Netgate Discussion Forum

Multiple IPSec Tunnel with same LAN - NAT possible?

IPsec
4 Posts 2 Posters 1.9k Views
JeGr LAYER 8 Moderator
last edited by Jul 4, 2014, 6:00 AM

Morning everyone,

The situation is this: a customer has a central IPsec site with a Juniper SRX and wants to connect multiple small offices to it. As he has no control over the offices and they all have "default DSL lines with dumb routers", they are likely to often have the same local LAN, like 192.168.0.x or .1.x.
Now he wants to ship small pfSense boxes out that either replace the default router or are set up behind it (let the dumb device do PPPoE and forward everything to the pfSense behind it).

The question is: can I easily rewrite the local addresses from the offices (192.168.x.x) via NAT on the IPsec interface? The idea is to use an address from an uncritical segment like 10.234.5.x to outbound-NAT all offices, so the packets that arrive at the concentrator (Juniper) can be mapped to the corresponding IPsec tunnels.

Back traffic (central to branches) is NOT necessary. All that has to work is that the branches can access a defined server at central via their corresponding IPsec tunnels.

Is it as easy as defining an outbound NAT on the IPsec interface? Or does the NAT address to be used (10.234.xy) have to be defined as a virtual IP somewhere so the packets coming back are accepted?

Thanks for giving it some thought,
Jens

Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

jimp Rebel Alliance Developer Netgate
last edited by Jul 7, 2014, 3:33 PM

NAT+IPsec works fine and is easy on pfSense 2.1 and later.

In the phase 2 settings, define the NAT network under the local Phase 2 network and that's all you need to do.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

JeGr LAYER 8 Moderator
last edited by Jul 8, 2014, 3:39 PM

It seems there are problems with the remote side (Juniper), as it is saying that the SA is only one-way. The way back to the branches isn't recognized, as it seems pfSense sends it with the NAT IP in it and Juniper VPN (as well as Cisco) isn't able to make use of that.

Any thoughts on how to do that correctly? Is it possible to announce the back route with the local net but rewrite it with NAT nonetheless?


jimp Rebel Alliance Developer Netgate
last edited by Jul 8, 2014, 5:15 PM

The only setting on pfSense is the NAT address entry. People have used many:1 (e.g. LAN/24 -> NAT/32) for connecting to other gear before, including large vendors and systems such as Verizon/AT&T for cell network backend connections.

If that doesn't work with the Juniper settings, there may be something else that needs to be set on the Juniper side. Otherwise, try using a /24 for the NAT address/network and not a many:1 type NAT setup.

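The two NAT shapes discussed in this thread (a 1:1 network translation such as LAN/24 -> NAT/24, and a many:1 translation such as LAN/24 -> NAT/32) differ in exactly the property jimp's last reply points at: only the 1:1 form gives the far end a per-host address it can route back to. The following is an added example that is not part of the thread and not pfSense code; it models the address rewriting in plain Python so you can check, before touching a concentrator, that overlapping branch LANs (the customer's 192.168.0.x problem) come out as non-overlapping networks on the tunnel side. The branch names and the 10.234.x.0/24 plan are constructed sample values.

```python
import ipaddress
from itertools import combinations


def binat_translate(src_ip, local_net, nat_net):
    """1:1 network translation: keep the host bits, swap the network bits.

    This is what a phase 2 entry with a NAT network of the same size as the
    local network does (e.g. 192.168.0.0/24 -> 10.234.5.0/24).
    """
    src = ipaddress.ip_address(src_ip)
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    if local.prefixlen != nat.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    if src not in local:
        raise ValueError(f"{src} is not inside {local}")
    host_bits = int(src) - int(local.network_address)
    return str(ipaddress.ip_address(int(nat.network_address) + host_bits))


def binat_reverse(nat_ip, local_net, nat_net):
    """Return traffic: the far end addresses the NAT IP; map it back to the LAN host."""
    return binat_translate(nat_ip, nat_net, local_net)


def many_to_one(src_ip, local_net, nat_addr):
    """many:1 translation (LAN/24 -> NAT/32): every host shows up as one address.

    There is no stateless reverse mapping; the far end only ever sees nat_addr,
    which is why a peer that expects a per-host route back cannot reach a branch host.
    """
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_net, strict=False):
        raise ValueError("source not in local network")
    return str(ipaddress.ip_address(nat_addr))


def tunnel_side_networks(branches):
    """Map {branch: (local_net, nat_net)} to {branch: network the concentrator sees}."""
    return {name: ipaddress.ip_network(nat, strict=False) for name, (_, nat) in branches.items()}


def nat_plan_conflicts(branches):
    """List branch pairs whose tunnel-side networks overlap.

    Overlaps here mean the concentrator cannot tell two branches apart, which is
    the exact failure the NAT plan is meant to avoid.
    """
    seen = tunnel_side_networks(branches)
    return [(a, b) for a, b in combinations(seen, 2) if seen[a].overlaps(seen[b])]


# Constructed sample plan: three branches, two of them with the same local LAN.
BRANCHES = {
    "branch-a": ("192.168.0.0/24", "10.234.5.0/24"),
    "branch-b": ("192.168.0.0/24", "10.234.6.0/24"),
    "branch-c": ("192.168.1.0/24", "10.234.7.0/24"),
}

if __name__ == "__main__":
    for name, (local, nat) in BRANCHES.items():
        print(name, "host .50 appears at", binat_translate(local.replace("0/24", "50"), local, nat))
    print("conflicts:", nat_plan_conflicts(BRANCHES))
```

With the sample plan, host 192.168.0.50 at branch-a is seen by the concentrator as 10.234.5.50 and the same local address at branch-b as 10.234.6.50, so the phase 2 selectors no longer collide; a deliberately bad plan that reuses 10.234.5.0/24 for two branches is reported by `nat_plan_conflicts`.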
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.