Netgate Discussion Forum

    IPsec with NAT Requires Traffic Initiation From One Side?

    2 Posts 1 Posters 159 Views 1 Watching
    • planedrop

      Forgive me if this is obvious, but if you use NAT within an IPsec configuration on one site, does this mean that traffic can't come from the opposite site?

      As I understood it, based on the docs, this should only be true if NATing to a single IP address, but I'm NATing the entire subnet.

      For more detail:
      Site A: 10.10.12.0/24 network is set up in Phase 2 with NAT enabled and set to Network and listed as 172.16.51.0/24
      Site B: 192.168.15.0/24 network is set up in Phase 2 and is set to go to the remote network of 172.16.51.0/24

      There is a host listening on 10.10.12.10 and another host on 192.168.15.10

      If I ping from 192.168.15.10 I never get responses; it hits the rule on Site B's LAN tab and I can capture the packets on the IPsec tab just fine.

      However, these packets never seem to hit the IPsec tab on Site A: the rules on that tab are never triggered and there is no traffic when doing a pcap.

      But, if I ping from 10.10.12.10 to 192.168.15.10 I get responses, and then once the states are set in place I can ping from 192.168.15.10 just fine as well.

      Shouldn't pinging the NATed subnet still work even if the subnet at Site A hasn't initiated any traffic yet?

      I feel like I'm missing something really obvious here.

      • planedrop @planedrop

        To add to this, it seems that the packets are just never ending up on the IPsec interface of Site A.

        I can see that the ESP packets are hitting the interface they should be on pfSense (it's not really WAN but we can call it that), but they just don't actually get routed back through to the IPsec interface.

        I am not sure what would be dropping them at this point, though; it seems the state table isn't being opened or something.

        The SPD has the proper NATed subnet listed in it too so it's definitely correctly setup.

        Am I crazy in thinking this should work? Since this basically 1:1 NATs every IP within the /24 subnets that I have set up, shouldn't traffic destined for any 172.16.51.xxx IP be translated over to the 10.10.12.xxx equivalent IP?

        Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.