Help with NAT+IPsec on 2.1

  • Hi all, I have a problem with NAT before IpSec… using 2.1.
    I'm trying to NAT to a single address, but if i tcpdump on enc0 I see the packet coming from not-natted address. Maybe I have to define the NAT address in Virtual IPs or something else that i forgot?

    The tunnel goes UP correctly but there is something in phase2/nat that doesnt work like expected.

    I try to explain scenario:
    My pfSense box: (CARP ADDRESS)

    192.168.72.x -> pfSense2.1-with-tunnel-ipsec -> nat to -> send throught tunnel -> reach network 192.168.33.x

    The remote endpoint only accept packets from

    If I use tcpdump, i see that address is not translated like this:
    --> 08:29:35.981852 (authentic,confidential): SPI 0x0d5e5937: IP > ICMP echo request, id 1874, seq 1, length 64

    If I look on nat table I see the correct rule:
    --> nat on enc0 inet from to ->

    Last info... I'm using CARP in LAN and in WAN interfaces

    Any ideas?

  • –UPDATE--

    Ok, the configuration is correct and now is working correctly.

    The only thing that's is fuorviating is the tcpdump result. The remote endpoint see the correct natted ip, but tcpdump on enc0 shows the not-natted ip.

  • Hi, can you say me how it's your configuration?

    I'm having some troubles.
    I have a IPsec VPN working correctly, now i've to create two IPsec VPN with outbound NAT, but it doesn't work. I'm going mad!

    My configuration is:

    Pfsense 2.1 with public IP on WAN interface

    LAN interface with that I've to nat with network

    I've tryed to put this network in the phase 2 configuration and in the outbound NAT rules, but I alway get the same error in phase2 Can you please help me?

  • I also put as the IP alias on the LAN's firewall IP

  • dottorkame

    I did the same, without success…

    Unfortunately I need to solve my problem (for while) with a linux box making a NAT before the pfSense LAN interface.
    So, I'll try a new installation of pfSense, in a new test enviroment.

    and (everybody) sorry for posting the same subject in another post, only after read more carefully i saw the problem is common to many others.


  • Hi all, my enviroment is a little different. In my conf I nat to a single address. Is a "one-way" configuration.

    I never tested the configuration with the bi-nat. (nat of entire network)

    I confirm that works fine, with nat on single addres, and a fortinet gateway on the other side.
    I add that works fine with 2 phase2, with different source networks. This is needed to grant access also from openvpn roaming users.

    Can I help you little more if you send the real configuration and the log with racoon in debug mode.



Log in to reply