General Discussion / Source NAT over ipsec VPN
« on: May 25, 2016, 04:58:12 pm »
I'm coming from a Cisco ASA (I'm a router jockey) and just built a new firewall to replace my aging ASA 5510. I have a number of B2B VPN connections to different clients. I have one client whose inside network routing domain overlaps with my local routing domain. (He is on an ASA as well.) I simply NAT my traffic to him to a network that doesn't overlap his.
Example - I am 10.10.100.0/24. He has local routes that go to other networks that contain 10.10.100.0/24, so I can't use that when I connect.
I do not need to reach his 10.10.100.0/24 network. Just his inside local network. With the ASA I simply NAT to 172.25.x.x (in my case, I only NAT 10.10.100.0/28 to 172.25.100.0/28). It's dead easy on an ASA, but I can't get this working on OPNsense.
I've tried the one-to-one NAT rule with the rule applied to IPsec.
I've tried the BINAT in the IPsec config. Nope.
I can get a tunnel up, but no traffic goes over the tunnel. (My local network is set to 172.20.100.0/28 in the phase 2 config.)
This should be easy. What am I missing here?
Thanks in advance.
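The design the post describes, as an added example that is not from the post or from OPNsense: a 1:1 (BINAT) translation that keeps the host bits, and a checker that the translated prefix does not overlap anything the peer routes and that the phase 2 local network is the post-NAT prefix. The peer's routed prefixes are a constructed sample.

```python
"""Consistency checks for 1:1 (BINAT) source NAT over an IPsec tunnel.

Added example; prefixes are the ones from the post, the peer's routes are constructed.
"""
from ipaddress import IPv4Address, ip_address, ip_network


def translate(addr, local, translated):
    """Map one host in `local` to its 1:1 counterpart in `translated`, keeping the host bits."""
    addr, local, translated = ip_address(addr), ip_network(local), ip_network(translated)
    if local.prefixlen != translated.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if addr not in local:
        raise ValueError(f"{addr} is outside {local}")
    host_bits = int(addr) - int(local.network_address)
    return IPv4Address(int(translated.network_address) + host_bits)


def check_design(local, translated, phase2_local, remote_routes):
    """Return a list of problems; an empty list means the BINAT design is consistent."""
    local, translated, phase2_local = map(ip_network, (local, translated, phase2_local))
    problems = []
    if local.prefixlen != translated.prefixlen:
        problems.append("BINAT prefixes must have the same length")
    # The translated prefix is what the peer sees; it must not collide with anything he routes.
    for route in map(ip_network, remote_routes):
        if translated.overlaps(route):
            problems.append(f"translated {translated} overlaps remote route {route}")
    # Phase 2 must carry the post-NAT prefix, not the original one.
    if phase2_local != translated:
        problems.append(f"phase 2 local network {phase2_local} != translated {translated}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the peer routes a supernet that contains 10.10.100.0/24.
    remote = ["10.10.0.0/16", "192.168.50.0/24"]
    print(check_design("10.10.100.0/28", "172.25.100.0/28", "172.25.100.0/28", remote))
    print(translate("10.10.100.5", "10.10.100.0/28", "172.25.100.0/28"))
```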