IPsec with NAT setup help

[penguin44]

Hi,

Hope someone has gone through this and found a solution. I have spent days going over my configurations and referencing this forum and other sites trying to find a workable solution for the IPsec with NAT setup.

I've got Phase 1 working. Phase 2 and correct Outbound or 1:1 NAT is where I'm stuck.

My setup:

I have a 192.168.20.0/24

Partner remote network is  172.83.125.0/26

Because of overlapping network on the partner side, we agreed on a translated network between our sites.

My fake (translated network) is : 172.30.217.193/28


Because the fake translated network is /28, and I can't map my real network ( 192.168.20.0/24) to it 1:1.
I will need to create another subnet of my real network to create a slash 28.

For that, I created 192.168.20.0/28

My plan is to route 192.168.20.0/28 to the partner remote network (172.81.125.0/26), should be natted to 172.30.217.193/28


I have this identical setup on my Zywall router and it works. Just trying to move from my current router to OPNsense.

This is how it's setup on Zywall:

https://support.zyxel.eu/hc/en-us/articles/360001378633-How-to-setup-SNAT-in-a-VPN-tunnel

Hope i can find some help here.

Thanks,

~Richard

[mimugmail]

What is the flow in the VPN? Does only your hosts initiiate connections to peer site? Then you don't need to map and slice your network. You can also nat your network to one IP of your site.

Also don't forget to put your real network in SPD line in phase2

[penguin44]

Got this working. Straightforward one-to-one NAT.

Thanks,
Richard