Netgate Discussion Forum
    New IPSEC tunnel with NAT: 1-way traffic

    2 Posts 1 Posters 302 Views
    Stewart:

      I've done this before but can't see what I'm missing this time. Occasionally we have clients that work with a vendor that requires an IPSEC tunnel to their location but NAT must be set up on the tunnel. We've established the tunnel and it shows as up. We can ping their network but they are unable to reach devices inside our network. The setup is as follows:

      LAN IP: 192.x.x.x
      NATTED IP: 100.x.x.x
      Remote IP: 10.x.x.x

      If we ping from our 192.x.x.x range to an IP in their 10.x.x.x range, we get replies. If they ping us, they get no response. If I watch a packet capture I get:
      IP 192.x.x.x > 10.x.x.x: ICMP echo request, id 42327, seq 0, length 64
      IP 10.x.x.x > 100.x.x.x: ICMP echo reply, id 42327, seq 0, length 64

      Could it be that the NATted IP they gave us is a Public IP and not a Private IP?

      Stewart (replying to Stewart):

        @Stewart

        Well, I guess 100.64.0.0/10 isn't public after all. You learn something new every day! What's odd is that adding the appropriate firewall rule allowed the traffic to cross but I don't see anything logged in the firewall logs to show that the firewall is what stopped the communication.

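As an added example (not from the thread, and not Netgate's code), a small Python checker for captures in the format shown above: it pairs each ICMP echo reply with its request by id/seq, reports when the reply is addressed to a different address than the request came from (the NAT'd address the remote peer sees, which any inbound IPsec-interface rule has to match), and labels that address as RFC 1918 private, RFC 6598 shared space (100.64.0.0/10), or public. The capture lines and addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample capture in the thread's tcpdump format; addresses are placeholders.
SAMPLE_CAPTURE = """\
IP 192.168.1.10 > 10.1.1.10: ICMP echo request, id 42327, seq 0, length 64
IP 10.1.1.10 > 100.64.1.10: ICMP echo reply, id 42327, seq 0, length 64
"""

# RFC 6598 shared address space (CGNAT range): not RFC 1918 private, not public.
SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")

ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def parse_capture(text):
    """One dict per ICMP echo line: src, dst, kind, id, seq."""
    flows = []
    for m in (ICMP_RE.search(line) for line in text.splitlines()):
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            flows.append(d)
    return flows


def classify(addr):
    """Label the address space the far side is replying to."""
    ip = ipaddress.ip_address(addr)
    if ip in SHARED_SPACE:
        return "shared (RFC 6598)"
    if ip.is_private:
        return "private (RFC 1918)"
    return "public" if ip.is_global else "other"


def find_nat_asymmetry(text):
    """Pair replies with requests by (id, seq); a reply whose destination differs
    from the request's source reveals the NAT'd address the remote peer sees."""
    flows = parse_capture(text)
    requests = {(f["id"], f["seq"]): f for f in flows if f["kind"] == "request"}
    findings = []
    for f in flows:
        req = requests.get((f["id"], f["seq"])) if f["kind"] == "reply" else None
        if req and req["src"] != f["dst"]:
            findings.append({"inside": req["src"], "translated": f["dst"],
                             "remote": f["src"], "space": classify(f["dst"])})
    return findings
```

Running `find_nat_asymmetry(SAMPLE_CAPTURE)` on the sample reports that 192.168.1.10 is seen by 10.1.1.10 as 100.64.1.10 in shared space, so the pass rule on the IPsec interface must allow traffic from the remote 10.x network to the translated 100.x address, not to the LAN address.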
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.