2.3 IPSEC with public network as P2 Remote Network: ok from router, not from LAN

  • Bonjour, hello,

    I have some "Simple" IPv4 tunnels (IKEv1) to customers here, 3 are already running.  Our LAN:, WAN IP address 80.254.x.y.

    Already working tunnels are having a Phase 2 setup similar to:

    • Local network: LAN Subnet - NAT/BINAT:  Type Network, Address
    • Remote Network:  Type Network , Address

    I now have to add a new tunnel, but this time and for the first time the Remote Network Address is using public IP ranges.  Current phase 2 setup:

    • Local Network:  WAN Subnet - no NAT/BINAT
    • Remote Network:  Type Network, Address 159.16x.y.z/30

    IPSEC connection status for Phase 1 and Phase 2 are fine, everything works as planned when testing from the router itself (when connected via ssh to the pfsense system, I can ping one remote target IP as 159.16x.y.7).  But the only issue is that I cannot access the target range 159.16x.y.z/30 from our LAN (

    I tried changing the phase 2 settings, but with anything else the tunnel will not work. And if I set "LAN subnet" as NAT/BINAT network, it seems to be ignored and will not be saved.
    I also thought about adding a static route, but it's not possible to select a tunnel as a gateway.
    So how could I route these packets to 159.16x.y.z/30 over the tunnel instead of directly over our gateway?

    Any hint would be very welcome as I am not very experienced with ipsec topics.  Merci & kind regards, Olivier

  • I just updated our router to 2.3.1, and everything remained the same (which was to be expected).
    I tried a few other things, but no luck yet, even when using our WAN IP as /32 network under "Local Network:"  it doesn't work anymore, only when "Local Network:  WAN Subnet " is set I can access the remote servers, and only from the router's shell.

    I guess some more research is needed…  In the meantime, please do not hesitate to give any input or suggestion, thanks !

  • No solution found yet, I will request a private range and try again.      But I'd still be happy to know if there is another way to solve this :)

  • That's the expected result, your LAN hosts aren't sourcing traffic on your public IPs, and you don't have NAT defined in the P2. Just need NAT in the P2 for that to work.
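The behaviour described in the reply above, as an added example that is not part of any post in this thread and is not pfSense code: a simplified model in which a policy-based Phase 2 only carries packets whose source and destination fall inside its selectors, with an optional NAT/BINAT step applied to the source first. All addresses are constructed from documentation ranges to stand in for the redacted ones, and `Phase2`, `translate` and `path` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

@dataclass
class Phase2:
    local: Net                       # network presented to the peer as "local"
    remote: Net                      # P2 remote network
    nat_from: Optional[Net] = None   # real source network translated into `local`

def translate(p2: Phase2, src: Addr) -> Addr:
    """Rewrite the source the way a P2 NAT/BINAT entry would (simplified)."""
    if p2.nat_from is None or src not in p2.nat_from:
        return src
    if p2.local.prefixlen == p2.nat_from.prefixlen:      # BINAT: 1:1, keep host bits
        return p2.local.network_address + (int(src) - int(p2.nat_from.network_address))
    if p2.local.prefixlen == 32:                         # NAT: many hosts behind one address
        return p2.local.network_address
    raise ValueError("unsupported NAT shape in this model")

def path(p2: Phase2, src: str, dst: str) -> Tuple[str, str]:
    """Return (egress, source seen on the wire) for one packet."""
    wire_src = translate(p2, Addr(src))
    if wire_src in p2.local and Addr(dst) in p2.remote:
        return "tunnel", str(wire_src)
    return "default-gateway", src    # no selector match: normal routing applies

# Constructed addresses (documentation ranges), standing in for the redacted ones.
WAN_IP, LAN_HOST, REMOTE_HOST = "198.51.100.10", "192.168.10.20", "203.0.113.5"
LAN, REMOTE = Net("192.168.10.0/24"), Net("203.0.113.4/30")

no_nat = Phase2(local=Net("198.51.100.0/24"), remote=REMOTE)                    # WAN subnet, no NAT
with_nat = Phase2(local=Net("198.51.100.10/32"), remote=REMOTE, nat_from=LAN)   # LAN hidden behind WAN IP
binat = Phase2(local=Net("172.16.50.0/24"), remote=Net("10.20.0.0/16"), nat_from=LAN)

if __name__ == "__main__":
    for name, p2, src, dst in [
        ("router, no NAT", no_nat, WAN_IP, REMOTE_HOST),
        ("LAN host, no NAT", no_nat, LAN_HOST, REMOTE_HOST),
        ("LAN host, NAT to WAN IP", with_nat, LAN_HOST, REMOTE_HOST),
        ("LAN host, BINAT /24", binat, LAN_HOST, "10.20.1.1"),
    ]:
        print(f"{name:26} {src} -> {dst}: {path(p2, src, dst)}")
```
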

  • Oh great, an answer ! Thanks for your time cmb.

    "Just need NAT in the P2" is definitely what I'd like to get, but setting "LAN subnet" under "NAT/BINAT translation" does not have any effect (gets saved, but if I edit the entry again the field is empty: cf. screenshot).

    Is this a GUI-issue, or is there another way to achieve this?

  • Spent some more time on the forum & searching…    "Static routes are not possible with IPSEC" came up a few times, but I still hope there is a way.

    I just miss my IPSEC remote gateways under System / Routing / Static Routes / Edit, or should I try with as Gateway ?  I can't try it now (working remotely and no way to fix things if it brings everything offline), but if it is the way to go, I could give it a try tomorrow.

    ![Capture d’écran 2016-07-04 à 22.09.02.png](/public/imported_attachments/1/Capture d’écran 2016-07-04 à 22.09.02.png)

  • As a final followup, remote party updated their setup to let us use NAT translation like we usually do, and it's now working fine with:

    • Local Network:  LAN Subnet
    • NAT/BINAT Translation: Network  192.168.18x.0/24
    • Remote Network: 10.22x.0.0/16

    It would still be interesting to know if and how it would have been possible to solve the initial issue (public network as target), but at least case is closed for now.
    Kind regards

  • Hi Swix,

    Thought I'd post as I was doing the exact same thing. I got mine working, so it can happen.

    Not sure about your setup; we have a routed subnet going to dual pfsense with CARP.

    For the purposes of below we are using the following, also note we are not using NAT at all.

    Public /29 P1.x.x.x (CARP P1.x.x.3)
    Routed Subnet to above P2.x.x.x /25

    Example IP on a server would be P2.1.1.1

    The tunnel would look like below.

    Phase 1 - Peer ID = CARP IP P1.x.x.3
    Phase 2 - Local = P2.1.1.1/32
    Phase 2 - Remote network =

    Remote site would be configured as below

    Phase 1 - remote gateway = P1.x.x.3
    Phase 2 - Local =
    Phase 2 - Remote network = P2.1.1.1/32

    So we have the entire /24 subnet able to connect to the public IP via the VPN.