P2 NAT/BINAT not translating
-
Hello,
I have what seems like a simple NAT setup for a P2 IPSec tunnel but it is not translating. The tunnel is up and the far end, a Cisco, is seeing the original source address not the expected NAT address. I am running 2.4.3-RELEASE-p1 (amd64) as an AWS instance. The P2 setup is as follows: Tunnel IPv4, local network is 10.0.11.0/24, NAT/BINAT trans is 192.168.171.1, Remote network is 10.1.20.0/24. The remote side is seeing traffic from 10.0.11.30/32 instead of the 192.168.171.1 address. The firewall service is disabled and no NAT is configured. A tcpdump shows the unaltered source address but I believe that is expected. Sample traffic from tcpdump:
10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0
Any ideas why this is not working as expected?
Thanks
-
SPDs
Source          Destination     Direction    Protocol  Tunnel Endpoints
10.0.11.0/24    10.1.20.0/24    ► Outbound   ESP       10.0.1.144 -> xx.60.84.3
10.1.20.0/24    192.168.171.1   ◄ Inbound    ESP       xx.60.84.3 -> 10.0.1.144
-
I have narrowed the Local network and the NAT address to be just /32 addresses and still not working.
Connections:
        con2:  10.0.1.144...xx.60.84.3  IKEv2, dpddelay=10s
        con2:   local:  [xx.27.114.190] uses pre-shared key authentication
        con2:   remote: [xx.60.84.3] uses pre-shared key authentication
        con2:   child:  192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0 TUNNEL, dpdaction=restart
Routed Connections:
        con2{11}:  ROUTED, TUNNEL, reqid 2
        con2{11}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
Security Associations (2 up, 0 connecting):
        con2[5]: ESTABLISHED 6 minutes ago, 10.0.1.144[xx.27.114.190]...xx.60.84.3[xx.60.84.3]
        con2[5]: IKEv2 SPIs: 9973215998ae1d2c_i* 81fce56a6da1e126_r, rekeying disabled
        con2[5]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
        con2{9}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c37f8035_i 4b82b490_o
        con2{9}:  AES_CBC_256/HMAC_SHA2_512_256, 0 bytes_i (0 pkts, 396s ago), 2380 bytes_o (17 pkts, 0s ago), rekeying disabled
        con2{9}:   192.168.171.1/32|10.0.11.30/32 === 10.1.20.0/24|/0
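The two posts above give the pieces a reader needs to confirm the symptom for themselves: the P2 definition (local network, NAT/BINAT address, remote network) and a tcpdump line of the traffic as it leaves. Below is an added example, not code from the poster or from the pfSense project, that parses tcpdump lines in that format and reports, per packet, whether the source still carries the pre-NAT address (the case in the thread), the NAT address, or something else. The second capture line is constructed to show what a translated packet would look like; the 1:1 host-offset mapping used when the NAT address is a whole network of the same prefix length as the local network is an assumption about BINAT behaviour, not something the thread states.

```python
"""Check whether IPsec phase-2 NAT/BINAT is applied to outbound tunnel traffic.

Added example: parses tcpdump lines like the one in the thread and compares the
observed source address against the phase-2 definition. Not pfSense code.
"""
import ipaddress
import re

# Phase 2 values as posted in the thread.
LOCAL_NET = "10.0.11.0/24"
NAT_SPEC = "192.168.171.1"      # a single address: every local host should appear as this
REMOTE_NET = "10.1.20.0/24"

# Constructed sample capture. Line 1 is the poster's own tcpdump line; line 2 is
# constructed here to show what a correctly translated packet would look like.
SAMPLE_TCPDUMP = """\
10:27:15.770886 IP 10.0.11.30.38180 > 10.1.20.227.16718: Flags [S], seq 1874224633, win 26883, options [mss 8961,sackOK,TS val 3261811242 ecr 0,nop,wscale 7], length 0
10:27:16.101213 IP 192.168.171.1.38181 > 10.1.20.227.16718: Flags [S], seq 1874224700, win 26883, options [mss 8961,sackOK,TS val 3261811500 ecr 0,nop,wscale 7], length 0
"""

# tcpdump prints "IP src.port > dst.port:" for IPv4 TCP/UDP.
_PKT_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def expected_source(src, local_net=LOCAL_NET, nat_spec=NAT_SPEC):
    """Source address a packet from `src` should carry after translation.

    A single NAT address means many-to-one NAT. A NAT network with the same
    prefix length as the local network is treated as 1:1 BINAT that keeps the
    host bits (assumption about the mapping, not stated in the thread).
    """
    src = ipaddress.ip_address(src)
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_spec, strict=False)
    if src not in local:
        raise ValueError(f"{src} is not inside the local network {local}")
    if nat.num_addresses == 1:
        return nat.network_address
    if nat.prefixlen == local.prefixlen:
        return nat.network_address + (int(src) - int(local.network_address))
    raise ValueError("NAT spec must be a single address or match the local prefix length")


def classify_packet(line, local_net=LOCAL_NET, nat_spec=NAT_SPEC, remote_net=REMOTE_NET):
    """Return a verdict dict for one tcpdump line, or None if it is not an IPv4 packet line."""
    m = _PKT_RE.search(line)
    if not m:
        return None
    src = ipaddress.ip_address(m.group(1))
    dst = ipaddress.ip_address(m.group(3))
    local = ipaddress.ip_network(local_net, strict=False)
    nat = ipaddress.ip_network(nat_spec, strict=False)
    remote = ipaddress.ip_network(remote_net, strict=False)

    if dst not in remote:
        verdict = "not-tunnel-traffic"        # the P2 selector would not match it at all
    elif src in local:
        verdict = "untranslated"              # the symptom described in the thread
    elif src in nat:
        verdict = "translated"
    else:
        verdict = "unexpected-source"
    expected = str(expected_source(src, local_net, nat_spec)) if verdict == "untranslated" else None
    return {"src": str(src), "dst": str(dst), "verdict": verdict, "expected_src": expected}


def audit_capture(text, **phase2):
    """Classify every packet line in a tcpdump text; phase2 overrides the defaults above."""
    results = []
    for line in text.splitlines():
        r = classify_packet(line, **phase2)
        if r is not None:
            results.append(r)
    return results


if __name__ == "__main__":
    for r in audit_capture(SAMPLE_TCPDUMP):
        extra = f" (expected {r['expected_src']})" if r["expected_src"] else ""
        print(f"{r['src']} -> {r['dst']}: {r['verdict']}{extra}")
```

Run it against a capture taken at the point where the translated address is expected to appear; an "untranslated" verdict with the expected NAT address next to it is exactly the complaint the remote Cisco side is making in the thread. Passing `nat_spec="192.168.171.0/24"` instead of the single address exercises the 1:1 mapping branch.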
-
The firewall service is disabled and no NAT is configured.
What, exactly, does this mean?
-
In System, Advanced, Firewall & NAT, "Disable Firewall" is selected, turning the device into a routing VPN device.
In Firewall, NAT there are no NAT definitions in any of the 4 sections other than the autocreated ones for ISAKMP. The only NAT is the NAT/BINAT setup in the IPSec tunnel config.
-
OK. That NAT is still done using pf. Disabling that will disable IPsec NAT too just like that warning states.
-
Thank you that resolved it. I didn't realize the IPSec NAT and the firewall NAT were the same. Thanks again.