
I have a pfSense firewall and I need to connect to a remote site (from my client). I'm running into several issues, and don't see traffic flowing in any way.

Here's my setup:

  • LAN is 192.168.0.0/16
  • I have a WAN interface as the default gateway.
  • I have a WAN2 interface, that I'd like to use for the tunnel to the remote site.
  • The remote site is asking me to connect using local IPs of 172.27.10.0/24, as they won't be able to route my traffic otherwise. Their IP range (remote) is 10.100.0.0/16.

This is what I did already:

  • Set up the IPSec tunnel. This works, and I can connect.
  • I created a Virtual IP (Firewall -> Virtual IPs) of type IP Alias, in the LAN interface with IP Addresses of 172.27.10.0/24.
  • I added routes in System -> Routing, so 10.100.0.0/16 goes through WAN2. Same for 172.27.10.0/24, I added a route for that traffic to go through WAN2.
  • On Firewall -> NAT, Outbound, I created a rule for WAN2, source 192.168.0.0/16, Destination 10.100.0.0/16 and Translation Address the IP Alias I created (172.27.10.0).

With all this setup, I can't connect to any remote address. Even more, I don't see the tunnel connecting, so I guess it's not getting the traffic it needs.

I'm also not seeing any useful information in the firewall log.

Am I doing things right? (Or at least slightly close to right?)

pgb

1 Answer

You can't NAT like that, it hits IPsec before the NAT. You'll have to use 2.1 and its IPsec NAT capabilities in phase 2. You can only map a /24 to a /24, so you won't be able to map your entire internal /16 to that /24, only a /24 out of the /16.

Chris Buechler
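The following is an added illustration of the 1:1 (BINAT-style) phase 2 mapping the answer describes; it is not code from the thread or from pfSense. It assumes that 192.168.5.0/24 is the /24 chosen out of the 192.168.0.0/16 LAN to be presented to the remote site as 172.27.10.0/24, and shows why a /16 cannot be mapped onto a /24.

```python
import ipaddress

# Constructed sample values: one /24 picked out of the LAN, and the
# address block the remote site expects to see on its side of the tunnel.
LAN_SUBNET = "192.168.5.0/24"      # assumption: the /24 chosen from 192.168.0.0/16
NAT_SUBNET = "172.27.10.0/24"      # the block the remote site asked for


def can_map(local_net: str, nat_net: str) -> bool:
    """A 1:1 network translation keeps the host bits and swaps the prefix,
    so both networks must have the same prefix length."""
    a = ipaddress.ip_network(local_net, strict=False)
    b = ipaddress.ip_network(nat_net, strict=False)
    return a.prefixlen == b.prefixlen


def binat_translate(addr: str, local_net: str, nat_net: str) -> str:
    """Translate one address from local_net into nat_net, preserving the
    host bits. Call with the networks swapped for the return direction."""
    if not can_map(local_net, nat_net):
        raise ValueError(f"prefix length mismatch: {local_net} vs {nat_net}")
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(local_net, strict=False)
    dst = ipaddress.ip_network(nat_net, strict=False)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {local_net}")
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


def mappable_subnets(lan: str, prefixlen: int) -> list:
    """List the candidate /prefixlen blocks inside a larger LAN; only one of
    them can be mapped onto a /prefixlen translation network."""
    net = ipaddress.ip_network(lan, strict=False)
    return [str(s) for s in net.subnets(new_prefix=prefixlen)]


if __name__ == "__main__":
    # The whole /16 cannot be mapped, but any single /24 out of it can.
    print(can_map("192.168.0.0/16", NAT_SUBNET))          # False
    print(len(mappable_subnets("192.168.0.0/16", 24)))     # 256 candidate /24s
    print(binat_translate("192.168.5.20", LAN_SUBNET, NAT_SUBNET))  # 172.27.10.20
    print(binat_translate("172.27.10.20", NAT_SUBNET, LAN_SUBNET))  # 192.168.5.20
```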