Questions about doing NAT within an IPSEC VPN



  • Hi there, I have been working a lot with pfSense and I have to say, Wow… Amazing platform. I am having some issues and have a few questions I'd like to throw out there. I currently have a large Linux based firewall setup (in excess of 100 units) that I'm interested in using pfSense, but I've hit a few snags related to some custom stuff I do. OK, here is the deal:

    1. I use Red Hat Linux right now with Freeswan IPSEC with KLIPS. Because of this I actually have an ipsec0 interface tied to my WAN. Now with Netfilter, I've setup NAT within the VPNs to masquerade the internal network because both sides use the same network block. It works great, but I want something with a nice Web Interface that I need to hack and write myself. :) This is the first issue.

    2. In some circumstances I have had to create Point to Subnet Connections with Freeswan.

    192.168.1.0/24 ---- [ Firewall ] ---------------- [ Firewall ] ---- 192.168.1.0/24
                        172.24.1.0/24                  172.24.2.0/24

    Now with an IPSEC connection in this scenario, the second firewall is actually a Sonicwall running Enhanced OS. It has an OPT interface which I need to bring back to the main site, but since it already has an SA to that network range (the 1.0/24 translated), I have to set up a connection from the external of the firewall to the 3.0/24 and perform standard masquerading on anything to the 3.0/24 block.

    I'm just curious what everyone thinks about this. If this is a new feature, I'll gladly put in a feature request with a money contribution. Think about the value of this though? You can now compete with major firewall players, and you've eliminated the problems with overlapping subnets.

    Thoughts?

    Regards,
    Jon
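The overlapping-subnet scenario in the post comes down to translating each site's 192.168.1.0/24 into a distinct range before the packet reaches the IPsec policy lookup, so the SA selectors are 172.24.1.0/24 <-> 172.24.2.0/24 rather than two identical LANs. The following is an added example, not pfSense, FreeSWAN or Netfilter code: it simulates a 1:1 netmap on both VPN endpoints (a bijective rewrite of the host part, rather than the many-to-one masquerade mentioned above) and walks a request and its reply through the two gateways. The addresses are taken from the diagram; the host numbers .10 and .20 and the class and function names are constructed for the illustration.

```python
"""Simulated 1:1 NAT (netmap) in front of an IPsec tunnel.

Added example, not code from pfSense or FreeSWAN. Both sites use
192.168.1.0/24; site A presents itself to the tunnel as 172.24.1.0/24 and
site B as 172.24.2.0/24 (the ranges from the diagram in the post).
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class NetmapGateway:
    """One VPN endpoint.

    local_real   - the real LAN behind this firewall
    local_alias  - how that LAN appears inside the tunnel (1:1 translated)
    remote_alias - the peer's translated LAN, as our hosts address it
    """

    def __init__(self, local_real, local_alias, remote_alias):
        self.local_real = ipaddress.ip_network(local_real)
        self.local_alias = ipaddress.ip_network(local_alias)
        self.remote_alias = ipaddress.ip_network(remote_alias)
        if self.local_real.prefixlen != self.local_alias.prefixlen:
            raise ValueError("netmap requires equal-size real and alias networks")

    @staticmethod
    def _map(addr, src_net, dst_net):
        # Keep the host part, swap the network part: 192.168.1.10 -> 172.24.1.10
        host = int(ipaddress.ip_address(addr)) - int(src_net.network_address)
        return str(dst_net.network_address + host)

    def sa_selector_matches(self, pkt):
        """The tunnel's phase 2 selector only ever sees translated addresses."""
        return (ipaddress.ip_address(pkt.src) in self.local_alias
                and ipaddress.ip_address(pkt.dst) in self.remote_alias)

    def outbound(self, pkt):
        """LAN -> tunnel: rewrite the source BEFORE the IPsec policy lookup.

        Returns None for traffic that is not destined for the peer LAN; a
        192.168.1.x -> 192.168.1.y packet never reaches the firewall at all,
        which is exactly why the overlap breaks an untranslated tunnel.
        """
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if src in self.local_real and dst in self.remote_alias:
            return replace(pkt, src=self._map(pkt.src, self.local_real, self.local_alias))
        return None

    def inbound(self, pkt):
        """Tunnel -> LAN: undo the translation on the destination."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if dst in self.local_alias and src in self.remote_alias:
            return replace(pkt, dst=self._map(pkt.dst, self.local_alias, self.local_real))
        return None


def round_trip(src_host="192.168.1.10", dst_alias="172.24.2.20"):
    """Send one packet from a site A host to a site B host and return what each
    hop observes. Constructed hosts .10 (site A) and .20 (site B)."""
    site_a = NetmapGateway("192.168.1.0/24", "172.24.1.0/24", "172.24.2.0/24")
    site_b = NetmapGateway("192.168.1.0/24", "172.24.2.0/24", "172.24.1.0/24")

    request = Packet(src_host, dst_alias)
    on_wire = site_a.outbound(request)            # source now 172.24.1.x
    if on_wire is None or not site_a.sa_selector_matches(on_wire):
        raise RuntimeError("packet would not match the IPsec selector")
    delivered = site_b.inbound(on_wire)           # destination back to 192.168.1.y

    reply = Packet(delivered.dst, delivered.src)  # site B host answers
    reply_wire = site_b.outbound(reply)
    reply_delivered = site_a.inbound(reply_wire)
    return {"wire": on_wire, "delivered": delivered,
            "reply_wire": reply_wire, "reply": reply_delivered}


if __name__ == "__main__":
    for hop, pkt in round_trip().items():
        print(f"{hop:11s} {pkt.src:>15s} -> {pkt.dst}")
```

Each host only ever sees the peer's translated range (site A's host talks to 172.24.2.20 and gets the reply from 172.24.2.20), so neither LAN has to be renumbered and the selectors on the two SAs no longer overlap. A many-to-one masquerade, as described for the OPT interface case, differs only in that the source rewrite is not reversible per host and needs connection state to map replies back.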



  • Sorry about the poll… Not used to these forums. :)



  • Put the feature request.
    It is doable just has to be integrated in the GUI.



  • Hello!

    Bringing an old thread back to life :-). Is there a way to do this until the GUI feature may be available? Editing a conf. or so?

    I'm in great need of this feature.

    Brgs,
    /iorx



  • Reply to myself…

    Some more info on the subject.

    This is what I would like to do, but in pfSense. Doable?

    http://www.mail-archive.com/misc@openbsd.org/msg13901.html

    and the answer in this case:
    http://www.mail-archive.com/misc@openbsd.org/msg14011.html

