and routers, I can't just pick whatever subnet I like and expect it not to conflict.  It's all managed, so the company needs to assign which subnet they want me to use, according to their established routing rules and stuff.  They didn't actually assign me 172.29.183.x/24 (I picked those numbers randomly for the sake of talking in a public forum.)  But the one they assigned is equally unmemorable, and as far as I can tell, equally random.  Yes I can use it, but I don't like it.  ;-)


  • LAYER 8 Global Moderator

    So do they need access to all the IPs on your side, or do you need access to their side from all your IPs - curious as to the need for the site to site.  A road warrior type connection from your end might be a better idea.  They can then hand you whatever IP works on their scheme, and as long as your network doesn't overlap a segment you might need access to on their end, or you default route out the tunnel, you should be able to access whatever you need on their network.

    But if they assigned you a segment, then sure you should be able to do a nat just on your end to map the segment they gave you to your IPs.



  • I have a small number of clients (2) that need access to company internal network.  We started with the mobile VPN solution, which I agree makes the most sense.  (For a number of reasons, including I can be mobile and work while travelling).  Unfortunately, the company has a large infrastructure of site-vpn's, and no mobile vpn solution.  (It's intended just for network maintenance work, amongst the IT people.)  So there's a vpn limitation that nobody cared about before, that prevents me from working …  I can vpn in, and I can access anything directly connected to a LAN where the vpn server is.  But if I need to hop over a router in order to reach a subnet that's not locally attached to the vpn server, that requires an IOS upgrade and some licensing feature that we don't have, which means waiting for a company wide scheduled maintenance window to take down one of the routers at one of the core sites ...  All to support a feature just for me.  So the conclusion was:  I'm an IT guy.  Expert at building VPN's.  Let's just make my home office another site-vpn.  Workaround the hairpin routing problem.  Run into some other routing problems, but those are scoped and isolated to me.  Well within my control without corporate network disruption.


  • LAYER 8 Global Moderator

    Well if you have a network segment that is assigned to you, and you just don't want to use that IP range…  I don't see why you couldn't just nat it on your side.  To them your IPs just look like the ones they assigned you, you're doing the nat on your end.

    Seems like more work than just changing your IP space to match up with what they want to give you ;)

    What does it matter what your IPs are?  Does it matter if your IP is 172.16.234.14 or 192.168.1.14 or 10.0.0.14 ?  You should be able to keep your last octets the same, and just replace the network with what they gave you.

    We NAT up the yin-yang here and I hate it!!  I hate NATs! ;)  But we have so many different customers with so many different networks we have to NAT them..  My joke when troubleshooting issues here is we don't have enough NATs in the path, let's add some - that will fix it ;)  If you don't have 3+ NATs something is not right ;)

    Take the easy road dude - just change your local/home network IP range ;)


  • Rebel Alliance Developer Netgate

    I don't see why you couldn't just nat it on your side.

    See my previous post.

    If his LAN is x.x.x.x and their LAN is x.x.x.x it doesn't matter what he does on his end, he still can't talk to x.x.x.x at the corporate side because his PC will think it's on the local network segment and try to ARP for it.

    You can't have a conflict in either direction, one sided NAT doesn't help overcome the overlap.

    Take the easy road dude - just change your local/home network IP range

    Agreed. Especially if you have no control over the other network.


  • LAYER 8 Global Moderator

    ^ agreed – but that is only an issue if he has an overlap.  Let's say he uses 192.168.1.0/24 on his side and they gave him 172.16.144.0/24 to use.

    He could 1:1 NAT that to his 192.168.1.0/24 IPs -- so as long as he doesn't need to access a 192.168.1.0/24 address on their side he should be fine.

    Seems he just wants to nat because he does not like the IP space they gave him to work with ;)  As long as they don't use his ip space on their side that HE needs to get to, he should be ok with just a 1 sided nat.
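The two positions above (jimp's "both sides must NAT when both LANs overlap" and johnpoz's "one-sided NAT is fine when only the assigned range differs") can be walked through as a small address-translation model. This is an added example written for this thread, not pfSense code or anything the posters ran: `Site`, `send`, `map_1to1` and the `p2_local` field are my own names, and every range (the 172.29.183.0/24 the poster said he picked at random, plus 172.29.184.0/24, 172.16.144.0/24 and 10.0.0.0/24) is constructed. It also reproduces the first post's symptom: when the phase 2 local subnet is the translated range but no translation actually happens, nothing ever matches the selector.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class Site:
    """One end of the tunnel. All ranges used below are constructed for this example."""
    name: str
    lan: IPv4Net                        # real addressing on the wire
    nat: Optional[IPv4Net] = None       # 1:1 NAT range this site shows to the tunnel
    p2_local: Optional[IPv4Net] = None  # phase 2 "local subnet" if it differs from nat/lan

    @property
    def tunnel_net(self) -> IPv4Net:
        return self.p2_local or self.nat or self.lan


def map_1to1(addr, src_net, dst_net):
    """1:1 NAT: keep the host part, swap the network part (same prefix length)."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def send(src_site: Site, dst_site: Site, src_ip: str, dst_ip: str) -> dict:
    """Walk one packet from a host at src_site toward dst_ip and report where it ends up."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)

    # 1. Host routing decision: a destination inside the host's own LAN prefix is
    #    "on-link", so the host ARPs for it and the gateway never sees the packet.
    if dst in src_site.lan:
        return {"status": "stuck-local", "where": src_site.name}

    # 2. Outbound 1:1 NAT on the sending firewall, if configured.
    tun_src = map_1to1(src, src_site.lan, src_site.nat) if src_site.nat else src

    # 3. Phase 2 selector: local subnet <-> remote subnet. A packet that matches
    #    neither side never brings the tunnel up (the first post's symptom).
    if tun_src not in src_site.tunnel_net or dst not in dst_site.tunnel_net:
        return {"status": "no-phase2-match", "tunnel": (str(tun_src), str(dst))}

    # 4. Inbound 1:1 NAT on the receiving firewall maps the tunnel address back.
    real_dst = map_1to1(dst, dst_site.nat, dst_site.lan) if dst_site.nat else dst

    # 5. The reply: if the translated source looks like the receiver's own LAN,
    #    the reply is stuck on the far side exactly as in step 1.
    status = "reply-stuck-local" if tun_src in dst_site.lan else "delivered"
    return {"status": status, "tunnel": (str(tun_src), str(dst)), "delivered_to": str(real_dst)}


OVERLAP = ipaddress.ip_network("192.168.1.0/24")   # the conflicting LAN used on both ends


def nat_not_applied():
    """First post: P2 local subnet is 172.29.183.0/24 but no translation happens."""
    home = Site("home", OVERLAP, p2_local=ipaddress.ip_network("172.29.183.0/24"))
    corp = Site("corp", ipaddress.ip_network("10.0.0.0/24"))
    return send(home, corp, "192.168.1.10", "10.0.0.5")


def one_sided_overlap():
    """jimp's x.x.x.x -> y.y.y.y at site 1 only: site 2 is still 'local' to the host."""
    site1 = Site("site1", OVERLAP, nat=ipaddress.ip_network("172.29.183.0/24"))
    site2 = Site("site2", OVERLAP)
    return send(site1, site2, "192.168.1.10", "192.168.1.50")


def one_sided_overlap_reverse():
    """Same setup, packet from site 2 toward the translated site-1 address: the reply is what breaks."""
    site1 = Site("site1", OVERLAP, nat=ipaddress.ip_network("172.29.183.0/24"))
    site2 = Site("site2", OVERLAP)
    return send(site2, site1, "192.168.1.50", "172.29.183.10")


def two_sided_overlap():
    """jimp's y.y.y.y <-> z.z.z.z case: each side NATs to its own unique range."""
    site1 = Site("site1", OVERLAP, nat=ipaddress.ip_network("172.29.183.0/24"))
    site2 = Site("site2", OVERLAP, nat=ipaddress.ip_network("172.29.184.0/24"))
    return send(site1, site2, "192.168.1.10", "172.29.184.50")


def one_sided_no_overlap():
    """johnpoz's case: 192.168.1.0/24 mapped to the assigned 172.16.144.0/24, far side elsewhere."""
    home = Site("home", OVERLAP, nat=ipaddress.ip_network("172.16.144.0/24"))
    corp = Site("corp", ipaddress.ip_network("10.0.0.0/24"))
    return send(home, corp, "192.168.1.10", "10.0.0.5")


if __name__ == "__main__":
    for scenario in (nat_not_applied, one_sided_overlap, one_sided_overlap_reverse,
                     two_sided_overlap, one_sided_no_overlap):
        print(f"{scenario.__name__:26s} {scenario()}")
```

The model deliberately stops at the host's own "is this on-link?" decision, because that is the step no firewall configuration can fix: once a host believes the destination is in its own prefix, the packet never reaches the gateway, which is why only two-sided NAT (or renumbering) clears a true overlap, while a one-sided 1:1 mapping is enough when the only "problem" is an unwanted assigned range.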



  • The main reason I don't want to change my IP range at home is because I am a geek.  I have about a dozen or two devices (depending on what you count.)  About half of them are dhcp, while the other half are servers.  I have two windows AD domains, a virtualization infrastructure, redundant dns servers and dhcp servers, I serve an openvpn mobile vpn server for when I'm on the road and want to VPN into my house.  I have site-vpn's with other companies, where I would need to reconfigure both my pfsense, and also other companies' firewalls in order to accommodate the IP change, etc blah, etc blah.

    I estimate renumbering my home to be around 1 day of work.  I am, in and of myself, a small company.

    In any event, I think this thread is done.  The conclusions are:

    • At present in 2.0.5, pfsense can't do NAT before IPSec vpn, but it can for ovpn, and it might be able to do NAT before ipsec when 2.1 gets released

    • If I need to do the NAT before VPN at present, I can daisy chain two pfsense firewalls.  Let one handle the VPN, let the other handle NAT

    • I was actually able to work around it, by adding a NIC to pfsense.  Assign an IP on a subnet that doesn't overlap my internal LAN, and put both subnets onto the same wire.  (would have been even better, if I had a separate LAN or vlan).  So I don't VPN directly from the LAN to the remote side - any internal machines at my end that need the VPN shall have a second IP address in the second subnet, and a static route to reach the VPN via this second subnet.  I'm currently using this solution, it works.

    Thanks everyone for your help and suggestions and ideas.

