Netgate Discussion Forum

    IPSec "Gateway"

    IPsec
    ronenb75

      Hi guys,

      I have pfSense running with a single WAN and 2 LANs: a.a.a.a/17 and c.c.c.72/24
      There are two IPSec tunnels established:

      1. endpoint A and B --> mapping a.a.a.a/17 <---> b.b.b.b/9
      2. endpoint C and D --> mapping c.c.c.72/32 <---> d.d.d.d/24

      Tunnel 1 is working with no problem and machines on a.a.a.a/24 can access machines on b.b.b.b/9 with no problem.

      Tunnel 2 is complicated; because of security issues, endpoint D will allow packets (and policy) just from a specific IP (c.c.c.72/32), but I want to allow any machine on c.c.c.c/24 to access machines on d.d.d.d/24.
      If I'm trying from the pfSense (which is the c.c.c.72/24), I CAN access d.d.d.d/24.

      But... I don't know how to make pfSense do "masquerade" for packets that are coming from OPT1 (c.c.c.72/24) and then redirect them into the tunnel.
      I tried Manual Outbound NAT with no success, and I tried a static route and some more tries...

      Can someone help me with the last bit of making it work?

      Thanx.

        hoba

        You can restrict access by using firewall rules at Firewall > Rules, IPsec tab. Just use the real subnet at the endpoint which has the /32 subnet currently.

          ronenb75

          Hi hoba,

          Thanks for that.

          It's not what I meant... I meant that I need a kind of NAT'ing from subnet c.c.c.c/24 so that every packet from this LAN subnet looks like it is actually coming from c.c.c.72/32. Meaning that pfSense will do Outbound NAT on OPT1 and then will redirect that packet through the IPsec.
          But from reading posts on the forum (some are from you), I got that it's not possible.

          I solved the issue in the meantime by setting the pfSense to c.c.c.254/24, and one of the machines inside has c.c.c.72/24. If the need arises for more machines to access this specific tunnel, they will all use the .72 machine as gateway.

          Thanx again.

            hoba

            NATting through IPsec is not possible for versions up to 1.2. Maybe it will be possible in an upcoming version (I think ermal said theoretically it is possible, but he has some other features that keep him busy currently, so don't take this as a promise).

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.