Netgate Discussion Forum
IPsec VTI with custom outbound NAT bug?

gbogado

Hello, I have an IPsec tunnel in VTI mode against a customer:

[screenshot attachment]

I also have a route towards this tunnel:

[screenshot attachment]

And I need to show myself in my customer network as 10.9.67.42.

So the idea of the flow is:

      src my network --> nat to 10.9.67.42 --> customer network 170.186.42.x

For this, I have set up:

• IPsec rules any / any
• the routes mentioned before: 170.186.42.0/24 via the VTI interface 10.9.34.65
• an outbound NAT rule:
• NOTE: I did try changing the interface to IPsec, or VTI, loopback, LAN, with the same result

[screenshot attachment]

With this configuration, it was not working at all... I checked the states, did debugging with tcpdump, and the other side was not receiving anything from my source (10.9.67.42), but the VTI tunnel could ping and such.

After a few weeks, we came back to this topic and did the same configuration, but we changed the tunnel to IKEv2 and, instead of translating to 10.9.67.42, we changed it to 10.9.67.41 as the customer requested.

So here is the thing that I don't know if it is a bug, or a feature, or if I'm just lost =)

Since we had another IP to present ourselves towards the client, I added another OUTBOUND RULE...

[screenshot attachment]

And suddenly, it worked like a charm (unintentionally)...

At first glance I said, "oh, with IKEv2 it works, fine", but today I was checking some connections in the NAT table, and I found this:

[screenshot attachment]

My firewall was doing a chain of NATs, and that was allowing me to reach the other side...

If I disable either of the rules, it stops working... and if I change the interfaces of the NAT to use IPsec or OPT in both rules, it won't work either... Also notice that the one with the OPT interface is the one that dictates the IP that my customer will see on the other side.

I really would like to know if this is a bug, or if I'm confused, or if I'm making a mistake... I hope the community can take this out of my head...

Have a good week everyone,

      Guille

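An added example, not part of the post above: a small Python checker that reads state lines in the shape of FreeBSD's `pfctl -ss` output and reports whether a source address is translated more than once on its way to the customer network (the "chain of NATs" the post describes), and which address the customer actually ends up seeing. The sample state lines and all addresses in them are constructed for illustration, and the line layout is assumed to be the `<iface> <proto> <src> (<nat>) -> <dst>` form pfctl prints for outbound states.

```python
import ipaddress
import re

# Constructed sample shaped like FreeBSD `pfctl -ss` output (hypothetical values); line 2 is the second translation the post describes.
SAMPLE_STATES = """\
all tcp 10.9.1.20:51234 (10.9.67.42:51234) -> 170.186.42.10:443   ESTABLISHED:ESTABLISHED
all tcp 10.9.67.42:51234 (10.9.67.41:51234) -> 170.186.42.10:443  ESTABLISHED:ESTABLISHED
all icmp 10.9.1.30:7 (10.9.67.41:7) -> 170.186.42.10:7   0:0
all tcp 10.9.1.21:40000 -> 10.9.1.5:22   ESTABLISHED:ESTABLISHED
"""

# Outbound state: "<iface> <proto> <src>:<port> [(<nat>:<port>)] -> <dst>:<port> ..."
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\s+\((?P<nat>[\d.]+):(?P<nport>\d+)\))?\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_states(text):
    """Return (src, translated_src_or_None, dst) for each outbound state line."""
    out = []
    for line in text.splitlines():
        if m := STATE_RE.match(line.strip()):
            out.append((m["src"], m["nat"], m["dst"]))
    return out

def translation_hops(states, customer_cidr):
    """Map original source -> translated source for states headed to the customer.
    One translation per original source is assumed; that is enough to expose a chain."""
    net = ipaddress.ip_network(customer_cidr)
    return {src: nat for src, nat, dst in states
            if nat and ipaddress.ip_address(dst) in net}

def nat_chains(states, customer_cidr):
    """Return every translation path longer than one hop, i.e. NAT applied twice."""
    hops = translation_hops(states, customer_cidr)
    chains = []
    for start in hops:
        if start in hops.values():
            continue  # fed by another state, so not the head of a chain
        chain = [start]
        while chain[-1] in hops and hops[chain[-1]] not in chain:
            chain.append(hops[chain[-1]])
        if len(chain) > 2:
            chains.append(chain)
    return chains

def presented_sources(states, customer_cidr):
    """Addresses the customer really sees: the final hop of each translation path."""
    hops = translation_hops(states, customer_cidr)
    return {nat for nat in hops.values() if nat not in hops}
```

On the sample, nat_chains() returns the three-hop path 10.9.1.20 -> 10.9.67.42 -> 10.9.67.41, which is the symptom to look for in a real state table before trusting which address the far side sees.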