NAT before IPSec

Started by GaardenZwerch, August 14, 2019, 11:05:05 AM

Hi,

I have a local network (192.168.0.0/24) that needs to be NATed (to 10.203.207.0/24) before it goes into the IPSec tunnel.
When the tunnel is up, this works perfectly fine (i.e. I have a NAT defined (on the IPSec device) and added a manual SPD entry for 192.168.0.0/24).
However, hosts from the local network (192.168.0.0/24) can't get the tunnel up.
ping -S 192.168.0.1 other.side does nothing, whereas
ping -S 10.203.207.1 other.side pulls the tunnel up (I have added a virtual IP for 10.203.207.1 on the same interface as 192.168.0.1).

Could this bit from the changelog in 19.7.x solve my problem?
"ipsec: use interface IP address in local ID when doing NAT before IPsec"

Thanks a lot

The release note is not related to your problem. Have you also tried pinging from a real system in your LAN or only from the firewall via "-S"?

Hello MiMu,

Yes, there is a Nagios server (192.168.0.2) in that network that checks availability of servers 'on the other side'. It gets replies, but only if the tunnel is up.

Can I post any additional info that might be useful?
Thanks

Hm, my tunnels are always up. Maybe it's worth checking why the tunnel itself goes down.

Hmm,

I have no control over the remote side of the connection, so this is not easy. Leaving it on 'connect on traffic' is a requirement from the remote side.

My BINAT rule generates the following:
binat on enc0 inet from 192.168.0.0/24 to <BO_NETS> -> 10.203.207.0/24

but when the tunnel is down, traffic from 192.168.0.0/24 will not get routed to enc0. I suspect that this is the root of the problem.

Yes, because there is no known route. Why not set the mode to "start immediate"? I don't think the remote site will complain about it, or even become aware of it.

Somehow, the tunnel closes every now and then (after inactivity?). Even if I leave it at 'Start immediate' (tried this before), it will eventually go down, and my side won't be able to get it up again. Figuring out why the tunnel goes away is hard, as I don't control the other side. On my side, is it possible to get a log over a longer period of time?

You can increase system logging and catch it via CLI:

clog /var/log/ipsec.log
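An added example, not from the thread or from OPNsense's own tooling, that follows on the logging advice above: a small shell script that keeps a long-term copy of the circular ipsec log and summarises IKE_SA up/down events from it, so the times the tunnel dropped can be read off without the remote side's cooperation. It assumes clog's -f follow mode and strongSwan charon-style log messages; the output path and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): persist the circular ipsec log to a
# flat file so it outlives clog's ring buffer, then summarise IKE_SA
# establish/delete events from it. Assumes strongSwan charon messages.

# Constructed sample lines in syslog + charon format; not a real capture.
SAMPLE_LOG='Aug 14 11:05:05 fw charon: 05[IKE] <con1|1> IKE_SA con1[1] established between 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
Aug 14 11:35:07 fw charon: 07[IKE] <con1|1> deleting IKE_SA con1[1] between 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
Aug 14 11:35:07 fw charon: 07[IKE] <con1|1> IKE_SA deleted
Aug 14 12:02:41 fw charon: 09[IKE] <con1|2> IKE_SA con1[2] established between 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]'

# Follow the circular log and append it to a persistent file (hypothetical
# default path; pick your own). Run it under nohup or in a screen session.
capture_ipsec_log() {
    out="${1:-/var/log/ipsec-longterm.log}"
    clog -f /var/log/ipsec.log >> "$out"
}

# Read log lines from stdin and print a timeline: "<syslog timestamp> UP|DOWN".
# UP  = "IKE_SA <conn>[<id>] established", DOWN = "deleting IKE_SA".
sa_timeline() {
    grep -E 'IKE_SA [^ ]+\[[0-9]+\] established|deleting IKE_SA' |
        awk '{
            when  = $1 " " $2 " " $3
            state = ($0 ~ /established/) ? "UP" : "DOWN"
            print when, state
        }'
}

# Count UP or DOWN events on stdin, e.g. count_events DOWN < ipsec-longterm.log
count_events() {
    sa_timeline | awk -v s="$1" '$NF == s { n++ } END { print n + 0 }'
}
```

Feeding the persistent file through sa_timeline shows when each IKE_SA was torn down, which can then be lined up against the remote side's inactivity or rekey timers.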