NAT with IPsec Phase 2 Networks

pfSense® software supports NAT on policy-based IPsec phase 2 entries so that the local network appears to the remote peer as a different subnet or address. This can be used to work around subnet conflicts or to connect to vendors without renumbering the local network.

Warning

NAT is not currently compatible with route-based VTI IPsec tunnels unless the IPsec Filter Mode is changed to a mode which is incompatible with tunnel mode (policy-based) IPsec. See Advanced IPsec Settings for details.

Configuration

NAT is configured by the NAT/BINAT Translation options on an IPsec phase 2 entry in tunnel mode, in combination with the Local Network settings.

Local Network:

Values of Type and Address specify the actual local network (e.g. LAN subnet).

NAT/BINAT Translation:

Values of Type and Address specify the translated network visible to the far side.

NAT Types

There are two main modes for NAT with IPsec:

Binat - 1:1 NAT:

When both the actual and translated local networks use the same subnet mask, the firewall directly translates the networks to one another, inbound and outbound. This mode can also be used to translate a single address to another single address.

This allows remote hosts to directly contact local hosts using their equivalent NAT addresses, provided that rules on the IPsec tab allow the traffic to pass.

NAT - Overload/PAT Style:

If the Local Network is a subnet, but the NAT/BINAT Translation address is set to a single IP address, then a 1:many NAT (PAT) translation is set up that works like an outbound NAT rule on WAN. All outbound traffic will be translated from the local network to the single IP address in the NAT field.

Note

Inbound traffic from the remote network to individual local hosts is not possible in this mode.

Warning

NAT+IPsec cannot be configured between two subnets of different sizes (e.g. it cannot NAT a /24 subnet to a /27 subnet). The only supported combinations are same-size networks (1:1 BINAT) or a network translated to a single address (overload).

Example

Consider an IPsec tunnel to a Vendor which requires 172.16.5.0/24 for the network on this firewall. However, the LAN is actually 192.168.1.0/24, and renumbering is not feasible.

To accommodate this scenario, set the phase 2 values as follows:

Local Network:
  Type: Network
  Address: 192.168.1.0/24

NAT/BINAT Translation:
  Type: Network
  Address: 172.16.5.0/24
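To make the two NAT modes and the example above concrete, the following added example (not pfSense code; the class and function names are assumptions for the illustration) models the Local Network and NAT/BINAT Translation fields of a phase 2 entry, picks the mode the same way the descriptions above do, and shows which address the vendor sees for a given LAN host and which LAN host a vendor packet reaches. In 1:1 BINAT mode only the network prefix changes, so 192.168.1.50 is seen as 172.16.5.50; in overload mode every host collapses to the single NAT address and inbound traffic to an individual host is impossible; a /24 to /27 pair is rejected, matching the warning above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Illustrative model of a tunnel-mode phase 2 entry's Local Network and
# NAT/BINAT Translation fields. Added example, not pfSense code: the class
# and helper names below are assumptions made for this illustration.


@dataclass(frozen=True)
class Phase2Nat:
    local: ipaddress.IPv4Network       # Local Network (actual LAN subnet)
    translated: ipaddress.IPv4Network  # NAT/BINAT Translation (seen by peer)

    @property
    def mode(self) -> str:
        """'binat' for 1:1 translation (equal prefix lengths, including two
        single /32 addresses); 'nat' for overload/PAT (a subnet hidden
        behind one address). Anything else is the unsupported
        different-sized-subnets case."""
        if self.local.prefixlen == self.translated.prefixlen:
            return "binat"
        if self.translated.prefixlen == 32:
            return "nat"
        raise ValueError(
            f"cannot translate {self.local} to {self.translated}: "
            "prefix lengths differ and the target is not a single address")

    def outbound(self, src: str) -> str:
        """Source address the remote peer sees for a local packet from src."""
        src_ip = ipaddress.ip_address(src)
        if src_ip not in self.local:
            raise ValueError(f"{src} is not inside Local Network {self.local}")
        if self.mode == "nat":
            # Overload: every local host appears as the single NAT address.
            return str(self.translated.network_address)
        # 1:1 BINAT: host bits are preserved, only the network prefix changes.
        offset = int(src_ip) - int(self.local.network_address)
        return str(self.translated.network_address + offset)

    def inbound(self, dst: str) -> Optional[str]:
        """Actual local host a remote packet addressed to dst reaches, or
        None in overload mode, where the single translated address cannot
        identify an individual local host."""
        if self.mode == "nat":
            return None
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in self.translated:
            raise ValueError(
                f"{dst} is not inside translated network {self.translated}")
        offset = int(dst_ip) - int(self.translated.network_address)
        return str(self.local.network_address + offset)


def phase2_nat(local: str, translated: str) -> Phase2Nat:
    """Build the entry from the Address values as typed into the GUI.
    A 'Type: Address' value is a single host, i.e. a /32 network."""
    return Phase2Nat(ipaddress.ip_network(local, strict=False),
                     ipaddress.ip_network(translated, strict=False))


def nat_mode(local: str, translated: str) -> Optional[str]:
    """Mode the firewall would use, or None if the pair is not translatable."""
    try:
        return phase2_nat(local, translated).mode
    except ValueError:
        return None


if __name__ == "__main__":
    # The vendor example from above: 192.168.1.0/24 presented as 172.16.5.0/24
    vendor = phase2_nat("192.168.1.0/24", "172.16.5.0/24")
    print(vendor.mode, vendor.outbound("192.168.1.50"), vendor.inbound("172.16.5.50"))
    # Overload: the whole LAN hidden behind one address
    hidden = phase2_nat("192.168.1.0/24", "172.16.5.1")
    print(hidden.mode, hidden.outbound("192.168.1.50"), hidden.inbound("172.16.5.1"))
    # Unsupported: different-sized subnets
    print(nat_mode("192.168.1.0/24", "172.16.5.0/27"))
```

The vendor therefore adds a route or rule for 172.16.5.0/24 and reaches the LAN host 192.168.1.50 as 172.16.5.50, while rules on this firewall's IPsec tab still match the real 192.168.1.0/24 addresses.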

Firewall Rules

NAT is applied before firewall rules, so rules on the IPsec tab must match the actual addresses in Local Network (192.168.1.0/24 in the example above), not the translated addresses.

Remote End Notes

The far side of the tunnel does not need any knowledge of the actual Local Network. The remote peer builds its phase 2 between its own local network and the NAT/BINAT Translation value, which is the only network it sees on this side.

Packet Capturing Quirk

In a packet capture on the IPsec interface, outbound traffic shows the actual Local Network addresses rather than the translated addresses. This is expected and does not indicate a problem.