Topic: Outbound NAT to IPSec (Read 7829 times)
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Outbound NAT to IPSec « Reply #15 on: February 26, 2020, 01:17:52 pm »
Pop up
Any ideas?
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Outbound NAT to IPSec « Reply #16 on: February 26, 2020, 02:09:17 pm »
Actually I'm a bit confused with all tests and test networks, etc.
Just to be sure, when you have only ONE Phase2 SA, everything works as expected?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Outbound NAT to IPSec « Reply #17 on: February 26, 2020, 02:36:39 pm »
Sorry for the confusion...
Actually I am very sure that the actual version has 2 different problems:
1. If an "Outbound NAT before IPSec" configuration is used,
- where one local net has to be NATed to one transport net
- which therefore comes with the need of adding "Manual SPD entries" in the Phase2 definition of this tunnel
-> then the "traffic detection", which normally is able to start the tunnel, is not working. In consequence you have to manually start the tunnel.
2. If an "Outbound NAT before IPSec" configuration is used,
- where one local net has to be NATed to one transport net
- which is the local net of 2 different IPSec Phase2 definitions I need to be able to reach 2 different remote nets (which also comes with the need of adding "Manual SPD entries", this time into both Phase2 definitions of this tunnel (one for each remote net))
-> then every outgoing traffic is forwarded only through the last defined Phase2 definition tunnel (see my last screenshot) and not to the correct one, which corresponds to the Phase2 remote network.
Phew, sorry, but I was not able to describe it in a less complicated way...
mimugmail (Hero Member, Posts: 6766, Karma: 494)
Re: Outbound NAT to IPSec « Reply #18 on: February 26, 2020, 04:09:22 pm »
There is currently a limitation that NAT on IPsec only works when using one Phase2.
Jürgen Garbe (Newbie, Posts: 27, Karma: 0)
Re: Outbound NAT to IPSec « Reply #19 on: February 26, 2020, 04:11:25 pm »
Yes,
but additionally, in case of just one Phase2, the traffic detection for the automatic tunnel start isn't working either...