19.7 Legacy Series / [Question] IPsec tunnel with multiple networks NATed
« on: August 15, 2019, 11:43:42 am »
I'm trying to set up an IPsec connection between two sites.
To be flexible and avoid any current or potential future IP range overlaps I want to "NAT away" some networks of one (or both) sides of the tunnel.
To make it a bit more complex, I want to be able to NAT only some of the devices in certain networks, not the network as a whole. This gives the maximum flexibility, as some of our clients can't or don't want to reserve a network of equal size to the one we use, and they only need access to certain devices/computers.
E.g. it's probably not necessary for them to access the database server; the web servers are enough.
Here's an example:
How can this "NAT magic" happen? Can I do this on the OPNsense, where the IPsec tunnel is configured or do I need a second device for that?
Can I configure a "routed IPsec tunnel" (2nd phase) and define some NAT there on the Site A side?
I tried that. The tunnel is up and working, but the NAT is not.
Thanks for any hint!
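The per-host "NAT away" the post asks for is a set of 1:1 translations bound to the tunnel interface, not a whole-subnet rule. The following is an added example, not code from the original post, from OPNsense or from any reply on this page. It plans such a mapping for a handful of exposed hosts, checks that the translated range does not collide with the remote site's networks, renders the rules in pf `binat` syntax (pf is the packet filter OPNsense uses; binat is its bidirectional 1:1 form), and models what the translation does to a packet in each direction. All addresses are constructed, the routed IPsec interface name `ipsec1` is an assumption, and how the OPNsense GUI itself renders these rules is not shown here.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed addressing, purely illustrative (not from the original post):
#   Site A's real LAN, the two hosts Site B should reach, the small range Site A
#   presents to the tunnel instead of its real LAN, and Site B's networks.
SITE_A_LAN = ipaddress.ip_network("192.168.10.0/24")
EXPOSED_HOSTS = {                     # real address -> role
    "192.168.10.11": "web1",
    "192.168.10.12": "web2",
    # the database server 192.168.10.13 is deliberately NOT listed
}
NAT_RANGE = ipaddress.ip_network("10.99.0.0/28")   # 14 usable addresses, far fewer than a /24
SITE_B_NETWORKS = [
    ipaddress.ip_network("192.168.10.0/24"),        # overlaps Site A's real LAN on purpose
    ipaddress.ip_network("172.16.0.0/16"),
]
TUNNEL_IF = "ipsec1"                                # assumed routed-IPsec (VTI) interface name


def conflicting_networks(nat_range: ipaddress.IPv4Network,
                         remote_nets: List[ipaddress.IPv4Network]) -> List[str]:
    """Return the remote networks the chosen NAT range overlaps with (empty list = safe)."""
    return [str(n) for n in remote_nets if nat_range.overlaps(n)]


def plan_host_nat(exposed: Dict[str, str], nat_range: ipaddress.IPv4Network,
                  remote_nets: List[ipaddress.IPv4Network]) -> Dict[str, str]:
    """Give each exposed real host a distinct translated address from nat_range.

    Raises ValueError if the range collides with the remote side or is too small.
    Hosts are assigned in ascending order of their real address so the plan is stable.
    """
    clashes = conflicting_networks(nat_range, remote_nets)
    if clashes:
        raise ValueError(f"NAT range {nat_range} overlaps remote network(s): {clashes}")
    free = list(nat_range.hosts())
    if len(exposed) > len(free):
        raise ValueError(f"NAT range {nat_range} has only {len(free)} usable addresses")
    ordered = sorted(exposed, key=ipaddress.ip_address)
    return {real: str(xlat) for real, xlat in zip(ordered, free)}


def pf_binat_rules(mapping: Dict[str, str], tunnel_if: str) -> List[str]:
    """Render pf 'binat' rules: a bidirectional 1:1 translation applied on the tunnel interface."""
    return [f"binat on {tunnel_if} from {real} to any -> {xlat}"
            for real, xlat in mapping.items()]


def translate(mapping: Dict[str, str], packet: Dict[str, str],
              direction: str) -> Optional[Dict[str, str]]:
    """Model what the binat rules do to one packet crossing the tunnel interface.

    outbound (LAN -> tunnel): rewrite the source if it is a mapped real host;
        an unmapped source passes untranslated, so a separate firewall rule on the
        tunnel interface should block sources that are not in the mapping.
    inbound  (tunnel -> LAN): rewrite the destination if it is a mapped translated
        address; a destination inside the NAT range that nothing maps to is returned
        as None (no host answers there, which is exactly how the DB server stays hidden).
    """
    reverse = {xlat: real for real, xlat in mapping.items()}
    out = dict(packet)
    if direction == "outbound":
        out["src"] = mapping.get(packet["src"], packet["src"])
        return out
    if direction == "inbound":
        dst = ipaddress.ip_address(packet["dst"])
        if dst in NAT_RANGE and packet["dst"] not in reverse:
            return None
        out["dst"] = reverse.get(packet["dst"], packet["dst"])
        return out
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    plan = plan_host_nat(EXPOSED_HOSTS, NAT_RANGE, SITE_B_NETWORKS)
    for rule in pf_binat_rules(plan, TUNNEL_IF):
        print(rule)
    print(translate(plan, {"src": "192.168.10.11", "dst": "172.16.5.5"}, "outbound"))
    print(translate(plan, {"src": "172.16.5.5", "dst": "10.99.0.2"}, "inbound"))
    print(translate(plan, {"src": "172.16.5.5", "dst": "10.99.0.9"}, "inbound"))
```

The point the model makes explicit: with a routed (VTI) tunnel the Phase 2 selectors no longer restrict traffic, so the NAT range `10.99.0.0/28` is what gets routed and advertised to Site B, while only the hosts in the mapping are reachable through it; everything else on `192.168.10.0/24` has no translation and therefore no path from the remote side.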