IPSec "Gateway"

  • Hi guys,

    I have running pfSense with single WAN and 2 LANs: a.a.a.a.a/17 and c.c.c.72/24
    There are two IPSec tunnels established:

    1. endpoint A and B --> mapping a.a.a.a/17 <---> b.b.b.b/9
    2. endpoint C and D --> mapping c.c.c.72/32 <---> d.d.d.d/24

    Tunnel 1 is working with no problem and machines on a.a.a.a/24 can access machines on b.b.b.b/9 with no problem.

    Tunnel 2 is complicated; because of security issues, endpoint D will allow packets (and policy) just from a specific IP (c.c.c.72/32), but I want to allow any machine on c.c.c.c/24 to access machines on d.d.d.d/24.
    If I'm trying from the pfSense (which is the c.c.c.72/24) I CAN access d.d.d.d/24

    But… I don't know how to make pfSense do "masquerade" for packets that are coming from OPT1 (c.c.c.72/24) and then redirect them into the tunnel.
    I tried Manual Outbound NAT with no success, and I tried a static route and some more things…

    Can someone help me with the last bit of making it work?


  • You can restrict access by using firewall rules at Firewall > Rules, IPsec tab. Just use the real subnet at the endpoint which has the /32 subnet currently.

  • Hi hoba,

    Thanks for that.

    It's not what I meant… I meant that I need a kind of NAT'ing from subnet c.c.c.c/24 so that every packet from this LAN subnet looks like it is actually coming from c.c.c.72/32. Meaning that pfSense will do Outbound NAT on OPT1 and then redirect that packet through the IPSec tunnel.
    But from reading posts on the forum (some are from you) - I got that it's not possible.

    I solved the issue in the meantime by setting the pfSense to c.c.c.254/24, and one of the machines inside has c.c.c.72/24. If the need arises for more machines to access this specific tunnel, they will all use the .72 machine as gateway.

    Thanx again.

  • NATing through IPSEC is not possible for versions up to 1.2. Maybe it will be possible in an upcoming version (I think ermal said theoretically it is possible, but he has some other features that keep him busy currently, so don't take this as a promise).
