P2 NAT/BINAT not translating

IPsec
Log in to reply
  • D

    Hello,
    I have what seems like a simple NAT setup for a P2 IPSec tunnel but it is not translating. The tunnel is up and the far end, a Cisco, is seeing the original source address not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT trans is 192.168.171.1, Remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address but I believe that is expected.

    Sample traffic from tcpdump.
    10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

    Any ideas why this is not working as expected?

    Thanks

    0
  • D

    SPDs
    Source Destination Direction Protocol Tunnel Endpoints
    10.0.11.0/24 10.1.20.0/24 ► Outbound ESP 10.0.1.144 -> xx.60.84.3
    10.1.20.0/24 192.168.171.1 ◄ Inbound ESP xx.60.84.3 -> 10.0.1.144

    0
  • D

    I have narrowed the Local network and the NAT address to be just /32 addresses and still not working.

    Connections:
        con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
        con2:   local:  [xx.27.114.190] uses pre-shared key authentication
        con2:   remote: [xx.60.84.3] uses pre-shared key authentication
        con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
Routed Connections:
        con2{11}:  ROUTED, TUNNEL, reqid 2
        con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
Security Associations (2 up, 0 connecting):

        con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
        con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
        con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
        con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
        con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
        con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
    0
  • Derelict
    LAYER 8 Netgate

    The firewall service is disabled and no NAT is configured.

    What, exactly, does this mean?

    0
  • D

    In System, Advanced, Firewall & NAT, - Disable Firewall is selected, turning the device into a routing VPN device.
    In Firewall, NAT there are not any NAT definitions for any of the 4 sections other than the autocreated ones for ISAKMP.

    The only NAT is the NAT/BINAT setup in the IPSec tunnel config.

    0
  • Derelict
    LAYER 8 Netgate

    OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too just like that warning states.

    1
  • D

    Thank you that resolved it. I didn't realize the IPSec NAT and the firewall NAT were the same. Thanks again.

    1

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy