NAT before IPsec VPN
I thought we already had a feature ticket open for IPsec+NAT in general but doesn't appear so.
#1 Updated by Michele Di Maria about 9 years ago
Thanks to FreeBSD 9 it should now be possible to NAT before the VPN in order to solve network overlap.
Here http://www.undeadly.org/cgi?action=article&sid=20090127205841 there's an example where this feature has been implemented. According to the "Deconflicting networks example" it should now be possible to NAT an entire network to a new one before the VPN encodes the traffic for the remote network.
If this works, it should be possible to add a "NAT as" option to the IPsec Phase 2 form where the network (or the single IP address, in the case of outgoing NAT) is requested.
#4 Updated by Ermal Luçi about 9 years ago
Just to synchronize the answer
#8 Updated by Michele Di Maria over 7 years ago
Hi, sorry for this late testing.
I have figured out how to test it without upgrading to 2.1 in my production environment, and I am using two pfSense boxes (Office 2.0.2 and Home 2.1).
The first phase 2 (Local LAN to Remote LAN) has no problems.
The second phase 2 (Local LAN to Remote DMZ) on the remote side of the VPN (the Office) comes up with no problems.
On the local box, in the SPD I see:
10.0.3.0/24 192.168.28.0/24 >> (correct)
192.168.22.0/24 10.0.3.0/24 << (not correct: the 192.168.22.0 should be translated to 192.168.28.0/24 according to the "In case you need NAT/..." setting for this phase 2.)
Am I mistaken about something, or is there something else I should add?
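The two points raised in this ticket, translating a network before it enters the tunnel to deconflict overlapping address space, and the SPD check in the last comment where the inbound entry still shows the untranslated network, can be checked mechanically. The script below is an added example written for this page; it is not pfSense code and not from the undeadly article. It assumes a minimal model of a phase 2 entry (local network, remote network, and an optional translated form of the local network, standing in for the "NAT as" / "In case you need NAT/BINAT" setting) and SPD lines in the "src dst direction" shape shown in the comment above. The sample SPD text and the phase 2 definitions are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple, List, Dict

SpdEntry = Tuple[str, str, str]  # (source network, destination network, ">>" or "<<")


@dataclass(frozen=True)
class Phase2:
    """Hypothetical model of one IPsec phase 2 as configured on a box.

    nat_local is the address the local network is translated to before the
    tunnel sees it (the "NAT as" idea from comment #1); None means no NAT."""
    local: str
    remote: str
    nat_local: Optional[str] = None


def expected_spd(p2: Phase2) -> Set[SpdEntry]:
    """Both SPD entries a phase 2 should produce.

    With NAT before IPsec the tunnel must only ever see the translated local
    network, in the outbound (>>) and the inbound (<<) direction alike; an
    entry that still carries the real local network is the asymmetry the
    ticket describes."""
    wire_local = p2.nat_local or p2.local
    return {
        (wire_local, p2.remote, ">>"),
        (p2.remote, wire_local, "<<"),
    }


def parse_spd(text: str) -> Set[SpdEntry]:
    """Parse 'src dst >>|<<' lines; trailing annotations are ignored and
    networks are normalised through ipaddress so '10.0.3.0/24' compares
    equal regardless of how it was written."""
    entries: Set[SpdEntry] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[2] not in (">>", "<<"):
            continue
        src = str(ipaddress.ip_network(parts[0], strict=False))
        dst = str(ipaddress.ip_network(parts[1], strict=False))
        entries.add((src, dst, parts[2]))
    return entries


def check_spd(phase2s: List[Phase2], spd_text: str) -> Dict[str, List[SpdEntry]]:
    """Compare the SPD actually installed against what the phase 2 list
    implies. 'missing' are entries that should exist but do not; 'unexpected'
    are installed entries no phase 2 accounts for (e.g. an untranslated
    network that leaked into the policy)."""
    actual = parse_spd(spd_text)
    expected: Set[SpdEntry] = set().union(*(expected_spd(p) for p in phase2s))
    return {
        "missing": sorted(expected - actual),
        "unexpected": sorted(actual - expected),
    }


# Constructed sample: the first phase 2 mirrors the comment above (the peer
# presents its DMZ as 192.168.28.0/24, but the inbound policy still names
# 192.168.22.0/24); the second is a deconfliction case where both sites use
# 192.168.1.0/24 and the local side is translated to 10.99.1.0/24.
SAMPLE_PHASE2 = [
    Phase2(local="10.0.3.0/24", remote="192.168.28.0/24"),
    Phase2(local="192.168.1.0/24", remote="192.168.1.0/24", nat_local="10.99.1.0/24"),
]

SAMPLE_SPD = """\
10.0.3.0/24 192.168.28.0/24 >> (correct)
192.168.22.0/24 10.0.3.0/24 << (not correct)
10.99.1.0/24 192.168.1.0/24 >>
192.168.1.0/24 10.99.1.0/24 <<
"""


def sample_report() -> Dict[str, List[SpdEntry]]:
    return check_spd(SAMPLE_PHASE2, SAMPLE_SPD)


if __name__ == "__main__":
    for kind, entries in sample_report().items():
        for src, dst, direction in entries:
            print(f"{kind}: {src} {dst} {direction}")
```

Running it reports the inbound entry for the first phase 2 as both missing (the translated form is absent) and unexpected (the untranslated 192.168.22.0/24 is present), while the deconflicted second phase 2 checks clean because both of its SPD entries carry the translated network. The same function can be pointed at the SPD dump from either end of a tunnel, so the two sides of a NAT-before-IPsec setup can be verified against the same phase 2 definitions.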