Ipsec with NAT
jleandro last edited by
I have a pfsense server with 2 ipsec VPNs working fine.
But, last days I'm in trouble, 'cause the third Vpn doesn't work, correcting: work with no NAT.
Trying NAT Outbound or nat 1:1 the ipsec don't create the tunnels.
And reading some topics I saw "the pfSense 2.1 with NAT before ipSec".
The versions before this, doesn't make NAT ? Version 2.03 doesn't make nat ?
My pfSense version is: 2.0.3-RELEASE (i386)
Thanks a Lot.
jleandro last edited by
I updated the version of my pfsense to the 2.1.
But the problem persist.
The LAN IP is 192.168.a.b/24
and the ipsec tunnel is:
10.x.y.z/27 - > 200.x.y.0/24
10.x.y.z/27 - > 200.x.z.0/24
10.x.y.z/27 - > 177.x.y.0/24
10.x.y.z/27 - > 177.x.z.0/24
So, the host 192.168.a.b/32 need to be NATed to 10.x.y.z/32 to reach the host (any) at 200.x.y.z/32
If I put the address 10.x.y.z/255.255.255.224 at the if of the workstation works fine (phase1 and phase2, and I can access the remote host)
But accessing from 192.168.a.b/32 doesn't.
I've created NAT like this:
source 192.168.a.b/24 - dest 200.x.y.0/24 if ipSec - translation 10.x.y.65 (virtual ip, from the 10.x.y.z/27)
source 192.168.a.b/24 - dest 200.x.y.0/24 if LAN - translation 10.x.y.65 (virtual ip, from the 10.x.y.z/27)
Of course, I put in the routing the ip 10.x.y.65 as a gateway.
With this config of NAT the tunnel don't start.
Someone have some tip, or can see what is wrong ?
I think there is an error in config, but I can't see how to do the NAT in the if LAN before to ipSec…
I hope you understand my explain.
Thanks a lot
dimmon last edited by
I have a similar problem.
My LAN subnet is 10.20.30.0/24
gateway is: pfsense 2.1-RELEASE
local gateway ip is: 10.20.30.40
remote ipsec gateway ip is: 216.200.x.1
I had already configured ipsec tunnel phase1: WAN <-> 216.200.x.1
phase2: 10.20.30.40 <-> 216.200.x.5
Status is up.
But I can`t ping 216.200.x.5. Traceroute traffic goes through my WAN (Internet), but not through ipsec tunnel. I tried a lot of configuration options, but the result is bad.
- What is my mistake?
- How can I access 216.200.x.5 from local ip e.g. 10.20.30.2?
Please help me!
corradolab last edited by
looks like your remote gateway and remote lan are on the same network (ie 216.200.x.0/24).
Another strange thing is the remote host you want to connect to is a public IP (216.200.x.5) which you could connect to directly without IPSEC.
I think your setup should be something like this
local_lan <--> local_gw pfsense local_public_ip <--> remote_public_ip remote_router remote_gw <--> remote_lan 10.20.30.0/24 10.20.30.40 ?.?.?.? 216.200.x.1 x.x.x.x x.x.x.0/24