NAT before IPSec
I'm new to the forum and also new to pfSense.
I have 3 different network I notes Site A, Site B and Site C which is 2 Site A and B are under my responsibilities are connected using IPSec in pfSense (A (192.168.1.0/24 and B 192.168 .10.0/24.) Then I was given a configuration to communicate with Site C whose range is 192.168.1.0/24.
(192.168.1.0/24) Site <======pfSense ======> Site B (192.168.10.0/24) and site B <=== SSL VPN =====> Site C (192.168.1.0/24).
My question is if it is possible to establish a NAT before IPSec for communication from Site B to Site A since I have no hands on the firewall of the Site C.
It is noted that the Site A and C have the same address range (192.168.1.0/24) and are unable to change.
Do you have any documents or ideas?
timthetortoise last edited by
There's plenty of stuff to read if you Google the scenario. However, your best bet would be to change the range of the network you do have access to. You're going to run in to a whole lot of problems otherwise (for example, are you trying to talk to 192.168.1.5 on your local network or the remote site?).
MikeX last edited by
The easiest way to do this would be having Site C's admin NAT hit network through the SSL tunnel. That way both of your sites can point to the arbitrary address space you decide on.
The best way is to redesign your network, and get off of the 192.168.0.0 space all together, especially 192.168.1.0/24…. Everyone and their mother uses that /24 network.
Try to move to something in the 10.0.0.0/8 space... Lots of room there.
I'm googling a have to try a many many tutorial.So, have you a documentation to config how to NAT entire subnet and how to nat before IPSec in pfSense?
In 2.1, It's just a field in the phase2. You should be able to nat the connection from B to A easily.
site C phase2
local net 192.168.1.0/24
nat net 10.10.10.0/24
remote net 192.168.10.0/24
site B phase2
local net 192.168.10.0/24
remote net 10.10.10.0/24
Happy new years.
Thanks for your reply.
Site C is not a pfSense box and I've not access to this.
So, how can I configure the site A (pfSense v.2.1) and B (pfSense v 2.1) phase 2 in the IPSec configuration and how to nat the subnet 192.168.1.0/24 to 10.10.1.0/24 for example?
Please, help me.
Thanks a lot
I just succeed configuring NAT before IPSec.
I can send you my setup if you want.
I mislabeled site A as C in that explanation. Sorry. I guess you figured it out anyway.
I have the same problem im my office. Site A and site B have the same network address. Could you help me sending your configuration. I'm using 2.1 pfsense release.
Thanks in advance.
1 - Create a virtual IP address on both firewall (192.168.1.0 for 10.10.1.0/24 and 10.10.10.0/24 to 192.168.10.0/24)
2 - Go to VPN> IPsec menu. After you have configured phase 1, create the negotiation phase2.
3- Restart racoon
4 - insert a route on the pc (eg route add-net 10.10.10.0/24 gw YOUR_GW)
Thanks a Lot.
I'll try this configuration.
Did you have to set 1:1 or Outbound Nat configuration?
When you send a package from Site A to Site B, what is the src ip when this package arrive at site B host?
I'm sorry for my english.
No, but the subnet 192.168.1.0/24 is nated to 10.10.1.0/24 and 192.168.10.0/24 in 10.10.10/24.
the virtual IP and the subnet must have the same netmask.
Thanks a lot.
I'll try this configuration today. After all I'll send news.
I've tried setup configuration as sugested, but this didn't work :'(.
My B side is a ipcop firewall and I tried establish vpn connection with site A using as remote address 172.16.24.0/24. On A site I configured Local Network wih 192.168.1.0/24 and Nat/BitNat with 172.16.24.0/24.
On B site, the vpn status is Ok, but on PfSense (Site A) the VPN connection is down, although there are logs registering connection established.
I'm attaching my actual configuration and log files on both sites. Does anyone has any idea why my Site A (192.168.1.0) package does not arrive at site B (10.1.1.0) with 184.108.40.206 address?
Thanks a lot for help me.
What about your configuration between Site A and Site C? Did you establish connection?
In your original post you described that site A and Site C have the same CIDR. In this case did you have to Nat your Site A address to arive in site C with other network address?
I'm sorry for the inconvenience.
I succeed establish NAT before IPSec on Both sides.
I think the problem is with IPCOP. When I configure IPSEC VPN between 2 pfsenses (Site A 2.1 and site B 2.0.3), vpn works fine and all packages sent by site A arrives at Site B with 172.16.24.0 address. I'll check IPCOP documentation.
Thanks everyone for help me.
I succeed establish NAT before IPSec on Both sides without problem. :D
The problem was on my IPCOP on Site B. My firewall established connection on SonicWall using Nat Over Ipsec.
Thanks everyone for help me.
shadokin last edited by
On your VIP you create, I assume you used a Localhost IP Alias?
You shouldn't need to create VIPs or routes. You can set the NAT network directly in your phase2.
shadokin last edited by
Understood dotdash but Andry Vononka states he created a VIP and I was curious on that point. I am trying to do this with NAT to NAT on two externals and was curious if he used the VIP to point the traffic. I understand it 'SHOULD' work they way you stated and I agree but it's not. When I originate traffic from the internal network pointing to the IP of the local network on the other side of the tunnel, which is also a NAT'd external address it doesn't send the traffic down the tunnel. This is what it looks like….
Customer Server 10.200.1.122 (I do not use this as they NAT everything to 220.127.116.11)
Customer NAT 18.104.22.168 (assume internet routable IP)
Customer Gateway 22.214.171.124 (assume internet routable IP)
My Gateway 126.96.36.199 (assume internet routable IP)
My NAT 188.8.131.52 (assume internet routable IP)
My Server 192.168.20.67 (Customer does not see this address as I NAT everything to 184.108.40.206
The tunnel comes up just fine but can't seem to get traffic to route from 192.168.20.67 to 220.127.116.11 as I should be able to. Note when it arrives on 18.104.22.168 it should look like it's coming from 22.214.171.124 via the NAT from out side.
Any help is welcome in advance, thanks!
Does the partner require you to nat to a public ip? I usually use this where there are overlapping subnets and use a different private. e.g. 192.168.1.0/24 real lan nat network 10.4.5.0/24 (the other side sees the 10.4.5 instead of 192.168.1)
I used with network address only. Eg. 192.168.10.0/24 to 192.168.5.0/24.