Routing between pfSense Subnets and IPSec VPN

Question

I have a pfSense Router, which is the endpoint of a site-to-site IPSec VPN. In the pfSense the main LAN Interface is 10.0.2.1/24 and it has a virtual IP 10.0.125.1/24
The IPSec Phase 2 connects the 10.172.0.0/16 (from the other side) to the 10.0.125.1/24 network.
Now I want to connect to an ip from the other side, but from an ip in the 10.0.2.0/24 network

So the desired connection is 10.0.2.27 to 10.172.0.119
I tried to add the 10.0.125.1 as a gateway in the pfSense and route all traffic to the other network over it, when i did so i could ping the other side from the pfSense host but not from the 10.0.2.0/24 network.
I tried to add Outbound NAT, but that didn´t helped either.

What am I doing wrong?

Network

score 6 · Answer 1 · answered Jul 04 '15 at 05:29

6

Duplicate your existing P2 (click the + to the right of it), change local from 10.0.2.0/24, leaving same 10.172.0.0/16 remote. Do the same, flipping local and remote, on "other router." Then you'll be able to communicate between.

answered Jul 04 '15 at 05:29

Chris Buechler

2,998
14
18

Thanks for that, but the problem is that I don´t have access on the other side, so my question is if i can nat that traffic through the pfSense But outbound nat didn´t work (or i made it wrong) – W4rlock Jul 06 '15 at 05:40
If you only need egress traffic to that VPN, yes. Add another P2 only on your side, make the NAT subnet 10.0.2.0/24 and local 10.0.125.0/24 – Chris Buechler Jul 08 '15 at 23:38

score 2 · Accepted Answer · edited Jan 04 '17 at 16:25

2

It took me some time, but here is the answer: Edit the P2 in pfSense, set Local Network to: Network 10.0.2.0 /24 (the network where the clients actually reside) and set NAT/BINAT translation to: Network 10.0.125.0 /24

So the VPN tunnel will be established between the remote Network and 10.0.125.0 /24 but the clients from 10.0.2.0 /24 can connect and are nated via this option.

I only tested this if the connection is initalized from my side, I don´t know if the remote site can establish the connection

edited Jan 04 '17 at 16:25

BE77Y

2,667
3
18
23

answered Jan 04 '17 at 14:44

W4rlock

968
1
7
10

you really should have two phase2 entries, simplifies configuration, debugging, troubleshooting even if the functionality really were the same. – sjas May 23 '17 at 15:19

score 1 · Answer 3 · answered Apr 15 '17 at 18:08

1

You can have more than one P2. you should have two phase2 entries on both sides one per block.

answered Apr 15 '17 at 18:08

mike

19
1

2

Welcome to ServerFault. Did you read the other answers? – chicks Apr 15 '17 at 21:18

Routing between pfSense Subnets and IPSec VPN

3 Answers3