Ipsec with NAT



  • Hi Everybody,

    I have a pfSense server with 2 IPsec VPNs working fine.
    But for the last few days I've been in trouble, because the third VPN doesn't work; correction: it works with no NAT.
    When I try Outbound NAT or 1:1 NAT, IPsec doesn't create the tunnels.
    And reading some topics I saw "pfSense 2.1 with NAT before IPsec".
    Don't the versions before this do NAT? Doesn't version 2.0.3 do NAT?

    My pfSense version is: 2.0.3-RELEASE (i386)

    Thanks a Lot.

    Jeff



  • Hi,
    I updated my pfSense to version 2.1.
    But the problem persists.
    The LAN IP is 192.168.a.b/24
    and the IPsec tunnels are:
    10.x.y.z/27 -> 200.x.y.0/24
    10.x.y.z/27 -> 200.x.z.0/24
    10.x.y.z/27 -> 177.x.y.0/24
    10.x.y.z/27 -> 177.x.z.0/24

    So, the host 192.168.a.b/32 needs to be NATed to 10.x.y.z/32 to reach the host (any) at 200.x.y.z/32.
    If I put the address 10.x.y.z/255.255.255.224 on the interface of the workstation, it works fine (phase 1 and phase 2, and I can access the remote host).

    But accessing from 192.168.a.b/32 doesn't.

    I've created NAT like this:
    source 192.168.a.b/24, dest 200.x.y.0/24, interface IPsec, translation 10.x.y.65 (virtual IP, from the 10.x.y.z/27)
    and
    source 192.168.a.b/24, dest 200.x.y.0/24, interface LAN, translation 10.x.y.65 (virtual IP, from the 10.x.y.z/27)
    Of course, I put the IP 10.x.y.65 in the routing as a gateway.

    With this NAT config the tunnel doesn't start.

    Does someone have a tip, or can see what is wrong?
    I think there is an error in the config, but I can't see how to do the NAT on the LAN interface before IPsec…

    I hope you understand my explanation.

    Thanks a lot



  • I have a similar problem.
    My LAN subnet is 10.20.30.0/24
    gateway is: pfSense 2.1-RELEASE
    local gateway IP is: 10.20.30.40
    remote IPsec gateway IP is: 216.200.x.1

    I had already configured the IPsec tunnel, phase 1: WAN <-> 216.200.x.1
    phase 2: 10.20.30.40 <-> 216.200.x.5
    Status is up.
    But I can't ping 216.200.x.5. Traceroute shows the traffic going through my WAN (Internet), but not through the IPsec tunnel. I tried a lot of configuration options, but the result is bad.

    1. What is my mistake?
    2. How can I access 216.200.x.5 from a local IP, e.g. 10.20.30.2?

    Please help me!



  • dimmon,

    It looks like your remote gateway and remote LAN are on the same network (i.e. 216.200.x.0/24).
    Another strange thing is that the remote host you want to connect to is a public IP (216.200.x.5), which you could connect to directly without IPsec.

    I think your setup should be something like this:

      local_lan      <-->  local_gw     pfsense  local_public_ip  <-->  remote_public_ip  remote_router  remote_gw  <-->  remote_lan
      10.20.30.0/24        10.20.30.40           ?.?.?.?                216.200.x.1                      x.x.x.x          x.x.x.0/24

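Both problems in this thread come down to the same rule: traffic only triggers and enters an IPsec tunnel when its (source, destination) pair, as seen after any NAT that is applied before IPsec, falls inside a phase-2 selector; otherwise it is simply routed out the WAN, which is what dimmon's traceroute showed. The Python model below is an added illustration, not code from the thread or from pfSense, and it uses constructed placeholder addresses (RFC 5737 ranges and made-up private ranges) in place of the masked "x.y.z" values in the posts. It shows Jeff's case (LAN 192.168.a.b/24 outside the 10.x.y.z/27 selector, fixed by many-to-one NAT to 10.x.y.65 or by 1:1 BINAT of a /27-sized LAN slice) and dimmon's case (a phase 2 whose local side is the single host 10.20.30.40, so 10.20.30.2 never matches).

```python
"""Model of phase-2 selector matching with NAT applied before IPsec.

Added example, not from the thread or from pfSense. All addresses are
constructed stand-ins for the masked values in the posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One phase-2 entry: traffic is tunnelled only if src is inside `local`
    AND dst is inside `remote`."""
    local: Net
    remote: Net

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.local and dst in self.remote


@dataclass(frozen=True)
class NatRule:
    """Source translation evaluated before the phase-2 lookup.

    translate_to as a /32: many-to-one NAT (what Jeff tried with 10.x.y.65).
    translate_to as a wider prefix: 1:1 BINAT keeping the host offset, which
    only works when the original and translated networks are the same size."""
    src: Net
    dst: Net
    translate_to: Net

    def apply(self, s: IPv4, d: IPv4) -> IPv4:
        if s not in self.src or d not in self.dst:
            return s  # rule does not apply; source stays as-is
        if self.translate_to.num_addresses == 1:
            return self.translate_to.network_address
        if self.translate_to.prefixlen != self.src.prefixlen:
            raise ValueError("1:1 BINAT needs equal-size networks")
        offset = int(s) - int(self.src.network_address)
        return IPv4(int(self.translate_to.network_address) + offset)


def classify(src: str, dst: str, phase2s: Iterable[Phase2],
             nat_rules: Iterable[NatRule] = ()) -> Tuple[str, str]:
    """Return (path, source_as_seen_by_ipsec): 'ipsec' if a phase-2 selector
    matches after pre-IPsec NAT, else 'wan' (plain routing, no SA triggered)."""
    s, d = IPv4(src), IPv4(dst)
    for rule in nat_rules:
        s = rule.apply(s, d)
    for p2 in phase2s:
        if p2.matches(s, d):
            return "ipsec", str(s)
    return "wan", str(s)


# --- Jeff's setup (placeholders: 10.9.9.64/27 for 10.x.y.z/27, 203.0.113.0/24 for 200.x.y.0/24)
JEFF_LAN = Net("192.168.1.0/24")
JEFF_P2 = [Phase2(Net("10.9.9.64/27"), Net("203.0.113.0/24"))]


def jeff_without_nat() -> Tuple[str, str]:
    # LAN source is outside the /27 selector, so no tunnel is triggered
    return classify("192.168.1.50", "203.0.113.10", JEFF_P2)


def jeff_with_nat() -> Tuple[str, str]:
    # many-to-one NAT to 10.x.y.65 (placeholder 10.9.9.65) before the lookup
    rule = NatRule(JEFF_LAN, Net("203.0.113.0/24"), Net("10.9.9.65/32"))
    return classify("192.168.1.50", "203.0.113.10", JEFF_P2, [rule])


def jeff_with_binat(src: str) -> Tuple[str, str]:
    # 1:1 BINAT can only cover a /27-sized slice of the /24 LAN; hosts outside
    # that slice are not translated and still miss the selector
    rule = NatRule(Net("192.168.1.0/27"), Net("203.0.113.0/24"), Net("10.9.9.64/27"))
    return classify(src, "203.0.113.10", JEFF_P2, [rule])


# --- dimmon's setup (placeholder 198.51.100.5 for 216.200.x.5)
DIMMON_REMOTE = Net("198.51.100.5/32")


def dimmon_as_configured() -> Tuple[str, str]:
    # phase-2 local side is the single host 10.20.30.40, so 10.20.30.2 is routed via WAN
    return classify("10.20.30.2", "198.51.100.5", [Phase2(Net("10.20.30.40/32"), DIMMON_REMOTE)])


def dimmon_with_lan_selector() -> Tuple[str, str]:
    # same packet once the local selector covers the whole LAN
    return classify("10.20.30.2", "198.51.100.5", [Phase2(Net("10.20.30.0/24"), DIMMON_REMOTE)])


if __name__ == "__main__":
    print("Jeff, no NAT:        ", jeff_without_nat())
    print("Jeff, NAT to .65:    ", jeff_with_nat())
    print("Jeff, BINAT in slice:", jeff_with_binat("192.168.1.5"))
    print("Jeff, BINAT outside: ", jeff_with_binat("192.168.1.50"))
    print("dimmon, /32 selector:", dimmon_as_configured())
    print("dimmon, /24 selector:", dimmon_with_lan_selector())
```

The model deliberately has no notion of routing tables: adding 10.x.y.65 as a gateway, as Jeff did, changes nothing here, because the decision is made purely on whether the post-NAT source and the destination sit inside a phase-2 selector.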
