I'm looking for a bit of help in an IPsec implementation.
Big picture:
We're allowing some of our vendors & fulfillment houses to connect their
agents' workstations to our Oracle database via Site-to-site IPsec:
The Problem:
The IPsec tunnel is already configured, and works great except that it
(naturally) requires that ALL of our vendors (present and future) NOT be
using the 10.0.0.8 address, neither the 10./8 subnet nor the 10.0/16 subnet.
We don't want to require future vendors to renumerate their networks!
The Question:
Is there a way that we can do site-to-site tunneling BUT make OUR end of the
IPsec tunnel (the remote end to our vendors) be a public IP address on a /32
subnet rather than an address or subnet within our private network?
Naturally our public IP addresses are already globally unique, and routing
to one of our public addresses would eliminate present and future numeration
conflicts. The probem I'm struggling with is routing traffic from the
virtual IPsec interface to the internal database host on a 10.0/16 network
Naturally the normal NAT port forwarding rules do not apply to the virtual
IPsec interface, so it occurred to me to use 1:1 NAT to create the route
using a dedicated Virutal IP (a public IP address), but it appears that the
configurator does not offer the IPsec interface when configuring 1:1 NAT.
It also occurred to me that I might need to FIRST bridge the IPsec interface
to the WAN interface, (thereby enabling 1:1 NAT on the WAN interface) but
that also appears to be impossible, or perhaps just a really bad idea for
some reason that I'm not thinking of :-)
Is it even possible to do what I'm trying to do? Any help would be much
appreciated!
Thanks in advance!
-Karl
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
