Netgate Discussion Forum

    P2 NAT/BINAT not translating

    IPsec
    • Danb

      Hello,
      I have what seems like a simple NAT setup for a P2 IPsec tunnel, but it is not translating. The tunnel is up, and the far end, a Cisco, is seeing the original source address, not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT translation is 192.168.171.1, remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address, but I believe that is expected.

      Sample traffic from tcpdump:
      10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

      Any ideas why this is not working as expected?

      Thanks

      • Danb

        SPDs
        Source Destination Direction Protocol Tunnel Endpoints
        10.0.11.0/24 10.1.20.0/24 ► Outbound ESP 10.0.1.144 -> xx.60.84.3
        10.1.20.0/24 192.168.171.1 ◄ Inbound ESP xx.60.84.3 -> 10.0.1.144

        • Danb

          I have narrowed the local network and the NAT address down to just /32 addresses, and it is still not working.

          Connections:
                  con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
                  con2:   local:  [xx.27.114.190] uses pre-shared key authentication
                  con2:   remote: [xx.60.84.3] uses pre-shared key authentication
                  con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
          Routed Connections:
                  con2{11}:  ROUTED, TUNNEL, reqid 2
                  con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
          Security Associations (2 up, 0 connecting):
          
                  con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
                  con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
                  con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
                  con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
                  con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
                  con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
          • Derelict (LAYER 8, Netgate)

            The firewall service is disabled and no NAT is configured.

            What, exactly, does this mean?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Danb

              In System > Advanced > Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
              In Firewall > NAT there are not any NAT definitions in any of the 4 sections other than the auto-created ones for ISAKMP.

              The only NAT is the NAT/BINAT setup in the IPsec tunnel config.

              • Derelict (LAYER 8, Netgate)

                OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too, just as that warning states.

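                A quick self-check for exactly this failure mode, added here as an example (it is not from the thread or from pfSense itself): it parses pfctl's status and NAT-rule listings and reports whether pf is enabled and whether a rule translating to the P2 NAT address is actually loaded. It assumes the standard "Status:" line of `pfctl -si` and the rule format of `pfctl -sn`; the sample outputs and the shape of the NAT rule are constructed stand-ins, not the rule pfSense generates.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: confirm pf is enabled and that a
# nat/binat rule translating to the IPsec P2 NAT address is actually loaded.
# On pfSense you would run:
#   pf_nat_check "$(pfctl -si)" "$(pfctl -sn)" 192.168.171.1
# The sample outputs at the bottom are constructed stand-ins for a live box.

# Succeed when `pfctl -si` output reports "Status: Enabled".
pf_is_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# Succeed when the `pfctl -sn` listing has a nat or binat rule whose
# translation target is the given address (the "-> x.x.x.x" part).
has_ipsec_nat_rule() {
    printf '%s\n' "$1" | grep -Eq '^(nat|binat) .* -> '"$2"'( |$)'
}

# Print a verdict; return 0 only when translation can actually happen,
# 1 when pf itself is off (the thread's root cause), 2 when no rule is loaded.
pf_nat_check() {
    if ! pf_is_enabled "$1"; then
        echo "pf is disabled: IPsec NAT/BINAT cannot translate" \
             "(System > Advanced > Firewall & NAT, Disable Firewall)"
        return 1
    fi
    if ! has_ipsec_nat_rule "$2" "$3"; then
        echo "pf is enabled but no nat/binat rule translates to $3"
        return 2
    fi
    echo "pf is enabled and a NAT rule for $3 is loaded"
    return 0
}

# Constructed samples shaped like pfctl output (not captured from the poster's system).
PF_DISABLED_INFO="Status: Disabled for 0 days 00:02:11           Debug: Urgent"
PF_ENABLED_INFO="Status: Enabled for 0 days 00:02:11            Debug: Urgent"
NAT_RULES_SAMPLE="nat on enc0 inet from 10.0.11.30 to 10.1.20.0/24 -> 192.168.171.1"

pf_nat_check "$PF_DISABLED_INFO" "$NAT_RULES_SAMPLE" 192.168.171.1 || true
pf_nat_check "$PF_ENABLED_INFO" "$NAT_RULES_SAMPLE" 192.168.171.1
```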

                • Danb

                  Thank you, that resolved it. I didn't realize the IPsec NAT and the firewall NAT were the same. Thanks again.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.