Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    IPSec BINAT different subnets

    IPsec
    3
    3
    1838
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      Arci last edited by

      Hello,

      I'm trying to establish a IPSec tunnel with a vendor on pfSense 2.1.5-RELEASE. VPN and network details I'm using are available below. IP addresses were hidden.
      What is specific to this connection is that I were given a /28 network to be my source net. If I understand this correctly, I need setup a NAT/BINAT in my Phase 2 (second Local Net field). The issue here is that my LAN is /24 and the network to which it supposed to be NATted is /28.

      I read here ( https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks ) that "NAT+IPsec cannot be configured between two differently sizes subnets (such as a /24 to a /27). "
      I tried setting this up, as soon as I adjust the Phase2  NAT/BINAT (second Local Net field) to the 10.y.y.80/28 network I'm getting an error

      binat source mask and redirect mask must be the same

      Is there any way to get around this?

      Please correct me if I'm wrong somewhere here.

      VPN settings:
      Phase1: AES-128, SHA1 Group2 1024 bit IKE 1440 minutes
      Phase2: AES-128, SHA1 Group2 1024 bit IPSEC 3600 seconds
      Perfect Forward Secrecy not used.
      Aggressive mode not used.

      Gateway: 161.x.x.x   
      Source subnet is 10.y.y.80/28

      The remote firewall uses the following destination nats:
      rule for ports 1433 and 1434 to the following destinations:
      10.z.z.221 NAT to 161.v.v.221
      10.z.z.245 NAT to 161.v.v.222

      Please advise if there is a way to set this up on pfSense. I'm not sure if the vendor can change source mask for me.

      1 Reply Last reply Reply Quote 0
      • C
        cmb last edited by

        It's not possible to translate to different size subnet, as it does a 1:1 NAT automatically in the background which requires a matching subnet.

        In 2.2, it's possible to use differing subnet sizes, but no NAT rules are automatically added in that circumstance so you have to manually configure your outbound NAT accordingly.

        1 Reply Last reply Reply Quote 0
        • O
          odric last edited by

          I have the same problem. I haved stablished the tunnel, and from pfsense the ping return.

          I have presented a different network to mine. but not how to do NAT. Can you give an example? Please

          example my configuration Phase 2
          Local network (UP) 192.168.1.2/32
          local network nat (down) 10.0.0.2/32
          remote network 10.22.0.0/20

          Thanks,

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy