IPSec NAT 4 Local Subnets into provider's /22 block



  • Dear Forum,

    Found out that IKEv2 does not work with a Cisco ASA and pfSense when using 4 SAs. Only 1 is allowed. Is this still possible with a NAT trick? Can we NAT 4 local subnets 10.1.10.10/24,10.1.10.20/24,10.1.10.110.110/24, and 10.1.10.120/24 into 10.41.38.0/22 at the providers end?  The Cisco ASA provider only allows us to connect as 10.41.38.0/22 using NAT.

    Thanks,

    Alfredo,



  • Anybody?



  • Your CIDR notations for local subnets have some typos in them.  I think the gist is you want 4 local subnets to access a network 10.41.38.0/22 on the remote end since you were going for multiple phase 2.

    Did you ever consider GRE over IPsec?  It more or less makes this a routing problem than a multiple SA problem and gives you the ability to adjust MTU per GRE interface/tunnel versus for all IPsec traffic.

    I found a YouTube video that helped with the basis for my own configuration with pfSense and an HP router a while back maybe it'll help you too.  HP called the GRE interfaces tunnel interfaces, I think Cisco does as well:

    Youtube Video

    You'll be on your own for the corresponding Cisco config commands if you go this route.

    The only thing of note if you go this route is whenever you reboot pfSense, the GRE interfaces don't like to come up all the way.  You either have to disable/enable them from the web GUI or SSH to pfSense and issue the 'up' command to the interface.  Any workarounds posted on the forums that I've found to use boot time commands from add-on packages didn't work for me.


Log in to reply