IPsec + NAT Port Forward - Reply packet seems to get lost



  • Hi there,

    I am stuck with some NAT / IPsec traffic routing problem.

    Following setup:

    (1)
    My PC (SourceIP1-TargetIP1) ->

    (2)
    Router#1 (SourceIP2 - TargetIP1) ->

    • Device will do SNAT for TargetIP1Subnet
    • SourceIP is always the same

    (3)
    Router#2 (SourceIP2 - TargetIP1) ->

    • R#2 has an IPsec Tunnel to R#3
    • Phase 2 = SourceIP2 -> TargetIP1Subnet

    (4)
    Router#3 (SourceIP2 - TargetIP2) ->

    • Port Foward (or DNAT) for TargetIP1 to TargetIP2 (single IP match (if this is finally working there will be plenty of single server IPs which I need to NAT))
    • R#3 has an IPsec Tunnel#1 to R#2
    • R#3-T#1 Phase 2 = TargetIP1Subnet -> SourceIP2
    • R#3 has another IPsec Tunnel#2 to an external router (managed by so else/customer)
    • R#3-T#2 Phase 2 = SourceIP2 -> TargetIP2Subnet

    Hope this makes any sense :D

    Now when I do some PING from MyPC (SourceIP1) to TargetIP1 and monitor traffic on R#2+R#3 I see the following:

    R#2:

    • ICMP request from SourceIP2 to TargetIP1

    R#3:

    • ICMP request from SourceIP2 to TargetIP1
    • ICMP request from SourceIP2 to TargetIP2 (seems like NAT Port Forward is working here)
    • ICMP reply from TargetIP2 to SourceIP2

    I would expect another line on R#3 where it says "ICMP reply from TargetIP1 to SourceIP2" and the same on R#2

    Am I doing sth completely wrong here? Or will this not work by design or other reasons? Will reply traffic not automatically get NATted back to is original IP?
    Any hints what could be wrong greatly appreciated.

    Thanks in advance
    Best regards
    grumpy-bit


Log in to reply