    IPSec BINAT different subnets

    IPsec
      Arci last edited by

      Hello,

      I'm trying to establish an IPsec tunnel with a vendor on pfSense 2.1.5-RELEASE. The VPN and network details I'm using are given below. IP addresses have been hidden.
      What is specific to this connection is that I was given a /28 network to be my source net. If I understand this correctly, I need to set up a NAT/BINAT in my Phase 2 (second Local Net field). The issue here is that my LAN is /24 and the network to which it is supposed to be NATted is /28.

      I read here ( https://doc.pfsense.org/index.php/NAT_with_IPsec_Phase_2_Networks ) that "NAT+IPsec cannot be configured between two differently sizes subnets (such as a /24 to a /27). "
      I tried setting this up; as soon as I adjust the Phase 2 NAT/BINAT (second Local Net field) to the 10.y.y.80/28 network I'm getting an error:

      binat source mask and redirect mask must be the same

      Is there any way to get around this?

      Please correct me if I'm wrong somewhere here.

      VPN settings:
      Phase1: AES-128, SHA1 Group2 1024 bit IKE 1440 minutes
      Phase2: AES-128, SHA1 Group2 1024 bit IPSEC 3600 seconds
      Perfect Forward Secrecy not used.
      Aggressive mode not used.

      Gateway: 161.x.x.x   
      Source subnet is 10.y.y.80/28

      The remote firewall uses the following destination nats:
      rule for ports 1433 and 1434 to the following destinations:
      10.z.z.221 NAT to 161.v.v.221
      10.z.z.245 NAT to 161.v.v.222

      Please advise if there is a way to set this up on pfSense. I'm not sure if the vendor can change source mask for me.

        cmb last edited by

        It's not possible to translate to different size subnet, as it does a 1:1 NAT automatically in the background which requires a matching subnet.

        In 2.2, it's possible to use differing subnet sizes, but no NAT rules are automatically added in that circumstance so you have to manually configure your outbound NAT accordingly.

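To make the two replies above concrete, here is an added Python model of what the "binat source mask and redirect mask must be the same" error is protecting, and of what the manually configured outbound NAT that cmb mentions for 2.2 looks like in pf rule syntax. This is example code written for this thread, not code from pfSense or from cmb; it assumes the IPsec interface is named enc0 and that the manual rule takes the form of a pf `nat` rule with an address pool, and every subnet in it is a constructed sample value.

```python
"""Added example: why an IPsec BINAT needs equal prefix lengths, and what the
manual outbound NAT for differing lengths (pfSense 2.2+) looks like in pf syntax.
Not code from pfSense or this thread; enc0 and the pool-NAT rule form are
assumptions, and all subnets are constructed sample values."""
import ipaddress
from typing import Dict, List

# pf's own wording, as quoted in the question above
BINAT_ERROR = "binat source mask and redirect mask must be the same"


def binat_map(src_net: str, nat_net: str) -> Dict[str, str]:
    """Return the 1:1 mapping a BINAT produces: the host offset inside the
    network is preserved, so both prefixes must be the same length.
    Raises ValueError with pf's wording when they are not."""
    src = ipaddress.ip_network(src_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    if src.prefixlen != nat.prefixlen:
        raise ValueError(BINAT_ERROR)
    # zip pairs address i of the source network with address i of the NAT network
    return {str(s): str(n) for s, n in zip(src, nat)}


def phase2_nat_rules(iface: str, src_net: str, nat_net: str,
                     remote_net: str) -> List[str]:
    """Return the pf rule(s) for a phase 2 whose traffic must appear to the
    peer as nat_net.  Equal masks: a binat rule (what pfSense 2.1.x adds for
    you).  Differing masks: the manually added outbound NAT cmb describes for
    2.2, modelled here as a pf 'nat' rule with a round-robin address pool
    (assumption).  In that case the peer can no longer tell hosts apart 1:1."""
    src = ipaddress.ip_network(src_net, strict=False)
    nat = ipaddress.ip_network(nat_net, strict=False)
    rem = ipaddress.ip_network(remote_net, strict=False)
    if src.prefixlen == nat.prefixlen:
        return [f"binat on {iface} from {src} to {rem} -> {nat}"]
    return [f"nat on {iface} from {src} to {rem} -> {nat} round-robin"]


if __name__ == "__main__":
    # /32 to /32 (odric's layout) is a plain 1:1 BINAT
    print(binat_map("192.168.1.2/32", "10.0.0.2/32"))
    print(phase2_nat_rules("enc0", "192.168.1.2/32", "10.0.0.2/32", "10.22.0.0/20"))
    # a /24 LAN behind a vendor-assigned /28 (Arci's situation, constructed addresses)
    try:
        binat_map("10.0.1.0/24", "10.9.9.80/28")
    except ValueError as err:
        print("2.1.x refuses:", err)
    print(phase2_nat_rules("enc0", "10.0.1.0/24", "10.9.9.80/28", "172.16.0.0/16"))
```

The practical consequence of the pool form is that a vendor-side rule written for one specific translated address (like the per-host destination NATs in the question) can no longer be matched to one LAN host, because any host may come out of the pool on any address. If that matters, either narrow `from` to only the hosts that need the tunnel, or give those hosts individual /32-to-/32 entries; pf's `sticky-address` option on a round-robin pool at least keeps a given host on one pool address while it has open states.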
          odric last edited by

          I have the same problem. I have established the tunnel, and from pfSense the ping returns.

          I have presented a different network to mine, but not how to do NAT. Can you give an example, please?

          Example of my Phase 2 configuration:
          Local network (UP) 192.168.1.2/32
          local network nat (down) 10.0.0.2/32
          remote network 10.22.0.0/20

          Thanks,
