Netgate Discussion Forum
IPSec NAT IP not working

    luquinhasdainfra
    last edited by Dec 27, 2023, 10:37 PM

    I have an IPSEC tunnel that is configured to send packets to a NAT / BINAT IP


    As you can see, the NAT IP is 172.21.3.68

    But the Fortigate log shows that the IP sending the packets is 172.21.1.68


    My pfSense logs show the same thing: the actual IP that is sending the packets is different from the IP configured in the IPSEC.


    Any help is greatly appreciated.

      luquinhasdainfra
      last edited by Dec 27, 2023, 10:40 PM

      The images didn't load on the first post...

      Here it goes:

        viragomann @luquinhasdainfra
        last edited by Dec 28, 2023, 10:14 AM

        @luquinhasdainfra
        To NAT to a single IP, pfSense gives you the type option "Address". So you should change this. However, I don't expect that this makes a difference.

        Is this the only phase 2 for this connection? If there are multiple, please post the order.

          luquinhasdainfra @viragomann
          last edited by Dec 28, 2023, 10:55 AM

          @viragomann This is the only P2 connection.

          The address IP is set as the first image shows; it is pointing to 172.21.3.68, but the connections are going through the IP 172.21.1.68.

            viragomann @luquinhasdainfra
            last edited by Dec 28, 2023, 11:42 AM

            @luquinhasdainfra
            I was talking about this option:

              luquinhasdainfra @viragomann
              last edited by Dec 28, 2023, 11:52 AM

              @viragomann I figured out how to configure it...

              Actually, it needs a 1:1 NAT to work well. I don't understand why only this tunnel needs this configuration.


              Thank you for the replies, have a great day.

                viragomann @luquinhasdainfra
                last edited by Dec 28, 2023, 12:43 PM

                @luquinhasdainfra
                Conventional NAT rules do not have any effect on policy-based IPSec traffic at all. You can use them for VTI, however.

                  luquinhasdainfra @viragomann
                  last edited by Dec 28, 2023, 8:19 PM

                  @viragomann

                  That's really strange, so...

                  When the 1:1 NAT is created the IPSEC works fine, but without it, it sends it to a wrong NAT IP.

                  I already checked all my rules and NAT. I never set the IPSEC or any rule / route to send it to the IP 172.21.1.68; instead, I configured the IPSEC to NAT it to 172.21.3.68.

                    viragomann @luquinhasdainfra
                    last edited by Dec 28, 2023, 9:36 PM

                    @luquinhasdainfra
                    Which device is the shown internal IP in the NAT 1:1 rule? Is it a device in the LAN or the pfSense interface IP?

                    Basically your NAT rule should translate the source address of outbound traffic over IPSec from the stated internal IP to 172.21.3.68. But I have never heard that this would work with a policy-based IPSec tunnel.

                      luquinhasdainfra @viragomann
                      last edited by Dec 29, 2023, 12:34 AM

                      @viragomann

                      The internal IP in the 1:1 NAT is a computer from our LAN network.

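As an added example that is not part of the thread, the check below runs over tcpdump-style lines of the tunnel's inner packets and reports which sources reached the remote network without the configured translation, so a mismatch like 172.21.1.68 appearing instead of 172.21.3.68 is visible without reading screenshots. Only those two addresses come from the thread; the remote network 10.20.0.0/24 and the capture lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Values from the thread: the address the phase 2 should present to the peer.
EXPECTED_BINAT = ip_address("172.21.3.68")
# Assumed remote phase 2 network (constructed for this example).
REMOTE_NET = ip_network("10.20.0.0/24")

# Constructed tcpdump-style summary lines of the inner (pre-encryption) packets.
# Anything before the "IP src > dst:" summary is ignored by the regex below.
SAMPLE_CAPTURE = """\
12:01:03.120345 IP 172.21.1.68.51234 > 10.20.0.5.443: Flags [S], seq 1, win 65535, length 0
12:01:03.125501 IP 172.21.3.68.51235 > 10.20.0.5.443: Flags [S], seq 2, win 65535, length 0
12:01:04.000001 IP 172.21.1.68.51236 > 192.168.50.9.22: Flags [S], seq 3, win 65535, length 0
12:01:04.500000 IP 10.20.0.5.443 > 172.21.3.68.51235: Flags [S.], seq 9, ack 3, win 65535, length 0
"""

PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_packets(text):
    """Yield (src, dst) address pairs from tcpdump IPv4 summary lines; skip the rest."""
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            yield ip_address(m.group(1)), ip_address(m.group(3))


def audit_binat(text, expected_src, remote_net):
    """Classify packets bound for remote_net by whether their source was translated.

    Returns counts of translated and untranslated packets plus the sorted list of
    untranslated source addresses, which is what a leaking LAN address looks like.
    """
    counts = Counter()
    leaked = set()
    for src, dst in parse_packets(text):
        if dst not in remote_net:
            continue  # replies or traffic for other destinations are out of scope
        if src == expected_src:
            counts["translated"] += 1
        else:
            counts["untranslated"] += 1
            leaked.add(str(src))
    return {"translated": counts["translated"],
            "untranslated": counts["untranslated"],
            "untranslated_sources": sorted(leaked)}


if __name__ == "__main__":
    print(audit_binat(SAMPLE_CAPTURE, EXPECTED_BINAT, REMOTE_NET))
```

With a real capture, feed the file contents to audit_binat in place of SAMPLE_CAPTURE; any entry under untranslated_sources is a phase 2 whose NAT/BINAT setting is not being applied.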