Netgate Discussion Forum
    NAT on IPSec tunnel

    2.1 Snapshot Feedback and Problems - RETIRED
    4 Posts 2 Posters 1.9k Views

    athurdent

      Could we have an option to write the IPSec NAT rule ourselves?
      I need to replace a setup where my local tunnel net is a /24 but I need to do NAT behind a /32 IP from that net.
      To test if NAT on IPSec is working at all, I set up a test environment:
      192.168.124.0/24 is the local tunnel net, 172.16.0.0/12 is the other side. 192.168.102.0/24 is the real LAN.
      I have set up my remote device to use those nets.
      On my local pfSense, choosing 192.168.124.1 as NAT address, the IPSec tunnel is built between 192.168.124.1/32 and 172.16.0.0/12. My test remote gateway will accept this, but the real-life setup I need to replace is not that flexible.
      When choosing 192.168.124.0/24, the IPSec tunnel is correctly built between 192.168.124.0/24 and 172.16.0.0/12. But an automatic BINAT rule is created that NATs the whole net:

      binat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.0/24

      I just need a rule like this:

      nat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.1

      How would I get that?

      While testing I also found 2 bugs:

      If you define the LAN as 192.168.102.0/23 then the following rule is auto-created and the ruleset won't load:

      binat on enc0 from 192.168.102.0/23 to 172.16.0.0/12 -> 192.168.124.0/24

      When disabling Phase 1 & 2, the automatic NAT rule for enc0 is not deleted; this might cause problems for some people:

      nat on enc0 from 192.168.102.0/24 to 172.16.0.0/12 -> 192.168.124.0/24

      just stays there.


    eri--

        Normally set up as local net 192.168.0/24, NAT 192.168.124.1 and remote 172.16.0.0/12.

        It should generate the nat rule you want like that.


    athurdent

          Hi Ermal,
          thanks for looking into this. The problem is that the other side expects the tunnel to be built with 192.168.124.0/24. When I put 192.168.124.1 there, the tunnel is built between 192.168.124.1/32 and 172.16.0.0/12. While my test setup - which has defined 192.168.124.0/24 for my side of the tunnel - has no problem doing this, the real setup does not seem to accept 192.168.124.1/32 instead of 192.168.124.0/24 for my side of the tunnel…
          Could I put 192.168.124.1/24 as NAT address? Would that build a tunnel with 192.168.124.0/24 and create a NAT rule with just 192.168.124.1/32?


    eri--

            No it does not work that way.
            What you are trying to do is something not possible in pfSense.

            Usually some firewalls have an option to NAT before IPSec VPN, which is not supported by pfSense.

            You either NAT or not the whole thing.

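The distinction the thread turns on (a single NAT address yields a many-to-one `nat` rule, a NAT network yields a one-to-one `binat` rule that pf only loads when both blocks are the same size) can be modelled with a small checker. This is an added example written for this thread, not pfSense's rule generator; the function names, the tuple layout of `ipsec_nat_ruleset` and the sample values are assumptions.

```python
from ipaddress import IPv4Network

# Hypothetical helper, not pfSense code. It reproduces the pf rules quoted
# in the posts: a /32 NAT target gives "nat" (many-to-one), a larger network
# gives "binat" (one-to-one), and binat requires equal-size blocks, which is
# why the /23 LAN mapped onto a /24 tunnel net makes the ruleset fail to load.

def ipsec_nat_rule(lan: str, remote: str, nat_target: str, iface: str = "enc0") -> str:
    lan_net = IPv4Network(lan)          # strict parse: host bits set is a config error
    remote_net = IPv4Network(remote)
    target = IPv4Network(nat_target)    # a bare address such as 192.168.124.1 parses as /32
    if target.prefixlen == 32:
        return f"nat on {iface} from {lan_net} to {remote_net} -> {target.network_address}"
    if target.prefixlen != lan_net.prefixlen:
        raise ValueError(
            f"binat needs equal-size blocks: {lan_net} is /{lan_net.prefixlen} "
            f"but {target} is /{target.prefixlen}; the ruleset would not load")
    return f"binat on {iface} from {lan_net} to {remote_net} -> {target}"


def rule_loads(lan: str, remote: str, nat_target: str) -> bool:
    """True if the generated rule is one pf would accept."""
    try:
        ipsec_nat_rule(lan, remote, nat_target)
        return True
    except ValueError:
        return False


def ipsec_nat_ruleset(tunnels) -> list:
    """Rules for (lan, remote, nat_target, enabled) tuples.
    A disabled tunnel contributes no rule, which is the behaviour the
    thread expects but reports the 2.1 snapshot did not implement."""
    return [ipsec_nat_rule(lan, remote, nat) for lan, remote, nat, enabled in tunnels if enabled]


if __name__ == "__main__":
    # Constructed values taken from the thread.
    print(ipsec_nat_rule("192.168.102.0/24", "172.16.0.0/12", "192.168.124.1"))
    print(ipsec_nat_rule("192.168.102.0/24", "172.16.0.0/12", "192.168.124.0/24"))
    print("/23 LAN onto /24 loads:", rule_loads("192.168.102.0/23", "172.16.0.0/12", "192.168.124.0/24"))
    # 192.168.124.1/24 is neither a host nor a network: rejected at parse time.
    print("192.168.124.1/24 loads:", rule_loads("192.168.102.0/24", "172.16.0.0/12", "192.168.124.1/24"))
```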
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.