P2 NAT/BINAT not translating



  • Hello,
    I have what seems like a simple NAT setup for a P2 IPsec tunnel, but it is not translating. The tunnel is up, and the far end, a Cisco, is seeing the original source address, not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT translation is 192.168.171.1, remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address, but I believe that is expected.

    Sample traffic from tcpdump:
    10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0

    Any ideas why this is not working as expected?

    Thanks



  • SPDs
    Source        Destination    Direction   Protocol  Tunnel Endpoints
    10.0.11.0/24  10.1.20.0/24   ► Outbound  ESP       10.0.1.144 -> xx.60.84.3
    10.1.20.0/24  192.168.171.1  ◄ Inbound   ESP       xx.60.84.3 -> 10.0.1.144



  • I have narrowed the local network and the NAT address down to just /32 addresses, and it is still not working.

    Connections:
            con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
            con2:   local:  [xx.27.114.190] uses pre-shared key authentication
            con2:   remote: [xx.60.84.3] uses pre-shared key authentication
            con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
    Routed Connections:
            con2{11}:  ROUTED, TUNNEL, reqid 2
            con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
    Security Associations (2 up, 0 connecting):
    
            con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
            con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
            con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
            con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
            con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
            con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
    
    
    

  • LAYER 8 Netgate

    The firewall service is disabled and no NAT is configured.

    What, exactly, does this mean?



  • In System > Advanced > Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
    In Firewall > NAT there are not any NAT definitions in any of the 4 sections other than the auto-created ones for ISAKMP.

    The only NAT is the NAT/BINAT setup in the IPsec tunnel config.


  • LAYER 8 Netgate

    OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too, just as that warning states.



  • Thank you, that resolved it. I didn't realize the IPsec NAT and the firewall NAT were the same. Thanks again.
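The strongSwan status output posted above prints each side of the child SA as `NATTED|REAL` (`192.168.171.1/32|10.0.11.30/32` on the local side), while tcpdump on the inside shows the untranslated 10.0.11.30 source. The script below is an added example, not code from the thread, pfSense or strongSwan: it parses that `ipsec statusall` selector line and the posted tcpdump line, and reports what source address the far end should see once pf is doing the NAT/BINAT again. It assumes that the address before `|` is what the peer sees, that the address after `|` is the real inner network, that a bare `/0` after `|` means "no translation on that side", and that a BINAT between two equally sized networks keeps the host offset; it generalizes beyond the thread's /32 case to a /24 hidden behind one address and to a /24-to-/24 BINAT.

```python
import ipaddress
import re

# Constructed sample input, copied from the thread: the child SA selector line
# that "ipsec statusall" printed on this pfSense box, and the tcpdump line.
CHILD_LINE = "con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0"
TCPDUMP_LINE = ("10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: "
                "Flags [S], seq 1874224633, win 26883, length 0")


def parse_selector(token):
    """Split one side of a selector into (as_seen_by_peer, real_inner_network).

    Assumption (how the notation is read here; the page does not document it):
    the part before '|' is the network the peer sees, the part after it is the
    real inner network, and a bare '/0' after '|' means no translation.
    """
    if "|" in token:
        seen, inner = token.split("|", 1)
        if inner == "/0":
            inner = seen
    else:
        seen = inner = token
    return (ipaddress.ip_network(seen, strict=False),
            ipaddress.ip_network(inner, strict=False))


def parse_child(line):
    """Return the local/remote selectors from a statusall child line."""
    m = re.search(r"(\S+)\s+===\s+(\S+)", line)
    if not m:
        raise ValueError("no traffic selector found in: %r" % line)
    local_seen, local_inner = parse_selector(m.group(1))
    remote_seen, _ = parse_selector(m.group(2))
    return {"local_seen": local_seen, "local_inner": local_inner,
            "remote": remote_seen}


def parse_tcpdump(line):
    """Pull source and destination IPv4 addresses out of a tcpdump TCP/UDP line."""
    m = re.search(r"\bIP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+", line)
    if not m:
        raise ValueError("not an IPv4 tcpdump line: %r" % line)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def expected_peer_source(child, src, dst):
    """Source address the far end should see for a packet src->dst, or None
    when the packet does not match the child SA's inner selectors at all."""
    if src not in child["local_inner"] or dst not in child["remote"]:
        return None
    seen, inner = child["local_seen"], child["local_inner"]
    if seen == inner:
        return src                      # no NAT/BINAT configured on this side
    if seen.num_addresses == 1:
        return seen.network_address     # whole inner network hidden behind one address
    # Assumption: BINAT between equally sized networks keeps the host offset.
    return seen.network_address + (int(src) - int(inner.network_address))


def check(child_line, tcpdump_line):
    """Compare what tcpdump captured with what the peer should see."""
    child = parse_child(child_line)
    src, dst = parse_tcpdump(tcpdump_line)
    want = expected_peer_source(child, src, dst)
    return {"captured_src": str(src),
            "peer_should_see": None if want is None else str(want),
            "translation_expected": want is not None and want != src}


if __name__ == "__main__":
    # With the thread's selectors the peer should see 192.168.171.1, so a
    # Cisco reporting 10.0.11.30 means the pf translation is not happening.
    print(check(CHILD_LINE, TCPDUMP_LINE))
```

A tcpdump taken on the LAN side will always show the inner 10.0.11.30 address, as the original poster expected; the translation to 192.168.171.1 only happens in pf on the way into the tunnel, which is why disabling pf under System > Advanced > Firewall & NAT removes it along with everything else.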

