• Hello everybody,

    I'm new to the forum and also new to pfSense.
    I have 3 different networks, which I call Site A, Site B and Site C. Two of them, Site A and B, are under my responsibility and are connected using IPSec in pfSense (A ( and B 192.168.10.0/24). Then I was given a configuration to communicate with Site C whose range is
    In short:

    ( Site <======pfSense ======> Site B ( and site B <=== SSL VPN =====> Site C (

    My question is if it is possible to establish a NAT before IPSec for communication from Site B to Site A since I have no hands on the firewall of the Site C.
    Note that Site A and C have the same address range ( and this cannot be changed.
    Do you have any documents or ideas?


  • There's plenty of stuff to read if you Google the scenario. However, your best bet would be to change the range of the network you do have access to. You're going to run into a whole lot of problems otherwise (for example, are you trying to talk to on your local network or the remote site?).

  • The easiest way to do this would be having Site C's admin NAT his network through the SSL tunnel. That way both of your sites can point to the arbitrary address space you decide on.

    The best way is to redesign your network and get off of the space altogether, especially … Everyone and their mother uses that /24 network.

    Try to move to something in the space... Lots of room there.

  • I'm googling and have tried many, many tutorials. So, do you have documentation on how to configure NAT for an entire subnet and how to NAT before IPSec in pfSense?


  • In 2.1, it's just a field in the phase2. You should be able to NAT the connection from B to A easily.
    site C phase2
    local net
    nat net
    remote net

    site B phase2
    local net
    remote net

  • Happy new years.

    Thanks for your reply.

    Site C is not a pfSense box and I have no access to it.
    So, how can I configure the Site A (pfSense v2.1) and B (pfSense v2.1) phase 2 in the IPSec configuration, and how do I NAT the subnet to for example?

    Please, help me.

    Thanks a lot

  • Hello,

    I just succeeded in configuring NAT before IPSec.
    I can send you my setup if you want.


  • I mislabeled site A as C in that explanation. Sorry. I guess you figured it out anyway.

  • Hi Vononka,

    I have the same problem in my office. Site A and Site B have the same network address. Could you help me by sending your configuration? I'm using the pfSense 2.1 release.

    Thanks in advance.

  • Hi,

    1 - Create a virtual IP address on both firewalls ( for and to
    2 - Go to the VPN > IPsec menu. After you have configured phase 1, create the phase 2 negotiation.
    3 - Restart racoon
    4 - Insert a route on the PC (e.g. route add -net gw YOUR_GW)


  • Thanks a Lot.

    I'll try this configuration.


  • Hi Vononka,

    Did you have to set a 1:1 or Outbound NAT configuration?

    When you send a packet from Site A to Site B, what is the src IP when this packet arrives at the Site B host?

    I'm sorry for my english.

  • Hi,
    No, but the subnet is NATed to and in 10.10.10/24.
    The virtual IP and the subnet must have the same netmask.


  • Thanks a lot.
    I'll try this configuration today. Afterwards I'll send news.


  • Hi,

    I've tried setting up the configuration as suggested, but this didn't work  :'(.

    My B side is an IPCop firewall and I tried to establish a VPN connection with Site A using as remote address. On the A side I configured Local Network with and NAT/BINAT with

    On the B side the VPN status is OK, but on pfSense (Site A) the VPN connection is down, although there are logs registering the connection as established.

    I'm attaching my actual configuration and log files from both sites. Does anyone have any idea why my Site A ( packet does not arrive at Site B ( with the address?

    Thanks a lot for helping me.

  • What about your configuration between Site A and Site C? Did you establish the connection?
    In your original post you described that Site A and Site C have the same CIDR. In this case, did you have to NAT your Site A address to arrive in Site C with another network address?

    I'm sorry for the inconvenience.

  • Hello,

    I succeeded in establishing NAT before IPSec on both sides.

    I think the problem is with IPCop. When I configure an IPSec VPN between 2 pfSenses (Site A 2.1 and Site B 2.0.3), the VPN works fine and all packets sent by Site A arrive at Site B with the address. I'll check the IPCop documentation.

    Thanks everyone for helping me.

  • Hello,

    I succeeded in establishing NAT before IPSec on both sides without problem.  :D

    The problem was on my IPCop at Site B. My firewall established the connection on SonicWall using NAT over IPsec.

    Thanks everyone for helping me.

  • On your VIP you create, I assume you used a Localhost IP Alias?

  • You shouldn't need to create VIPs or routes. You can set the NAT network directly in your phase2.

  • Understood dotdash, but Andry Vononka states he created a VIP and I was curious on that point. I am trying to do this with NAT to NAT on two externals and was curious whether he used the VIP to point the traffic. I understand it 'SHOULD' work the way you stated and I agree, but it's not. When I originate traffic from the internal network pointing to the IP of the local network on the other side of the tunnel, which is also a NAT'd external address, it doesn't send the traffic down the tunnel. This is what it looks like …

    Customer Server (I do not use this as they NAT everything to
    Customer NAT (assume internet routable IP)
    Customer Gateway (assume internet routable IP)
    My Gateway (assume internet routable IP)
    My NAT (assume internet routable IP)
    My Server (Customer does not see this address as I NAT everything to

    The tunnel comes up just fine, but I can't seem to get traffic to route from to as I should be able to. Note that when it arrives on it should look like it's coming from via the NAT from outside.

    Any help is welcome in advance, thanks!

  • Does the partner require you to NAT to a public IP? I usually use this where there are overlapping subnets and use a different private range, e.g. real LAN NAT network (the other side sees the 10.4.5 instead of 192.168.1).

  • I used it with a network address only. E.g. to
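The following is an added example, not code from the thread or from pfSense. It models the "NAT before IPsec" idea that runs through the replies above (the phase2 "nat net" field, the rule that the NAT network and the real subnet must share the same netmask, and the last reply's point that the other side sees 10.4.5.x instead of 192.168.1.x): each site maps its real LAN 1:1 onto a non-overlapping NAT network, and only NAT addresses ever cross the tunnel. The class and function names (`SiteBinat`, `deliver`, `translation_possible`) and the sample addresses are constructed for the example; the two sites are given the same real LAN, 192.168.1.0/24, to reproduce the overlap discussed in the thread.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of "NAT before IPsec" (the pfSense phase 2 BINAT idea): each site
# maps its real LAN onto a NAT network of the same size, and the tunnel only ever
# carries the NAT addresses. This is example code, not pfSense's own implementation.


@dataclass(frozen=True)
class SiteBinat:
    """Hypothetical one-site view: local_net (real LAN) <-> nat_net (what peers see)."""
    local_net: ipaddress.IPv4Network
    nat_net: ipaddress.IPv4Network

    def __post_init__(self) -> None:
        # The thread's rule: NAT network and real subnet need the same netmask,
        # otherwise the host bits cannot be carried across unchanged.
        if self.local_net.prefixlen != self.nat_net.prefixlen:
            raise ValueError(f"netmask mismatch: {self.local_net} vs {self.nat_net}")

    def outbound(self, addr: str) -> ipaddress.IPv4Address:
        """Real LAN address -> NAT address (source rewrite on the way into the tunnel)."""
        return _rebase(addr, self.local_net, self.nat_net)

    def inbound(self, addr: str) -> ipaddress.IPv4Address:
        """NAT address -> real LAN address (destination rewrite leaving the tunnel)."""
        return _rebase(addr, self.nat_net, self.local_net)


def _rebase(addr: str, src_net: ipaddress.IPv4Network,
            dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Keep the host bits of addr, swap the network bits from src_net to dst_net."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not in {src_net}, no translation applies")
    host_bits = int(ip) & int(src_net.hostmask)
    return ipaddress.IPv4Address(int(dst_net.network_address) | host_bits)


def translation_possible(local: str, nat: str) -> bool:
    """True when the two networks can be paired 1:1 (same netmask), the check from the thread."""
    try:
        SiteBinat(ipaddress.IPv4Network(local), ipaddress.IPv4Network(nat))
        return True
    except ValueError:
        return False


def deliver(src: str, dst: str, sender: SiteBinat, receiver: SiteBinat) -> tuple:
    """Carry one packet from the sender's LAN to the receiver's LAN across the tunnel.

    The sending host must address the far side by its NAT address (this is why a
    route for the remote NAT network is added on the PC); a destination outside that
    network matches no phase 2 and never enters the tunnel, reported here as an error.
    Returns (source as seen by the receiving host, real destination at the receiver).
    """
    dst_ip = ipaddress.IPv4Address(dst)
    if dst_ip not in receiver.nat_net:
        raise ValueError(f"{dst_ip} is outside the remote NAT net {receiver.nat_net}; "
                         "no phase 2 matches, packet stays off the tunnel")
    src_on_wire = sender.outbound(src)   # applied by the sending firewall
    dst_local = receiver.inbound(dst)    # applied by the receiving firewall
    return str(src_on_wire), str(dst_local)


# Constructed sample: both sites really use 192.168.1.0/24, as in the thread.
SITE_A = SiteBinat(ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("10.4.5.0/24"))
SITE_B = SiteBinat(ipaddress.IPv4Network("192.168.1.0/24"), ipaddress.IPv4Network("10.4.6.0/24"))


def demo() -> dict:
    """A host at A talks to a host at B, and B replies, through both translations."""
    seen_at_b, real_b_host = deliver("192.168.1.50", "10.4.6.20", SITE_A, SITE_B)
    # The reply goes back to the NAT address B saw and lands on the real host at A.
    seen_at_a, real_a_host = deliver(real_b_host, seen_at_b, SITE_B, SITE_A)
    return {"seen_at_b": seen_at_b, "real_b_host": real_b_host,
            "seen_at_a": seen_at_a, "real_a_host": real_a_host}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the four addresses of the round trip: the host 192.168.1.50 at A is seen at B as 10.4.5.50, the B host addressed as 10.4.6.20 is really 192.168.1.20, and the reply arrives back at 192.168.1.50 with the source 10.4.6.20. A packet sent from A to 192.168.1.20 directly (the real address rather than the NAT address) is rejected by `deliver`, which is the model's version of traffic that never goes down the tunnel.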