Netgate Discussion Forum

    Packets are not NAT'ted and encrypted when sent over IPSec2 interface

Blade1024

      Hi Guys,

      We have a private, non-internet-connected setup where inbound packets from the WAN interface (we have a host on the WAN subnet from which I am testing) must be sent into the IPSec tunnel and NAT'd. The IPSec connection is established over the same WAN interface, and routes are populated through a BGP session that runs within this IPSec. We have a few other hosts that are connected to the gateway beyond the WAN interface, which should use this path. The test WAN host is probing the path for them. Now, what I see is:

      1. NAT is being performed, and ESPs are not being sent out via the WAN interface matching the outgoing traffic if the NAT rule has the named IPSec interface that carries the BGP session (BGP sessions and pings to the other side of the tunnel are working fine). If I disable the NAT rule for this traffic, the ESPs are being sent out.
      2. NAT is not being done, but ESPs are being sent out if I have IPSec (plain) specified in the NAT.

      The desired scenario is when the WAN-originated traffic is being NAT'd. Does anyone have any idea why? The software version is a tad new - 25.03-BETA. The earlier one was crashing while attempting to push the NAT'd traffic via IPSec.

      Responses appreciated,
      Cheers

stephenw10 (Netgate Administrator)

        What sort of IPSec tunnel is this? How are you routing traffic from the WAN subnet via the tunnel?

        If it's policy based you must NAT the traffic in P2 or it won't match.

Blade1024 @stephenw10

          @stephenw10

          Hi, Yes, like this:

          Host->WAN->NAT->IPsec

          Just installed commercial authentic paid AWS image 24.11 and it crashed on the first NAT packet. Same issue as in the community. All it takes is one NAT invocation.

          It is not a policy - it is an OPT interface with the BGP routing on top of it.

          Regards

Blade1024

            @stephenw10

Went into the latest 25.03-BETA - still the same. ESPs are not generated for the NAT'd traffic.

            Regards

stephenw10 (Netgate Administrator)

Yup, that bug you were hitting is fixed in 25.03.

So the IPSec is set up as route mode (VTI)?

              And traffic coming into the WAN is simply routed across it by the system routing which is populated by BGP?

              Where do you have the NAT applied? Inbound on WAN or Outbound on VTI?

              What do you have IPsec Filter Mode set to in the advanced IPSec settings? You would need that set as filter on VTI if you're outbound NATing there.

Blade1024 @stephenw10

                @stephenw10

                Thank you for the bug clarification!
                Yes, IPSec is in VTI mode creating the OPT1 interface and BGP is running over it. NAT is outbound for a specific subset of traffic going out via OPT1. Let me try the filter mode. I will come back in a sec.

Blade1024

                  @stephenw10

You are the hero, man! It works!!!! Thanks a ton - you saved my lower back ;-)

That was a close call. Cheers, and let me know where I should send beers to.

                  P.S.: Did you figure out the interfaces? I have the same behavior for commercial 24.11 release - the interface assignments do not survive the reboot.

stephenw10 (Netgate Administrator)

                    Nope, I haven't found the interfaces issue yet. Let's dig into that further in the other thread.

Blade1024 @stephenw10

                      @stephenw10

                      Let me know if you need any info.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.