NAT over IPSEC VPN

Started by jjoseph, March 02, 2023, 03:19:09 PM

Hello everyone. Hope you are all having a good day today. I need some help with an issue I am trying to get going. I have a requirement to set up an IPsec VPN (site to site) and do NATing across from the remote site to the main site. We are going to have a lot of VPNs coming into the main site, and we need to NAT the remote sites' traffic coming in.
In my example here, I have a remote site with a 192.168.10.0/24 network, and I need to NAT that traffic to be 172.16.10.0/24 as it leaves the OPNsense box and goes across the VPN to the main site. I have tried several things, but cannot seem to get this to work. Any help would be appreciated on how to do this.


Thank you for that link. I did try that, and it did not work for me. After I configured that very thing, I did a tracert and it appeared to go out to the internet instead of across the VPN, seeing that the first hop was the internal IP of the OPNsense box and the second was the public IP next hop from the firewall. Is there anything else that has to be configured with this?

Is 172.16.10.0/24 your transfer network? What is the third network?

172.16.10.0/24 is the "NAT to" address range, where 192.168.10.0/24 is the "to be NATed" address range. The main site is 192.168.1.0/24.

March 02, 2023, 09:43:17 PM #5 Last Edit: March 03, 2023, 06:21:00 AM by mimugmail
So, the client with 192.168.10 wants to reach .1 and the source should be NATted to 172?

Then you need a Phase 2 for 172 to 192.168.1, add 192.168.10.0/24 to the SPD in P2, and an outbound NAT: interface IPsec, source 192.168.1, destination .10., translated 172.x
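To see why all three pieces in that reply (the Phase 2 for the translated range, the SPD entry for the real source range, and the outbound NAT rule on the IPsec interface) have to be present, here is an added toy model of the order of operations. It is not OPNsense, FreeBSD or strongSwan code; it assumes, as a model, that the kernel consults the SPD with the original packet first, that outbound NAT on the IPsec interface then rewrites the source, and that the rewritten packet must fit a Phase 2 selector to be encrypted. The 1:1 network mapping and the sample host addresses are constructed; the three networks are the ones from this thread.

```python
"""Toy model of the "NAT before IPsec" order of operations on a policy-based tunnel.

Added illustration, not OPNsense, FreeBSD or strongSwan code. Assumed order:
  1. SPD lookup on the original packet (decides tunnel vs. default route),
  2. outbound NAT on the IPsec interface rewrites the source,
  3. the translated packet must fit a Phase 2 selector to be encrypted.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Selector:
    """A local/remote network pair, used for both Phase 2 and manual SPD entries."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.local and pkt.dst in self.remote


@dataclass(frozen=True)
class OutboundNat:
    """Outbound NAT rule on the IPsec interface; assumed 1:1 network mapping of the source."""
    source: IPv4Network
    destination: IPv4Network
    translated: IPv4Network

    def apply(self, pkt: Packet) -> Packet:
        if not (pkt.src in self.source and pkt.dst in self.destination):
            return pkt
        # Keep the host part, swap the network part (192.168.10.5 -> 172.16.10.5).
        host_bits = int(pkt.src) & int(self.source.hostmask)
        new_src = IPv4Address(int(self.translated.network_address) | host_bits)
        return replace(pkt, src=new_src)


def forward(pkt: Packet, spd: Sequence[Selector], nat: Sequence[OutboundNat],
            phase2: Sequence[Selector]) -> Tuple[str, Packet]:
    """Return (path, packet as it leaves the box) for one outbound packet."""
    # 1. SPD lookup on the *original* packet decides tunnel vs. default route.
    if not any(s.matches(pkt) for s in spd):
        return "default-route", pkt  # the symptom: traceroute heads for the Internet
    # 2. Outbound NAT on the IPsec interface rewrites the source.
    for rule in nat:
        pkt = rule.apply(pkt)
    # 3. The translated packet must fit a Phase 2 selector to be encrypted.
    if not any(p.matches(pkt) for p in phase2):
        return "no-matching-sa", pkt
    return "ipsec", pkt


REMOTE_LAN = ip_network("192.168.10.0/24")  # "to be NATed" range at the remote site
NAT_RANGE = ip_network("172.16.10.0/24")    # "NAT to" range the main site sees
MAIN_LAN = ip_network("192.168.1.0/24")     # main site LAN

P2 = [Selector(NAT_RANGE, MAIN_LAN)]          # Phase 2: 172.16.10.0/24 <-> 192.168.1.0/24
MANUAL_SPD = Selector(REMOTE_LAN, MAIN_LAN)   # 192.168.10.0/24 added to the SPD of that P2
NAT_RULE = OutboundNat(REMOTE_LAN, MAIN_LAN, NAT_RANGE)

# Constructed sample packet: a remote-site host talking to a main-site host.
TEST_PKT = Packet(ip_address("192.168.10.5"), ip_address("192.168.1.20"))


def phase2_only() -> Tuple[str, Packet]:
    """NAT rule and Phase 2, but no SPD entry for the real source: leaves via default route."""
    return forward(TEST_PKT, spd=P2, nat=[NAT_RULE], phase2=P2)


def with_spd_and_nat() -> Tuple[str, Packet]:
    """Phase 2 + manual SPD entry + outbound NAT: translated and tunnelled."""
    return forward(TEST_PKT, spd=P2 + [MANUAL_SPD], nat=[NAT_RULE], phase2=P2)


def spd_without_nat() -> Tuple[str, Packet]:
    """SPD entry but no NAT rule: the untranslated source fits no Phase 2 selector."""
    return forward(TEST_PKT, spd=P2 + [MANUAL_SPD], nat=[], phase2=P2)


if __name__ == "__main__":
    for name, fn in [("phase2_only", phase2_only),
                     ("with_spd_and_nat", with_spd_and_nat),
                     ("spd_without_nat", spd_without_nat)]:
        path, out = fn()
        print(f"{name:18s} -> {path:14s} src={out.src} dst={out.dst}")
```

The first scenario reproduces the traceroute symptom reported earlier in the thread: with only the 172 Phase 2 in place, the original 192.168.10.x packet matches nothing in the SPD and follows the default route. The main site, for its part, only ever sees 172.16.10.0/24, so its own Phase 2 must name that range rather than 192.168.10.0/24.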

I'll give that a try.  Thank you.