4. IPSec BINAT different subnets

IPSec BINAT different subnets

  • A

    Hello,

    I'm trying to establish a IPSec tunnel with a vendor on pfSense 2.1.5-RELEASE. VPN and network details I'm using are available below. IP addresses were hidden.
    What is specific to this connection is that I were given a /28 network to be my source net. If I understand this correctly, I need setup a NAT/BINAT in my Phase 2 (second Local Net field). The issue here is that my LAN is /24 and the network to which it supposed to be NATted is /28.

    I read here ( https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks ) that "NAT+IPsec cannot be configured between two differently sizes subnets (such as a /24 to a /27). "
    I tried setting this up, as soon as I adjust the Phase2  NAT/BINAT (second Local Net field) to the 10.y.y.80/28 network I'm getting an error

    binat source mask and redirect mask must be the same

    Is there any way to get around this?

    Please correct me if I'm wrong somewhere here.

    VPN settings:
    Phase1: AES-128, SHA1 Group2 1024 bit IKE 1440 minutes
    Phase2: AES-128, SHA1 Group2 1024 bit IPSEC 3600 seconds
    Perfect Forward Secrecy not used.
    Aggressive mode not used.

    Gateway: 161.x.x.x   
    Source subnet is 10.y.y.80/28

    The remote firewall uses the following destination nats:
    rule for ports 1433 and 1434 to the following destinations:
    10.z.z.221 NAT to 161.v.v.221
    10.z.z.245 NAT to 161.v.v.222

    Please advise if there is a way to set this up on pfSense. I'm not sure if the vendor can change source mask for me.

    0
  • C

    It's not possible to translate to different size subnet, as it does a 1:1 NAT automatically in the background which requires a matching subnet.

    In 2.2, it's possible to use differing subnet sizes, but no NAT rules are automatically added in that circumstance so you have to manually configure your outbound NAT accordingly.

    0
  • O

    I have the same problem. I haved stablished the tunnel, and from pfsense the ping return.

    I have presented a different network to mine. but not how to do NAT. Can you give an example? Please

    example my configuration Phase 2
    Local network (UP) 192.168.1.2/32
    local network nat (down) 10.0.0.2/32
    remote network 10.22.0.0/20

    Thanks,

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy