IPSec BINAT different subnets
Arci last edited by
I'm trying to establish an IPsec tunnel with a vendor on pfSense 2.1.5-RELEASE. VPN and network details I'm using are available below. IP addresses were hidden.
What is specific to this connection is that I was given a /28 network to be my source net. If I understand this correctly, I need to set up a NAT/BINAT in my Phase 2 (second Local Net field). The issue here is that my LAN is /24 and the network to which it is supposed to be NATted is /28.
I read here ( https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks ) that "NAT+IPsec cannot be configured between two differently sized subnets (such as a /24 to a /27)."
I tried setting this up; as soon as I adjust the Phase 2 NAT/BINAT (second Local Net field) to the 10.y.y.80/28 network I get an error:
binat source mask and redirect mask must be the same
Is there any way to get around this?
Please correct me if I'm wrong somewhere here.
Phase1: AES-128, SHA1 Group2 1024 bit IKE 1440 minutes
Phase2: AES-128, SHA1 Group2 1024 bit IPSEC 3600 seconds
Perfect Forward Secrecy not used.
Aggressive mode not used.
Source subnet is 10.y.y.80/28
The remote firewall uses the following destination NATs:
rule for ports 1433 and 1434 to the following destinations:
10.z.z.221 NAT to 161.v.v.221
10.z.z.245 NAT to 161.v.v.222
Please advise if there is a way to set this up on pfSense. I'm not sure if the vendor can change source mask for me.
cmb last edited by
It's not possible to translate to a different-size subnet, as it does a 1:1 NAT automatically in the background, which requires a matching subnet.
In 2.2, it's possible to use differing subnet sizes, but no NAT rules are automatically added in that circumstance so you have to manually configure your outbound NAT accordingly.
odric last edited by
I have the same problem. I have established the tunnel, and from pfSense the ping returns.
I have presented a different network from mine, but not how to do NAT. Can you give an example? Please.
Example of my Phase 2 configuration:
Local network (UP) 192.168.1.2/32
local network nat (down) 10.0.0.2/32
remote network 10.22.0.0/20
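To make cmb's point concrete (and to show why odric's /32-to-/32 entry works while a /24-to-/28 entry does not), here is an added example that is not part of the thread and not pfSense code. It models the two translation styles involved: the 1:1 BINAT that pfSense builds automatically from a Phase 2 NAT/BINAT entry, which keeps the host bits and therefore needs equal prefix lengths, and the many-to-one outbound NAT that cmb says you must write yourself on 2.2 when the sizes differ. The LAN 10.1.1.0/24, the vendor-assigned 10.200.0.80/28 and the translation address 10.200.0.81 are constructed sample values; the function names are mine.

```python
import ipaddress


def binat_translate(addr, local_net, nat_net):
    """1:1 (BINAT) translation as pfSense's automatic IPsec NAT does it:
    the network part is swapped, the host bits are carried over unchanged.
    That only works when both networks have the same prefix length, which is
    the condition behind the error
    'binat source mask and redirect mask must be the same'."""
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    if local.prefixlen != nat.prefixlen:
        raise ValueError(
            "binat source mask and redirect mask must be the same: "
            f"{local} has {local.num_addresses} addresses, "
            f"{nat} has {nat.num_addresses}"
        )
    ip = ipaddress.ip_address(addr)
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    host_bits = int(ip) - int(local.network_address)
    return ipaddress.ip_address(int(nat.network_address) + host_bits)


def outbound_nat_translate(addr, local_net, translation_addr, nat_net):
    """Many-to-one outbound NAT (the manual rule cmb refers to for 2.2):
    every host of local_net leaves the tunnel as translation_addr, so the
    LAN size no longer has to match the assigned network. The translation
    address must itself belong to the network the vendor expects to see."""
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    trans = ipaddress.ip_address(translation_addr)
    if trans not in nat:
        raise ValueError(f"{trans} is not inside the assigned network {nat}")
    ip = ipaddress.ip_address(addr)
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    return trans


def phase2_nat_mode(local_net, nat_net):
    """Which mechanism a Phase 2 NAT/BINAT entry can rely on."""
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    if local.prefixlen == nat.prefixlen:
        return "binat"  # pfSense adds the 1:1 rule for you
    return "manual-outbound-nat"  # 2.2+: allowed, but you add the outbound NAT rule


if __name__ == "__main__":
    # odric's entry: a single host mapped 1:1 to a single host
    print(binat_translate("192.168.1.2", "192.168.1.2/32", "10.0.0.2/32"))
    # constructed /24 LAN against the constructed vendor /28: 1:1 is impossible
    try:
        binat_translate("10.1.1.37", "10.1.1.0/24", "10.200.0.80/28")
    except ValueError as err:
        print("BINAT refused:", err)
    # the manual outbound NAT alternative hides the whole LAN behind one address
    print(outbound_nat_translate("10.1.1.37", "10.1.1.0/24",
                                 "10.200.0.81", "10.200.0.80/28"))
    print(phase2_nat_mode("10.1.1.0/24", "10.200.0.80/28"))
```

The first call reproduces odric's working configuration: with equal /32 masks there is exactly one host on each side, so the 1:1 mapping is trivially well defined. The /24-to-/28 case fails for the reason cmb gives: 256 addresses cannot be paired one-to-one with 16, so the automatic BINAT cannot be built, and the traffic has to be hidden behind an address from the assigned /28 with an outbound NAT rule instead.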