Hello dear community,
I have a specific question regarding the configuration of an IPSEC connection.
Background: I have a working IPSEC connection to a customer. The server VLAN (172.16.3.0/24) is directly connected to IKE Phase 2 and works perfectly (ping, etc. is possible). However, the client VLAN (192.168.0.0/24) cannot establish a connection over the IPSEC tunnel because the customer already uses this network locally.
Network Configuration:
- Server VLAN: 172.16.3.0/24 (works over IPSEC)
- Client VLAN: 192.168.0.0/24 (no connection possible)
- IPSEC Network: 10.175.16.0/16
Goal: I want to make sure that clients from the 192.168.0.0/24 VLAN can use the server's IP (e.g., NAT masquerading) to route through the IPSEC connection.
What I've tried:
- Changed the outbound NAT to "Hybrid":
  - Interface: IPSEC
  - Source: Client VLAN
  - Destination: IPSEC Network
  - Translation: Server VLAN
- Tried NAT over the WAN interface (no success).
I have also configured firewall rules to allow Any/Any for testing (for both IPSEC and Client).
Problem: Despite the configuration, I cannot send or receive packets from the client VLAN through the IPSEC connection (e.g., pings do not work).
Question: How can I ensure that the clients in the 192.168.0.0/24 VLAN can communicate through the IPSEC connection using Outbound NAT? Am I missing something in the configuration or have I made an error in my thinking?
Cheers, Simon
Why would a client in 192.168.0.0/24 on the client side ever route its traffic via the firewall? It has a direct connection to the subnet.
I think you need to either
- re-ip at least one of the 0.0 subnets
- go for a baroque setup where you NAT the far side to be out of subnet and have split DNS
- use an overlay network (Tailscale, Zerotier, etc.) and forget about IPSec
Bart...