Netgate Discussion Forum

P2 NAT/BINAT not translating

IPsec
7 Posts 2 Posters 613 Views
Danb
last edited by Mar 12, 2019, 5:28 PM

    Hello,
    I have what seems like a simple NAT setup for a P2 IPSec tunnel but it is not translating. The tunnel is up and the far end, a Cisco, is seeing the original source address not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT trans is 192.168.171.1, Remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address but I believe that is expected.

    Sample traffic from tcpdump.
    10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

    Any ideas why this is not working as expected?

    Thanks

Danb
last edited by Mar 12, 2019, 5:44 PM

      SPDs
      Source Destination Direction Protocol Tunnel Endpoints
      10.0.11.0/24 10.1.20.0/24 ► Outbound ESP 10.0.1.144 -> xx.60.84.3
      10.1.20.0/24 192.168.171.1 ◄ Inbound ESP xx.60.84.3 -> 10.0.1.144

Danb
Mar 12, 2019, 7:15 PM (last edited by Danb Mar 12, 2019, 7:20 PM)

I have narrowed the Local network and the NAT address down to just /32 addresses and it is still not working.

        Connections:
                con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
                con2:   local:  [xx.27.114.190] uses pre-shared key authentication
                con2:   remote: [xx.60.84.3] uses pre-shared key authentication
                con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
        Routed Connections:
                con2{11}:  ROUTED, TUNNEL, reqid 2
                con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
        Security Associations (2 up, 0 connecting):
        
                con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
                con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
                con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
                con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
                con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
                con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
Derelict LAYER 8 Netgate
last edited by Mar 13, 2019, 7:15 AM

"The firewall service is disabled and no NAT is configured."

          What, exactly, does this mean?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

Danb
last edited by Mar 13, 2019, 4:16 PM

In System > Advanced > Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
In Firewall > NAT there are not any NAT definitions in any of the 4 sections other than the auto-created ones for ISAKMP.

            The only NAT is the NAT/BINAT setup in the IPSec tunnel config.

Derelict LAYER 8 Netgate
last edited by Mar 13, 2019, 5:53 PM

              OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too just like that warning states.


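Derelict's point is that the P2 NAT/BINAT setting is rendered into pf rules, so the "Disable Firewall" option takes the IPsec translation down with everything else. The following shell snippet is an added diagnostic, not something posted in this thread or shipped by pfSense: it reads the text of `pfctl -s info` and `pfctl -s nat` (both real pfctl options) and reports whether pf is enabled and whether any binat rule is bound to the IPsec interface. The sample pfctl output is constructed, and the exact `binat on enc0 ...` shape of the generated rule is an assumption about how pfSense expresses the P2 NAT/BINAT address.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread, not pfSense code).
# Inputs are the captured text of `pfctl -s info` and `pfctl -s nat`,
# so the functions can be exercised offline on constructed samples.

# pf_status: given the text of `pfctl -s info`, print enabled/disabled/unknown.
pf_status() {
    case "$1" in
        *"Status: Enabled"*)  echo enabled ;;
        *"Status: Disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# ipsec_binat_count: given the text of `pfctl -s nat`, count binat rules on enc0
# (assumption: pfSense renders the P2 NAT/BINAT setting as a binat rule on enc0).
ipsec_binat_count() {
    printf '%s\n' "$1" | grep -c '^binat on enc0 ' || true
}

# diagnose: combine both checks into a one-line verdict.
diagnose() {
    status=$(pf_status "$1")
    count=$(ipsec_binat_count "$2")
    if [ "$status" != enabled ]; then
        echo "pf is $status: IPsec NAT/BINAT rules cannot apply (re-enable the firewall)"
    elif [ "$count" -eq 0 ]; then
        echo "pf enabled but no binat rule on enc0: check the P2 NAT/BINAT setting"
    else
        echo "pf enabled with $count IPsec binat rule(s)"
    fi
}

# Constructed samples mirroring the thread: pf disabled, then enabled, plus the
# rule the P2 (10.0.11.30/32 -> 192.168.171.1, remote 10.1.20.0/24) would produce.
SAMPLE_INFO_DISABLED='Status: Disabled for 0 days 00:01:02          Debug: Urgent'
SAMPLE_INFO_ENABLED='Status: Enabled for 0 days 00:01:02           Debug: Urgent'
SAMPLE_NAT_RULES='binat on enc0 inet from 10.0.11.30 to 10.1.20.0/24 -> 192.168.171.1
nat on xn0 inet from 10.0.11.0/24 to any -> (xn0) port 1024:65535'

diagnose "$SAMPLE_INFO_DISABLED" "$SAMPLE_NAT_RULES"
diagnose "$SAMPLE_INFO_ENABLED" "$SAMPLE_NAT_RULES"
```

On a live box the same functions would be fed `"$(pfctl -s info)"` and `"$(pfctl -s nat)"`; the first sample reproduces the thread's situation, where the binat rule is present in the ruleset but pf itself is disabled, so the tcpdump on the far side shows the untranslated 10.0.11.30 source.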
Danb
last edited by Mar 13, 2019, 10:05 PM

                Thank you that resolved it. I didn't realize the IPSec NAT and the firewall NAT were the same. Thanks again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.