Not sure with IPSEC - there is a BINAT option which I think may do the job but I personally use OpenVPN for this sort of thing.
I have at least six customers with 192.168.0/24 LANs and won't budge but I need to monitor their gear. Each one is mapped to 192.168.0.z -> 10.n.y.z/24, where n is constant, y is customer specific and z is the system, so 192.168.0.10 -> 10.13.5.10 for the fifth customer. I can spell it all out if you like. I probably ought to write it up on the wiki if there isn't one already.

Cheers
Jon

On Fri, 2017-08-11 at 13:03 -0500, Adam Thompson wrote:
> Any ideas how I install an IPSec tunnel to a remote subnet that overlaps with a local subnet while not completely killing the local subnet?
>
> This isn’t _quite_ as insane as it sounds at first glance:
>
> The SPD (i.e. Phase 2) selectors on my side are from a single /32 IPv4 address on the LAN that needs to monitor half a dozen servers on three subnets in a foreign network. And one of those subnets overlaps with a locally-connected subnet.
>
> Despite the /32 selector, it appears that all traffic through pfSense destined for (in this case) 192.168.100.0/24 is getting routed down the tunnel instead of out the connected interface.
>
> The kernel routing table still looks correct (i.e. 192.168.100.0/24 via link#2 netif igb0) but packets from other subnets no longer arrive.
>
> I vaguely recall that IPSec in FreeBSD 10 doesn’t actually happen at the kernel routing table level, it’s somehow bolted on to the if_input/if_output code path (or something kinda like that).
>
> So what *appears* to have happened is that my IPSec tunnel from 192.168.158.11/32 to 192.168.100.0/24 is diverting *all* traffic from 192.168.158.0/24 to 192.168.100.24/0. I guess I’m not terribly surprised, but I wasn’t expecting that to happen when I had set a very narrow selector for the local end. (It’s perfectly OK if 192.168.158.11 can’t talk to the *local* 192.168.100.0 subnet.)
>
> Is this a bug in FreeBSD’s IPSec implementation, or is this expected behaviour?
>
> Is there a way to accomplish what I want? (That being that I have an IPSec tunnel to a remote subnet that overlaps a local subnet, with both being reachable and reachability being controlled by policy somehow.)
>
> I know on certain other firewalls where IPSec tunnels appear as virtual interfaces, I can use policy routing to accomplish my goal, but I don’t know of any way to do that with pfSense.
>
> Thanks,
> -Adam
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
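Jon's per-customer mapping written out in code, as an added example that is not part of the thread: it assumes n = 13 (taken from the 10.13.5.10 example) and shows the 1:1 translation in both directions that a BINAT rule per tunnel performs, so the monitoring host sees six distinct /24s even though every customer LAN is really 192.168.0.0/24.

```python
from ipaddress import IPv4Address, IPv4Network

# Assumed constants: the fixed second octet n is 13, as in the post's
# 192.168.0.10 -> 10.13.5.10 example for customer y=5. Every customer's
# real LAN is the same overlapping 192.168.0.0/24.
N = 13
CUSTOMER_LAN = IPv4Network("192.168.0.0/24")


def mapped_network(y: int) -> IPv4Network:
    """The 10.n.y.0/24 that stands in for customer y's 192.168.0.0/24."""
    if not 1 <= y <= 254:
        raise ValueError(f"customer index {y} out of range 1..254")
    return IPv4Network(f"10.{N}.{y}.0/24")


def to_mapped(y: int, real: str) -> IPv4Address:
    """Customer-LAN address -> the unique address the monitoring host targets.

    Host part z is preserved, so the rule is a pure 1:1 netmap (BINAT-style).
    """
    real_addr = IPv4Address(real)
    if real_addr not in CUSTOMER_LAN:
        raise ValueError(f"{real} is not inside {CUSTOMER_LAN}")
    host = int(real_addr) - int(CUSTOMER_LAN.network_address)
    return IPv4Address(int(mapped_network(y).network_address) + host)


def to_real(mapped: str) -> tuple[int, IPv4Address]:
    """Monitoring-side address -> (customer index, real LAN address).

    The third octet identifies which tunnel/customer the packet belongs to,
    which is what disambiguates the overlapping LANs on the way back.
    """
    a, b, y, z = IPv4Address(mapped).packed
    if (a, b) != (10, N):
        raise ValueError(f"{mapped} is not inside 10.{N}.0.0/16")
    if not 1 <= y <= 254:
        raise ValueError(f"{mapped} does not name a customer")
    return y, IPv4Address(int(CUSTOMER_LAN.network_address) + z)


if __name__ == "__main__":
    print(to_mapped(5, "192.168.0.10"))  # 10.13.5.10
    print(to_real("10.13.5.10"))         # (5, IPv4Address('192.168.0.10'))
```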
