NAT OpenVPN Traffic Before IPSec



  • Hello Everyone,

    I am a pleased customer of pfSense. It does all the magic I don't need to worry about until this problem occurred:

    Consider this scenario:

    Main LAN Subnet: 192.168.180.0/24
    IPSec Tunnels: 129.10.3.0/24 and two more.
    OpenVPN Client Subnet: 10.0.0.0/24

    I need to NAT OpenVPN traffic to 192.168.180.0/24 before it passes through IPSec, but only for traffic that targets IPSec networks.

    For instance, 192.168.180.0/24 will not NAT as 192.168.180.0/24, but 129.10.3.0/24 will NAT as 192.168.180.0/24.

    I remember doing this with Endian firewall, but it seems it's a lot more complicated to do with pfSense.

    I have already pushed the routes to the IPSec networks to OpenVPN; only NAT remains.

    I tried playing around with Manual Outbound NAT, but I don't know how to configure it properly, and it seems that whenever I turn off Automatic Outbound NAT, the IPSec traffic stops working.

    Can anyone help me on this?

    Thank You,
    Paul Csiki.



  • I have created manual NAT rules but they just won't work. OpenVPN traffic doesn't get translated to the subnet I pick.

    My rule is:

    Interface: OpenVPN
    Source: 10.0.0.0/24
    Source Port: *
    Destination: 192.168.180.0/24
    Destination Port: *
    Translate To: 192.168.180.0/24
    NAT Port: *
    Static: NO

    But when I capture traffic on the OpenVPN interface I still see the OpenVPN IPs:

    09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514)
        10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
    09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.180.1.443 > 10.0.0.26.1501: Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0
    

    Am I doing something wrong?
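    As an added illustration (not the poster's or pfSense's own code), the following models how an outbound NAT rule is matched: pfSense evaluates outbound NAT on the interface the packet leaves through, and a rule applies only when interface, source and destination all match. Run against the subnets from the thread, it shows that the posted rule (attached to OpenVPN, destination = the LAN) never applies to the captured 10.0.0.26 -> 192.168.180.1 flow, which exits via LAN, while a rule for the stated goal would have to sit on the IPsec interface with the IPsec network as destination. The interface names, the routing table and the fixed host-offset translation are assumptions made for the model; whether pfSense actually applies outbound NAT to IPsec-bound traffic is a separate matter addressed in the replies.

    ```python
    import ipaddress
    from dataclasses import dataclass


    @dataclass(frozen=True)
    class OutboundNatRule:
        """One outbound NAT rule, modelled on the fields shown in the post."""
        interface: str       # egress interface the rule is attached to
        source: str          # source network (CIDR)
        destination: str     # destination network (CIDR)
        translate_to: str    # translation pool (CIDR)


    # Networks from the thread; interface names are assumed for the model.
    LAN, OVPN, IPSEC_REMOTE = "192.168.180.0/24", "10.0.0.0/24", "129.10.3.0/24"
    ROUTES = {LAN: "LAN", IPSEC_REMOTE: "IPsec", OVPN: "OpenVPN"}  # dst net -> egress iface


    def egress_interface(dst: str) -> str:
        """Look the destination up in the constructed routing table."""
        addr = ipaddress.ip_address(dst)
        for net, iface in ROUTES.items():
            if addr in ipaddress.ip_network(net):
                return iface
        return "WAN"


    def translate(src: str, pool: str) -> str:
        """Keep the host part within the /24 pool (simplification: pfSense
        chooses pool addresses differently, but the matching logic is the point)."""
        host = int(ipaddress.ip_address(src)) & 0xFF
        return str(ipaddress.ip_network(pool).network_address + host)


    def apply_outbound_nat(rules, src: str, dst: str) -> str:
        """Return the source address seen after outbound NAT: the first rule on the
        egress interface whose source and destination both match wins."""
        iface = egress_interface(dst)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in rules:
            if (r.interface == iface and s in ipaddress.ip_network(r.source)
                    and d in ipaddress.ip_network(r.destination)):
                return translate(src, r.translate_to)
        return src  # no matching rule: packet leaves with its original source


    # Rule as posted: attached to the OpenVPN interface, destination = the LAN.
    POSTED = [OutboundNatRule("OpenVPN", OVPN, LAN, LAN)]
    # Rule for the stated goal: NAT only IPsec-bound OpenVPN traffic, on the
    # interface that traffic actually leaves through.
    INTENDED = [OutboundNatRule("IPsec", OVPN, IPSEC_REMOTE, LAN)]

    if __name__ == "__main__":
        for name, rules in (("posted", POSTED), ("intended", INTENDED)):
            for dst in ("192.168.180.1", "129.10.3.10"):
                print(f"{name}: 10.0.0.26 -> {dst} leaves as",
                      apply_outbound_nat(rules, "10.0.0.26", dst))
    ```

    Note that a capture taken on the OpenVPN interface shows the packet before it reaches the egress interface, so it would show 10.0.0.26 as the source under either rule set.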


  • Rebel Alliance Developer Netgate

    NAT+IPsec won't work together in that way.

    Even on 2.1 where you can do NAT+IPsec in the Phase 2 settings, I'm not sure you can cover that exact scenario.

    Why not just add another Phase 2 to the IPsec tunnel to cover the OpenVPN subnet? That would be the simplest solution, if the other side will let you.



  • Hello,

    Thank you for your reply. The other side will not permit another P2 tunnel. I have created a second OpenVPN server that lies within the same subnet used by the existing IPSec P2 tunnel, and it seems to be working this way.


Locked