@viragomann said in Outbound NAT over IPSEC tunnel not working:

@shaunmccloud said in Outbound NAT over IPSEC tunnel not working:

And the minute I add a P2 entry in my pfSense box for a remote network of 0.0.0.0/0, all network traffic but local dies.

So I'd assume, that the traffic is routed over the VPN, but not out on WAN.

But this is only the half of the battle. The traffic must be natted on the remote site

If the Meraki doesn't masquerade your subnets there is no way to go out to the internet through it.

I decided to cheat, and throw a virtual pfSense box in the data center to connect to. I'll see how that works tomorrow.

Update 2: Fixed it. It is not so clear that vti interfaces ip addresses have to be routed also. To make it simple: use single /24 subnet for all vti tunnels and add this subnet to "Static routes" at every site

@freddy550
No. Your IPSec configuration has to be aware of the NAT, otherwise it will not connect.

Imagine, the remote site is 192.168.20.0/24 and it is natted to 10.227.56.0/24. So your phase 2 has to use 10.227.56.0/24 as remote network to connect to.

@viragomann
It is policy-based tunnel (Tunnel IPv4).

Phase2 is working (status connected).

Status->SystemLogs->IPSEc has no corresponding entries.

But you said " and the subnet is not routed through the tunnel": This is exactly the problem - how to do this? As there are no thus options in the IPSec tunnel settings ("NAT/BINAT translation" should not be the corresponding option.)

@viragomann We got it sorted out....

on the main the tunnel to the 3rd party on the local network was using 1.0/24 and this needed to be 0.0/16

@nick-loenders
Anyway, if you have sequenced subnets like these you can embrace them in the p2 using an appropriate mask. But with a local LAN of 10.0.1.0/24 you run into risk of overlapping.

So if the LAN here is 10.0.1.0/24 you could only merge tunnel 2 and 3 by stating 10.0.2.0/23 as the remote network.

If you have control over all involved site you should consider this when designing the networks.

@viragomann I thought it would not work because the additional encryption domains, are not local to the Sophos either
But thanks, I will give it a try.