Netgate Discussion Forum

Threads tagged "ipsec routing"

      Outbound NAT over IPSEC tunnel not working
      Category: NAT. Tags: outbound nat, ipsec, ipsec routing, meraki. 7 posts, 0 votes, 363 views.

      @viragomann said in Outbound NAT over IPSEC tunnel not working:

      @shaunmccloud said in Outbound NAT over IPSEC tunnel not working:

      And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.

      So I'd assume, that the traffic is routed over the VPN, but not out on WAN.

      But this is only half of the battle. The traffic must be NATed on the remote site.

      If the Meraki doesn't masquerade your subnets there is no way to go out to the internet through it.

      I decided to cheat, and throw a virtual pfSense box in the data center to connect to. I'll see how that works tomorrow.

      No routing between vti tunnels
      Category: IPsec. Tags: ipsec routing, vti, no route. 2 posts, 0 votes, 169 views.

      Update 2: Fixed it. It is not so clear that the VTI interfaces' IP addresses have to be routed as well. To make it simple: use a single /24 subnet for all VTI tunnels and add this subnet to "Static routes" at every site.

      IPSec tunnel questions
      Category: IPsec. Tags: ipsec routing. 4 posts, 0 votes, 579 views.

      @freddy550
      No. Your IPSec configuration has to be aware of the NAT, otherwise it will not connect.

      Imagine the remote site is 192.168.20.0/24 and it is NATed to 10.227.56.0/24. So your Phase 2 has to use 10.227.56.0/24 as the remote network to connect to.

      redirect to pfSense IPsec tunnel endpoint which has public IP
      Category: IPsec. Tags: ipsec, ipsec routing, route, gateway, nat. 5 posts, 0 votes, 567 views.

      @viragomann
      It is policy-based tunnel (Tunnel IPv4).

      Phase2 is working (status connected).

      Status -> System Logs -> IPsec has no corresponding entries.

      But you said "and the subnet is not routed through the tunnel": this is exactly the problem. How do I do this? There are no such options in the IPsec tunnel settings ("NAT/BINAT translation" should not be the corresponding option).

      Route traffic through ipsec tunnel
      Category: IPsec. Tags: ipsec routing. 10 posts, 0 votes, 1k views.

      @viragomann We got it sorted out...

      On the main site, the tunnel to the 3rd party was using 1.0/24 for the local network, and this needed to be 0.0/16.

      Access device via openvpn through ipsec tunnel
      Category: IPsec. Tags: ipsec routing, openvpn, config. 11 posts, 0 votes, 1k views.

      @nick-loenders
      Anyway, if you have consecutive subnets like these you can cover them in the P2 with an appropriate mask. But with a local LAN of 10.0.1.0/24 you run the risk of overlapping.

      So if the LAN here is 10.0.1.0/24 you could only merge tunnels 2 and 3 by stating 10.0.2.0/23 as the remote network.

      If you have control over all involved sites you should consider this when designing the networks.
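Two of the replies on this page reduce to arithmetic on the IPsec Phase 2 selectors: the "IPSec tunnel questions" reply (a remote LAN of 192.168.20.0/24 presented through BINAT as 10.227.56.0/24, so the local P2 must name 10.227.56.0/24) and the reply just above (adjacent remote /24s can be merged into one P2 entry with a shorter mask, but not if the resulting supernet swallows the local LAN). The following Python is an added example written for this page; it is not code from the forum posters, from pfSense or from strongSwan. It assumes that the BINAT is a 1:1 network translation that keeps the host bits, and it takes "merging" to mean the smallest single prefix covering all the listed networks. The addresses are the ones quoted in the two threads plus one constructed extra network (10.0.4.0/24) to show a merge that goes wrong.

```python
"""Phase 2 selector arithmetic: BINAT'd remote networks and subnet merging.

Added example for this page (not the posters' or pfSense's own code).
Assumptions: 1:1 network BINAT preserving host bits; "merge" = smallest
single covering prefix.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def p2_remote_selector(real_remote: str, binat_remote: Optional[str] = None) -> Net:
    """Network to enter as the P2 'remote network'.

    When the far side BINATs its LAN, the selector must be the translated
    network (what the remote gateway actually presents to the tunnel), not
    the real network behind it.
    """
    real = ipaddress.ip_network(real_remote)
    if binat_remote is None:
        return real
    binat = ipaddress.ip_network(binat_remote)
    if real.prefixlen != binat.prefixlen:
        # A 1:1 network translation needs equally sized networks.
        raise ValueError("real and BINAT networks must have the same prefix length")
    return binat


def translated_host(real_remote: str, binat_remote: str, host: str) -> Addr:
    """Address at which a host in the real remote LAN is reached via the tunnel.

    Assumption of this example: the BINAT swaps the network part and keeps
    the host bits, so 192.168.20.15 becomes 10.227.56.15.
    """
    real = ipaddress.ip_network(real_remote)
    binat = p2_remote_selector(real_remote, binat_remote)
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    offset = int(addr) - int(real.network_address)
    return binat.network_address + offset


def merge_remote_networks(remote_nets: Iterable[str],
                          local_lans: Iterable[str]) -> Tuple[Net, List[Net]]:
    """Smallest single prefix covering all remote networks, plus the local
    LANs that prefix would also cover (an empty list means the merge is safe).

    Widening a P2 selector sends everything inside it into the tunnel, so a
    merge that overlaps a local LAN is exactly the trap the reply warns about.
    """
    nets = [ipaddress.ip_network(n) for n in remote_nets]
    lans = [ipaddress.ip_network(l) for l in local_lans]
    if len({n.version for n in nets + lans}) != 1:
        raise ValueError("all networks must be the same IP version")
    candidate = nets[0]
    # Keep halving the prefix length until every remote network fits.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    clashes = [lan for lan in lans if candidate.overlaps(lan)]
    return candidate, clashes


if __name__ == "__main__":
    # Values from the "IPSec tunnel questions" reply.
    print(p2_remote_selector("192.168.20.0/24", "10.227.56.0/24"))            # 10.227.56.0/24
    print(translated_host("192.168.20.0/24", "10.227.56.0/24", "192.168.20.15"))  # 10.227.56.15
    # Values from the reply above: tunnels 2 and 3 merge into a /23 cleanly.
    print(merge_remote_networks(["10.0.2.0/24", "10.0.3.0/24"], ["10.0.1.0/24"]))
    # Constructed extra network: pulling in 10.0.4.0/24 forces a /21 that
    # covers the local LAN 10.0.1.0/24, so this merge must be rejected.
    print(merge_remote_networks(["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"],
                                ["10.0.1.0/24"]))
```

The pfSense GUI does none of this checking for you: it accepts whatever network and mask you type into the P2. Run the merge check before widening a selector, and remember that a supernet also captures address space no site actually owns (10.0.5.0/24 to 10.0.7.0/24 in the rejected case), which will then be policy-routed into the tunnel instead of following the normal routing table.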

      Routing advice for distant networks available through IPSec tunnel
      Category: Routing and Multi WAN. Tags: sophos utm, ipsec routing, ipsec. 3 posts, 0 votes, 785 views.

      @viragomann I thought it would not work because the additional encryption domains are not local to the Sophos either.
      But thanks, I will give it a try.