NAT OpenVPN Traffic Before IPSec

  • Hello Everyone,

I am a pleased customer of pfSense. It does all the magic I don't need to worry about until this problem occurred:

    Consider this scenario:

    Main LAN Subnet:
    IPSec Tunnels: and two more.
    OpenVPN Client Subnet:

I need to NAT OpenVPN traffic to before passing through IPSec; however, only for traffic that targets IPSec networks.

    For instance will not NAT as but will NAT as

I remember doing this with Endian firewall, but it seems that it's a lot more complicated to do so with pfSense.

    I already pushed the routes to OpenVPN to the IPSec networks, only NAT remains.

    I tried playing around with Manual Outbound NAT but I don't know how to configure it properly and it seems that whenever I turn off Automatic Outbound NAT the IPSec traffic stops working.

    Can anyone help me on this?

    Thank You,
    Paul Csiki.

  • I have created manual NAT rules but they just won't work. OpenVPN traffic doesn't get translated to the subnet I pick.

My rule is:

    Interface: OpenVPN
    Source Port: *
    Destination Port: *
    Translate To:
    NAT Port: *
    Static: NO

    But when I capture traffic on the OpenVPN interface I still see the OpenVPN IPs:

    09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514) > Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
    09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40) > Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0

    Am I doing something wrong?

  • Rebel Alliance Developer Netgate

    NAT+IPsec won't work together in that way.

    Even on 2.1 where you can do NAT+IPsec in the Phase 2 settings, I'm not sure you can cover that exact scenario.

    Why not just add another Phase 2 to the IPsec tunnel to cover the OpenVPN subnet? That would be the simplest solution, if the other side will let you.

  • Hello,

    Thank you for your reply. The other side will not permit another P2 tunnel. I have created a second OpenVPN server that lies under the same subnet used by the existing P2 tunnel of IPSec and it seems to be working this way.