NAT OpenVPN Traffic Before IPSec
-
Hello Everyone,
I am a pleased customer of pfSense. It does all the magic I don't need to worry about until this problem occurred:
Consider this scenario:
Main LAN Subnet: 192.168.180.0/24
IPSec Tunnels: 129.10.3.0/24 and two more.
OpenVPN Client Subnet: 10.0.0.0/24
I need to NAT OpenVPN traffic to 192.168.180.0/24 before passing through IPSec, however only for traffic that targets the IPSec networks.
For instance 192.168.180.0/24 will not NAT as 192.168.180.0/24 but 129.10.3.0/24 will NAT as 192.168.180.0/24.
I remember doing this with Endian firewall but it seems that's a lot more complicated to do so with pfSense.
I already pushed the routes to OpenVPN to the IPSec networks, only NAT remains.
I tried playing around with Manual Outbound NAT but I don't know how to configure it properly and it seems that whenever I turn off Automatic Outbound NAT the IPSec traffic stops working.
Can anyone help me on this?
Thank You,
Paul Csiki.
-
I have created manual NAT rules but they just won't work. OpenVPN traffic doesn't get translated to the subnet I pick.
My rule is:
Interface: OpenVPN
Source: 10.0.0.0/24
Source Port: *
Destination: 192.168.180.0/24
Destination Port: *
Translate To: 192.168.180.0/24
NAT Port: *
Static: NO
But when I capture traffic on the OpenVPN interface I still see the OpenVPN IPs:
09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514) 10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40) 192.168.180.1.443 > 10.0.0.26.1501: Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0
Am I doing something wrong?
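As an added illustration (not part of the original posts and not pfSense code), the script below models the translation policy stated in the first post, namely source-NAT OpenVPN clients into 192.168.180.0/24 only when the destination is an IPsec remote network, and runs it over a small capture to flag packets that should have been translated but still carry a 10.0.0.x source. The capture is constructed: the two tcpdump lines quoted above, abridged, plus one constructed packet towards 129.10.3.0/24; the netmask-style host-preserving translation is an assumption about what "Translate To: 192.168.180.0/24" is meant to do.

```python
import ipaddress
import re

# Policy from the thread: OpenVPN clients are source-NATed into the LAN range
# only for destinations behind IPsec; traffic to the LAN itself is not NATed.
OPENVPN_NET = ipaddress.ip_network("10.0.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.180.0/24")
IPSEC_NETS = [ipaddress.ip_network("129.10.3.0/24")]  # only the one named in the thread


def translate_source(src, dst):
    """Return the source address the packet should carry after outbound NAT.

    Translating to a whole network is modelled netmask-style (an assumption):
    the network bits become 192.168.180.0 and the host bits are preserved.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in OPENVPN_NET or not any(dst in net for net in IPSEC_NETS):
        return str(src)  # not an OpenVPN client, or destination not behind IPsec
    host_bits = int(src) & int(LAN_NET.hostmask)
    return str(ipaddress.ip_address(int(LAN_NET.network_address) | host_bits))


# Matches the "src.port > dst.port:" part of a `tcpdump -n` line.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def untranslated_flows(capture):
    """Return (src, dst) pairs whose source the policy says should have been
    translated but which still show the original OpenVPN client address."""
    leaks = []
    for line in capture.splitlines():
        match = FLOW_RE.search(line)
        if not match:
            continue
        src, dst = match.group(1), match.group(3)
        if translate_source(src, dst) != src:
            leaks.append((src, dst))
    return leaks


# Constructed sample: the thread's two packets (abridged) plus one to the IPsec network.
SAMPLE_CAPTURE = """\
09:35:25.334625 IP (tos 0x0, ttl 128, id 779, proto TCP (6), length 514) 10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], length 474
09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, proto TCP (6), length 40) 192.168.180.1.443 > 10.0.0.26.1501: Flags [.], length 0
09:35:26.000000 IP (tos 0x0, ttl 128, id 780, proto TCP (6), length 60) 10.0.0.26.1502 > 129.10.3.10.22: Flags [S], length 0
"""

if __name__ == "__main__":
    print(untranslated_flows(SAMPLE_CAPTURE))  # [('10.0.0.26', '129.10.3.10')]
```

The two packets quoted in the post go to 192.168.180.1, i.e. the LAN, so under the stated policy they would not be translated anyway; only the constructed IPsec-bound packet is reported.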
-
NAT+IPsec won't work together in that way.
Even on 2.1 where you can do NAT+IPsec in the Phase 2 settings, I'm not sure you can cover that exact scenario.
Why not just add another Phase 2 to the IPsec tunnel to cover the OpenVPN subnet? That would be the simplest solution, if the other side will let you.
-
Hello,
Thank you for your reply. The other side will not permit another P2 tunnel. I have created a second OpenVPN server that lies under the same subnet used by the existing P2 tunnel of IPSec and it seems to be working this way.