    I have what seems like a simple NAT setup for a P2 IPSec tunnel but it is not translating. The tunnel is up and the far end, a Cisco, is seeing the original source address not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is, NAT/BINAT trans is, Remote network is The remote side is seeing traffic from instead of the address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address but I believe that is expected.

    10:27:15.770886 IP > Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

    Source  Destination  Direction   Protocol  Tunnel Endpoints
                         ► Outbound  ESP        -> xx.60.84.3
                         ◄ Inbound   ESP       xx.60.84.3 ->

  • I have narrowed the Local network and the NAT address down to just /32 addresses and it is still not working.

            con2:  IKEv2, dpddelay=10s
            con2:   local:  [xx.27.114.190] uses pre-shared key authentication
            con2:   remote: [xx.60.84.3] uses pre-shared key authentication
            con2:   child:| ===|/0 TUNNEL, dpdaction=restart
    Routed Connections:
            con2{11}:  ROUTED, TUNNEL, reqid 2
            con2{11}:| ===|/0
    Security Associations (2 up, 0 connecting):
            con2[5]: ESTABLISHED 6 minutes ago,[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
            con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
            con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
            con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
            con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
            con2{9}:| ===|/0
    "The firewall service is disabled and no NAT is configured."

    What, exactly, does this mean?

  • In System > Advanced > Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
    In Firewall, NAT there are not any NAT definitions for any of the 4 sections other than the autocreated ones for ISAKMP.

    The only NAT is the NAT/BINAT setup in the IPSec tunnel config.

    OK. That NAT is still done using pf. Disabling that will disable the IPsec NAT too, just as that warning states.
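The point above is that the phase 2 "NAT/BINAT translation" is not done by the IPsec stack but by a pf binat/nat rule on the enc0 pseudo-interface, so it vanishes together with pf when "Disable Firewall" is set. The following check script is an added example, not code from the thread or from pfSense; the `pfctl -si` / `pfctl -sn` output formats it parses and the 10.0.0.5 / 172.16.0.5 / 192.168.50.0/24 addresses in the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not code from the original thread or from pfSense itself).
# pfSense implements the phase 2 "NAT/BINAT translation" as a pf binat/nat rule
# on the IPsec pseudo-interface enc0, so when pf is disabled (System > Advanced >
# Firewall & NAT > Disable Firewall) the translation disappears with it.
# Two checks: is pf enabled at all, and is the enc0 translation rule loaded.
# The pfctl output formats and the sample addresses below are assumptions.

# pf_is_enabled STATUS_TEXT
#   Return 0 if STATUS_TEXT (the output of `pfctl -si`) reports pf as enabled.
pf_is_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# ipsec_nat_rule_present RULES_TEXT LOCALID NATLOCALID
#   Return 0 if RULES_TEXT (the output of `pfctl -sn`) contains a binat or nat
#   rule on enc0 that translates LOCALID to NATLOCALID.
ipsec_nat_rule_present() {
    printf '%s\n' "$1" \
        | grep -E '^(binat|nat) on enc0 ' \
        | grep -F -- "from $2 " \
        | grep -Fq -- "-> $3"
}

# diagnose_ipsec_nat STATUS_TEXT RULES_TEXT LOCALID NATLOCALID
#   Print one of: ok | pf-disabled | rule-missing
diagnose_ipsec_nat() {
    if ! pf_is_enabled "$1"; then
        echo "pf-disabled"      # Disable Firewall is set: no pf, hence no IPsec NAT
    elif ! ipsec_nat_rule_present "$2" "$3" "$4"; then
        echo "rule-missing"     # pf runs, but no enc0 translation for this P2
    else
        echo "ok"
    fi
}

# Constructed sample output, shaped like `pfctl -si` / `pfctl -sn` (assumed
# format, placeholder addresses; not taken from the thread).
SAMPLE_STATUS_ENABLED='Status: Enabled for 0 days 01:23:45           Debug: Urgent'
SAMPLE_STATUS_DISABLED='Status: Disabled for 0 days 00:00:10          Debug: Urgent'
SAMPLE_NAT_RULES='nat on igb0 inet from 10.0.0.0/24 to any -> 203.0.113.10 port 1024:65535
binat on enc0 inet from 10.0.0.5 to 192.168.50.0/24 -> 172.16.0.5'

# Live usage on a pfSense box:  sh ipsec_nat_check.sh <localid> <natlocalid>
if [ $# -eq 2 ] && command -v pfctl >/dev/null 2>&1; then
    diagnose_ipsec_nat "$(pfctl -si 2>/dev/null)" "$(pfctl -sn 2>/dev/null)" "$1" "$2"
fi
```

On a box where pf is enabled, `pfctl -sn | grep enc0` is the quick manual version of the second check: if no binat/nat line for enc0 shows up, the P2 translation is not loaded regardless of what the tunnel status says, and the far end will keep seeing the untranslated source.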

  • Thank you, that resolved it. I didn't realize the IPsec NAT and the firewall NAT were the same. Thanks again.