Netgate Discussion Forum

    Chaining VPNs using Phase2 NAT

    • JamesJohnson

      Good afternoon,

      I'm about to attempt sharing connectivity of a service that's provided to us from a 3rd party to our HQ to our remote offices.
      We have tunnels to our HQ from each location, and the VPN to our external service uses Phase 2 NATing.

      I'm not sure about the best way to do this.

      I'm thinking that I could extend the local subnet range in the phase 2 config of IPSEC5 to include all the subnets.
      However… the remotes are 192's whereas HQ's are 10's, so that would be one massive range.

      Am I able to NAT traffic from the remote sites to a reserved IP within the 10 range (at the HQ) and set static routes (at the remote sites) making it look like they are part of the HQ network?

      RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
      RemoteOffice2 <=IPSEC2=> HQ <=IPSEC5/Phase2NAT=> ExternalService
      RemoteOffice3 <=IPSEC3=> HQ <=IPSEC5/Phase2NAT=> ExternalService

      I'm not sure... any suggestions would be appreciated.

      Thanks

      • doktornotor

        https://forum.pfsense.org/index.php?topic=86973.0

        • JamesJohnson

          Unfortunately I don't have access to the VPN for the external source (so creating additional phase 2 tunnels isn't possible).
          I could put in a change request but that leads to a game of Chinese whispers, wrong departments, not allowed to speak direct and then eventually get it resolved 6 months later.

          The VPN to the external service already has Phase 2 NATing so our local subnets appear as a different range to them.

          If all of the remote sites were on 10 ranges then I could just extend the local subnet on our endpoint of the external service VPN and set routes for the remote offices. (Unless IPsec wouldn't support it.)

          • JamesJohnson

            O o o… Would this work?

            Using just one site as an example
            If I extend the local subnet range of IPSEC5/Phase2NAT to include the NAT'd range of IPSEC2/Phase2NAT whilst making an additional tunnel for the remote site.

            Something like...

            RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
            RemoteOffice1 <=IPSEC2/Phase2NAT=> HQ <=IPSEC5/Phase2NAT=> ExternalService

            Thanks

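As an added example that is not part of this thread and not pfSense's own code: a small Python model of Phase 2 traffic-selector matching with 1:1 network NAT, tracing one packet from RemoteOffice1 towards the external service through the three layouts the thread discusses (real 192 sources sent through the HQ tunnel as-is, the remote office NATing itself into a block reserved inside the HQ range, and HQ widening IPSEC5's local selector instead). Every address, tunnel name and network size below is constructed for the illustration, as is the assumption that the third party's side only accepts sources in 172.16.0.0/16 and cannot be changed.

```python
#!/usr/bin/env python3
"""Trace a packet through chained IPsec tunnels whose Phase 2 entries do 1:1
network NAT (BINAT). Constructed model; every address and tunnel name below is
an assumption for illustration, not the poster's real configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One Phase 2 entry as configured on the router that holds it."""
    name: str
    local: IPv4Network                        # local traffic selector (real addresses)
    remote: IPv4Network                       # remote traffic selector
    nat_local: Optional[IPv4Network] = None   # 1:1 BINAT: local appears as this network

    def __post_init__(self) -> None:
        # a 1:1 network translation needs equal-sized networks on both sides
        if self.nat_local is not None and self.nat_local.prefixlen != self.local.prefixlen:
            raise ValueError(f"{self.name}: NAT network must be the same size as local")


def binat(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Keep the host bits, swap the network prefix (1:1 translation)."""
    return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))


def select(p2s: List[Phase2], src: IPv4Address, dst: IPv4Address):
    """First Phase 2 whose selectors match the flow, plus the source as it
    appears inside the tunnel after NAT. None means no tunnel will carry it."""
    for p2 in p2s:
        if src in p2.local and dst in p2.remote:
            wire_src = binat(src, p2.local, p2.nat_local) if p2.nat_local else src
            return p2.name, wire_src
    return None


def trace(hops: List[Tuple[str, List[Phase2]]], src: IPv4Address, dst: IPv4Address):
    """Push a packet through a chain of routers. Returns one (router, tunnel,
    source-on-the-wire) tuple per hop, or a string naming the router with no
    matching selector (where the packet would fall out of the tunnel path)."""
    path = []
    for router, p2s in hops:
        hit = select(p2s, src, dst)
        if hit is None:
            return f"no Phase 2 on {router} matches {src} -> {dst}"
        path.append((router, hit[0], hit[1]))
        src = hit[1]          # the next router sees the translated source
    return path


# --- constructed topology (assumptions) -------------------------------------
EXT = IPv4Network("198.51.100.0/24")      # the third-party service
HQ_LAN = IPv4Network("10.10.0.0/16")      # HQ network
HQ_NAT = IPv4Network("172.16.0.0/16")     # how the third party expects to see HQ
RO1_LAN = IPv4Network("192.168.1.0/24")   # RemoteOffice1
RO1_NAT = IPv4Network("10.10.200.0/24")   # block reserved for RO1 inside HQ_LAN, unused by HQ hosts

# what the third party's own Phase 2 accepts from HQ (assumed unchangeable by us)
EXT_ACCEPTS = HQ_NAT

IPSEC5 = Phase2("IPSEC5", HQ_LAN, EXT, nat_local=HQ_NAT)

# As-is: RO1 sends real 192.168.1.x sources towards the service via its HQ tunnel.
AS_IS = [
    ("RemoteOffice1", [Phase2("IPSEC1", RO1_LAN, EXT)]),
    ("HQ", [IPSEC5]),
]

# Chained: RO1 NATs itself into the reserved HQ block first; HQ's IPSEC5 is untouched.
CHAINED = [
    ("RemoteOffice1", [Phase2("IPSEC2", RO1_LAN, EXT, nat_local=RO1_NAT)]),
    ("HQ", [IPSEC5]),
]

# Widened: RO1 NATs to a block outside HQ_LAN and HQ widens IPSEC5 to cover it.
WIDENED = [
    ("RemoteOffice1", [Phase2("IPSEC2", RO1_LAN, EXT,
                              nat_local=IPv4Network("10.11.1.0/24"))]),
    ("HQ", [Phase2("IPSEC5", IPv4Network("10.0.0.0/12"), EXT,
                   nat_local=IPv4Network("172.16.0.0/12"))]),
]


def reaches_service(hops, src: str, dst: str) -> Tuple[bool, object]:
    """True only if every hop has a selector and the far end accepts the final source."""
    path = trace(hops, IPv4Address(src), IPv4Address(dst))
    if isinstance(path, str):
        return False, path
    return path[-1][2] in EXT_ACCEPTS, path


if __name__ == "__main__":
    for label, hops in (("as-is", AS_IS), ("chained", CHAINED), ("widened", WIDENED)):
        print(label, reaches_service(hops, "192.168.1.10", "198.51.100.5"))
```

In the model the as-is layout fails at HQ, because a 192.168.1.10 source never matches IPSEC5's 10.10.0.0/16 local selector and so never enters the tunnel; the chained layout works because the remote office's NATed source 10.10.200.10 sits inside the range IPSEC5 already translates, and the third party sees 172.16.200.10, which it already accepts; the widened layout gets the packet through HQ but the third party sees 172.27.1.10, outside the only range its side is assumed to accept, which is exactly the selector the poster says cannot be changed. The model traces one direction only: for replies, the HQ end of IPSEC2 needs a Phase 2 whose remote selector is the reserved 10.10.200.0/24, so that traffic un-NATed by IPSEC5 matches a tunnel back to RemoteOffice1, and the reserved block must not be in use by real HQ hosts.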
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.