NAT OpenVPN Traffic Before IPSec
I am a pleased customer of pfSense. It does all the magic I don't need to worry about, until this problem occurred:
Consider this scenario:
Main LAN Subnet: 192.168.180.0/24
IPSec Tunnels: 126.96.36.199/24 and two more.
OpenVPN Client Subnet: 10.0.0.0/24
I need to NAT OpenVPN traffic to 192.168.180.0/24 before passing through IPSec, but only for traffic that targets IPSec networks.
For instance 192.168.180.0/24 will not NAT as 192.168.180.0/24 but 188.8.131.52/24 will NAT as 192.168.180.0/24.
I remember doing this with Endian firewall but it seems that's a lot more complicated to do so with PFSense.
I already pushed the routes to OpenVPN to the IPSec networks, only NAT remains.
I tried playing around with Manual Outbound NAT but I don't know how to configure it properly and it seems that whenever I turn off Automatic Outbound NAT the IPSec traffic stops working.
Can anyone help me on this?
I have created manual NAT rules but they just won't work. OpenVPN traffic doesn't get translated to the subnet I pick.
My rule is:
Source Port: *
Destination Port: *
Translate To: 192.168.180.0/24
NAT Port: *
But when I capture traffic on the OpenVPN interface I still see the OpenVPN IPs:
09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514) 10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40) 192.168.180.1.443 > 10.0.0.26.1501: Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0
Am I doing something wrong?
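A small checker for captures like the one above, added here as an example (not from the post or from pfSense): it parses tcpdump lines, uses the subnets named in the thread (126.96.36.199/24 and 188.8.131.52/24 are assumed to be the IPsec remote networks), and reports whether OpenVPN-sourced packets bound for an IPsec network still carry their 10.0.0.0/24 source address. The third sample packet is constructed to show the IPsec-bound case.

```python
import ipaddress
import re

# Subnets as given in the thread; the IPsec networks are assumed from the post.
OPENVPN_NET = ipaddress.ip_network("10.0.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.180.0/24")
IPSEC_NETS = [
    ipaddress.ip_network("126.96.36.199/24", strict=False),
    ipaddress.ip_network("188.8.131.52/24", strict=False),
]

# Matches the "src.port > dst.port:" part of a tcpdump -v IPv4 line.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(line):
    """Return (src, dst, verdict) for one tcpdump line, or None if no IPv4 flow is found."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    to_ipsec = any(dst in net for net in IPSEC_NETS)
    if src in OPENVPN_NET and to_ipsec:
        verdict = "ipsec-bound: NOT translated"      # the case the NAT rule should cover
    elif src in OPENVPN_NET:
        verdict = "not ipsec-bound: no NAT expected"  # LAN-bound traffic keeps its address
    elif src in LAN_NET and to_ipsec:
        verdict = "ipsec-bound: translated (or native LAN host)"
    else:
        verdict = "other"
    return str(src), str(dst), verdict

def check_capture(lines):
    """Classify every line that carries an IPv4 flow."""
    return [r for r in (classify(l) for l in lines) if r is not None]

# Constructed sample: the two packets from the post plus one constructed packet
# aimed at an IPsec network.
SAMPLE = [
    "09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514) 10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], length 474",
    "09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40) 192.168.180.1.443 > 10.0.0.26.1501: Flags [.], length 0",
    "09:35:26.000000 IP (tos 0x0, ttl 128, id 780, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.26.1502 > 126.96.36.10.22: Flags [S], length 0",
]

if __name__ == "__main__":
    for src, dst, verdict in check_capture(SAMPLE):
        print(f"{src:>16} -> {dst:<16} {verdict}")
```

Outbound NAT is applied on the interface the traffic leaves through, so a capture on the OpenVPN interface shows pre-translation source addresses regardless of how the rule is written; the IPsec side is where a translated address would appear.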
NAT+IPsec won't work together in that way.
Even on 2.1 where you can do NAT+IPsec in the Phase 2 settings, I'm not sure you can cover that exact scenario.
Why not just add another Phase 2 to the IPsec tunnel to cover the OpenVPN subnet? That would be the simplest solution, if the other side will let you.
Thank you for your reply. The other side will not permit another P2 tunnel. I have created a second OpenVPN server that lies under the same subnet used by the existing P2 tunnel of IPSec and it seems to be working this way.