Outbound NAT is breaking Routed IPsec
dear community,
after several hours of trial and error we found out a very unhappy feature - I would call this a bug, if you agree. See my setup:
Local LAN = 172.25.16.0/24
Server NET = 172.25.17.0/24
IPsec-Tunnel is up and running (Ph1 + Ph2 connection status = OK)
remote network in IPsec is 10.x.x.x
the "bug" is:
- remote can ping my network/devices
- I can not ping to remote
- I can only ping to remote within 60 seconds after remote pinged me
- after 60 seconds since the last ping from remote, I cannot ping anymore
we tried several things and figured out that our outbound NAT was causing this problem. The outbound NAT was like:
- Hybrid Outbound NAT
- Mapping (we want to let people surf via special Public IP):
- Interface = WAN
- Source = ANY
- Destination = ANY
- NAT-Address = PublicIpForSurfing
once we disabled this mapping in outbound NAT, everything worked fine.
But the point I cannot really understand is: if I change the mapping like:
- Interface = WAN
- Source = 172.25.0.0/16
- Destination = ANY
- NAT-Address = PublicIpForSurfing
the IPsec tunnel is fine and working great, even when I do the same connection tests as before.
So my source is inside 172.25.0.0/16 either way, but:
- NAT Source = ANY --> NOT WORKING
- NAT Source = 172.25.0.0/16 --> WORKING
please help me understand whether this is a bug or a feature
cheers