NAT on IPSec tunnel
-
Could we have an option to write the IPSec NAT rule ourselves?
I need to replace a setup where my local tunnel net is a /24 but I need to do NAT behind a /32 IP from that net.
To test if NAT on IPSec is working at all, I set up a test environment:
192.168.124.0/24 is the local tunnel net, 172.16.0.0/12 is the other side. 192.168.102.0/24 is the real LAN.
I have set up my remote device to use those nets.
On my local pfSense, choosing 192.168.124.1 as the NAT address, the IPSec tunnel is built between 192.168.124.1/32 and 172.16.0.0/12. My test remote gateway will accept this, but the real-life setup I need to replace is not that flexible.
When choosing 192.168.124.0/24, the IPSec tunnel is correctly built between 192.168.124.0/24 and 172.16.0.0/12. But an automatic BINAT rule is created that NATs the whole net:
binat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.0/24
I just need a rule like this:
nat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.1
How would I get that?
While testing I also found 2 bugs:
If you define the LAN as 192.168.102.0/23, then the following rule is auto-created and the ruleset won't load:
binat on enc0 from 192.168.102.0/23 to 172.16.0.0/12 -> 192.168.124.0/24
When disabling Phase 1 & 2, the automatic NAT rule for enc0 is not deleted; this might cause problems for some people:
nat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.0/24
just stays there.
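For reference, the three rule forms mentioned in this post side by side, as an added pf.conf illustration that is not from the original post and not pfSense's generated ruleset. The interface name enc0 and the addresses are the ones quoted above; the parse and inspection commands assume shell access to the firewall and use a placeholder path for the candidate ruleset:

```pf
# Added illustration, not pfSense-generated. Interface and addresses as in the post above.

# 1) What pfSense auto-generates for a /24 local net: a bidirectional 1:1
#    mapping of the whole LAN onto the whole tunnel net. binat requires both
#    sides to have the same prefix length, so every LAN host gets a fixed
#    tunnel address (192.168.102.5 <-> 192.168.124.5, and so on).
binat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.0/24

# 2) The rule the poster wants: many-to-one source NAT, so every LAN host
#    leaves the tunnel as 192.168.124.1 while Phase 2 can still negotiate
#    192.168.124.0/24. Return traffic is matched by the state entry, so no
#    reverse (binat) mapping is required.
nat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.1

# 3) The /23 case from the post: a /23 cannot be mapped 1:1 onto a /24, so
#    pf rejects this binat line and the whole ruleset fails to load.
# binat on enc0 from 192.168.102.0/23 to 172.16.0.0/12 -> 192.168.124.0/24

# Parse a candidate ruleset without loading it (placeholder path), then list
# the NAT rules that are actually active on enc0.
#   pfctl -nf /path/to/candidate-rules.conf
#   pfctl -sn | grep enc0
```

The parse-only run (`pfctl -n`) is the quickest way to confirm whether a hand-written rule such as (2) is syntactically acceptable before it is loaded, and the `pfctl -sn` listing is how to verify the second bug in the post: after disabling Phase 1 and 2, the enc0 NAT rule should no longer appear in that output.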
-
Normally set up as local net 192.168.0/24, NAT 192.168.124.1 and remote 172.16.0.0/12.
It should generate the NAT rule you want like that.
-
Hi Ermal,
Thanks for looking into this. The problem is that the other side expects the tunnel to be built with 192.168.124.0/24. When I put 192.168.124.1 there, the tunnel is built between 192.168.124.1/32 and 172.16.0.0/12. While my test setup - which has defined 192.168.124.0/24 for my side of the tunnel - has no problem doing this, the real setup does not seem to accept 192.168.124.1/32 instead of 192.168.124.0/24 for my side of the tunnel…
Could I put 192.168.124.1/24 as the NAT address? Would that build a tunnel with 192.168.124.0/24 and create a NAT rule with just 192.168.124.1/32?
-
No it does not work that way.
What you are trying to do is something not possible in pfSense. Usually some firewalls have an option to NAT before the IPSec VPN, which is not supported by pfSense.
You either NAT the whole thing or not.