Netgate Discussion Forum

    NAT before IPSec

    23 Posts 6 Posters 7.0k Views
vononka

hello everybody,

I'm new to the forum and also new to pfSense.
I have 3 different networks, which I'll call Site A, Site B and Site C. Two of them, Site A and B, are under my responsibility and are connected using IPSec in pfSense (A is 192.168.1.0/24 and B is 192.168.10.0/24). Then I was given a configuration to communicate with Site C, whose range is 192.168.1.0/24.
In short:

Site A (192.168.1.0/24) <====== pfSense ======> Site B (192.168.10.0/24) and Site B <=== SSL VPN =====> Site C (192.168.1.0/24).

My question is whether it is possible to establish a NAT before IPSec for communication from Site B to Site A, since I have no hands on the firewall of Site C.
Note that Site A and C have the same address range (192.168.1.0/24) and it cannot be changed.
Do you have any documents or ideas?

vononka
timthetortoise

There's plenty of stuff to read if you Google the scenario. However, your best bet would be to change the range of the network you do have access to. You're going to run into a whole lot of problems otherwise (for example, are you trying to talk to 192.168.1.5 on your local network or the remote site?).
MikeX

The easiest way to do this would be having Site C's admin NAT his network through the SSL tunnel. That way both of your sites can point to the arbitrary address space you decide on.

The best way is to redesign your network, and get off of the 192.168.0.0 space altogether, especially 192.168.1.0/24... Everyone and their mother uses that /24 network.

Try to move to something in the 10.0.0.0/8 space... Lots of room there.
vononka

I'm googling and have tried many, many tutorials. So, do you have documentation on how to NAT an entire subnet and how to NAT before IPSec in pfSense?

Thanks
dotdash

In 2.1, it's just a field in the phase 2. You should be able to NAT the connection from B to A easily.
eg-
site C phase2
local net 192.168.1.0/24
nat net 10.10.10.0/24
remote net 192.168.10.0/24

site B phase2
local net 192.168.10.0/24
remote net 10.10.10.0/24
vononka

Happy new year.

Thanks for your reply.

Site C is not a pfSense box and I have no access to it.
So, how can I configure the phase 2 in the IPSec configuration of site A (pfSense v2.1) and B (pfSense v2.1), and how do I NAT the subnet 192.168.1.0/24 to 10.10.1.0/24, for example?

Please, help me.

Thanks a lot
vononka

Hello,

I just succeeded in configuring NAT before IPSec.
I can send you my setup if you want.
;)

Vononka
dotdash

I mislabeled site A as C in that explanation. Sorry. I guess you figured it out anyway.
tleiras

Hi Vononka,

I have the same problem in my office. Site A and site B have the same network address. Could you help me by sending your configuration? I'm using the pfSense 2.1 release.

Thanks in advance.

Thiago Leiras
vononka

Hi,

1 - Create a virtual IP address on both firewalls (192.168.1.0 for 10.10.1.0/24 and 10.10.10.0/24 to 192.168.10.0/24)
2 - Go to the VPN > IPsec menu. After you have configured phase 1, create the phase 2 negotiation.
3 - Restart racoon
4 - Insert a route on the PC (eg route add -net 10.10.10.0/24 gw YOUR_GW)

Vononka

Attachments: virtual-IP_A.jpg, virtual-IP-siteB.jpg, phase2-siteA.jpg, phase2-siteB.jpg
tleiras

Thanks a lot.

I'll try this configuration.

Thanks.

Thiago Leiras
tleiras

Hi Vononka,

Did you have to set a 1:1 or Outbound NAT configuration?

When you send a packet from Site A to Site B, what is the src IP when this packet arrives at the Site B host?

I'm sorry for my English.

Thiago Leiras
vononka

Hi,
No, but the subnet 192.168.1.0/24 is NATed to 10.10.1.0/24 and 192.168.10.0/24 to 10.10.10.0/24.
The virtual IP and the subnet must have the same netmask.

Vononka
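As an added illustration of dotdash's phase-2 NAT/BINAT fields and vononka's netmask note above (this is not code from the thread or from pfSense), a small Python model of the 1:1 translation, using the thread's site names and addresses as constructed sample values:

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class BinatPhase2:
    """A phase 2 with 1:1 (BINAT) translation: local_net is the real LAN,
    nat_net is what the peer sees instead, remote_net is the peer's network."""
    local_net: IPv4Net
    nat_net: IPv4Net
    remote_net: IPv4Net

    def __post_init__(self):
        # BINAT rewrites only the network bits and keeps the host bits, so the
        # local subnet and its NAT network must share one netmask (vononka's note).
        if self.local_net.prefixlen != self.nat_net.prefixlen:
            raise ValueError("local and NAT networks must use the same netmask")

    def outbound_src(self, host: str) -> ipaddress.IPv4Address:
        """Source address the remote site sees for a packet sent by `host`."""
        ip = ipaddress.IPv4Address(host)
        if ip not in self.local_net:
            raise ValueError(f"{ip} is not inside {self.local_net}")
        return self.nat_net.network_address + (int(ip) - int(self.local_net.network_address))

    def inbound_dst(self, translated: str) -> ipaddress.IPv4Address:
        """Real local host behind a reply addressed to a translated address."""
        ip = ipaddress.IPv4Address(translated)
        if ip not in self.nat_net:
            raise ValueError(f"{ip} is not inside {self.nat_net}")
        return self.local_net.network_address + (int(ip) - int(self.nat_net.network_address))


def overlapping(nets: dict) -> list:
    """Site-name pairs whose prefixes overlap, i.e. are ambiguous to one router."""
    return sorted((a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
                  if na.overlaps(nb))


# Constructed sample from the thread: Site A and Site C both use 192.168.1.0/24,
# so Site B cannot tell them apart until A is presented as 10.10.1.0/24.
SITE_A = BinatPhase2(IPv4Net("192.168.1.0/24"), IPv4Net("10.10.1.0/24"),
                     IPv4Net("192.168.10.0/24"))
SEEN_BY_B_BEFORE = {"A": SITE_A.local_net, "B": IPv4Net("192.168.10.0/24"),
                    "C": IPv4Net("192.168.1.0/24")}
SEEN_BY_B_AFTER = {**SEEN_BY_B_BEFORE, "A": SITE_A.nat_net}
```

`outbound_src` answers tleiras's question about the source address the Site B host sees, and `overlapping` shows why Site B needs the translated prefix to route to both A and C.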
tleiras

Thanks a lot.
I'll try this configuration today. Afterwards I'll send news.

Thanks.

Thiago Leiras
tleiras

Hi,

I've tried to set up the configuration as suggested, but this didn't work :'(.

My B side is an IPCop firewall and I tried to establish a VPN connection with site A using 172.16.24.0/24 as the remote address. On the A side I configured the Local Network with 192.168.1.0/24 and NAT/BINAT with 172.16.24.0/24.

On the B side, the VPN status is OK, but on pfSense (Site A) the VPN connection is down, although there are logs registering the connection established.

I'm attaching my actual configuration and log files for both sites. Does anyone have any idea why my Site A (192.168.1.0) packet does not arrive at site B (10.1.1.0) with a 172.168.24.0 address?

Thanks a lot for helping me.

Attachments: SiteAConfigThiago.png, SiteBConfigThiago.png

Thiago Leiras
tleiras

What about your configuration between Site A and Site C? Did you establish a connection?
In your original post you described that Site A and Site C have the same CIDR. In this case did you have to NAT your Site A address to arrive in Site C with another network address?

I'm sorry for the inconvenience.

Thiago Leiras
tleiras

Hello,

I succeeded in establishing NAT before IPSec on both sides.

I think the problem is with IPCop. When I configure an IPSEC VPN between 2 pfSenses (Site A 2.1 and site B 2.0.3), the VPN works fine and all packets sent by site A arrive at Site B with a 172.16.24.0 address. I'll check the IPCop documentation.

Thanks everyone for helping me.

Thiago Leiras
tleiras

Hello,

I succeeded in establishing NAT before IPSec on both sides without problems. :D

The problem was on my IPCop on Site B. My firewall established the connection to the SonicWall using NAT over IPsec.

Thanks everyone for helping me.

Thiago Leiras
shadokin

On the VIP you create, I assume you used a Localhost IP Alias?
dotdash

You shouldn't need to create VIPs or routes. You can set the NAT network directly in your phase 2.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.