# IPSEC and NAT

## banforce (Feb 23, 2015)

Hello,

Firstly I would like to describe my actual network configuration:

`uname -a`

```
FreeBSD router 10.1-RELEASE-p5 FreeBSD 10.1-RELEASE-p5 #3: Sat Feb  7 11:33:51 CET 2015  root@router:/usr/obj/usr/src/sys/CWROUTER  amd64
```

extra options compiled into kernel:

```
options  ALTQ
options  ALTQ_CBQ  # Class Bases Queuing (CBQ)
options  ALTQ_RED  # Random Early Detection (RED)
options  ALTQ_RIO  # RED In/Out
options  ALTQ_HFSC  # Hierarchical Packet Scheduler (HFSC)
options  ALTQ_PRIQ  # Priority Queuing (PRIQ)
options  ALTQ_NOPCC  # Required for SMP build
options  IPSEC
options  IPSEC_FILTERTUNNEL
options  IPSEC_NAT_T
options  MROUTING
device  enc
device  crypto
```

My LAN addresses:

```
vlan1 192.168.1.0/24
vlan2 192.168.2.0/24
vlan3 192.168.3.0/24
vlan4 192.168.4.0/24
vlan5 192.168.5.0/24
...
```

Sometimes I create new vlans to separate traffic if needed.

The router always has the IP ending with .1.

We are connected to our partners' or clients' networks over IPSEC. In most cases we don't have admin access to the router on the other side of the connection.

Main problem:
Sometimes I need to give access to a device which is in a vlan that is not configured for IPSEC. I don't want to reconfigure the IPSEC connection only to give access to some remote IP for 30 minutes. So the solution should be NAT from an unconfigured class to the remote site (example 10.0.0.0/24).

Let's say vlan5 is freshly added and not configured to have access to the remote site; only vlan1 has access to the remote site. How to build NAT to make it work?

My idea was:

```
nat on enc0 inet from 192.168.5.0/24 to 10.0.0.0/24 -> (vlan1:0)
```
but it doesn't work.

Any other ideas how to solve this problem?

Kind regards,
