Outbound NAT on IPSec tunnel interface not working

Started by gromit, November 15, 2021, 06:28:24 PM

I'm running OPNsense 21.7.5-amd64 in an HA setup and have an IPSec tunnel defined for road warrior use.  Most of the Phase 2 entries are to allow remote clients to access subnets on the OPNsense system (e.g., "LAN subnet").  One Phase 2 entry is to a single host accessible via public IP via the WAN interface of the OPNsense system.  Because this is an HA system, I'm using manual outbound NAT.  I have outbound NAT rules defined for the WAN interface so that traffic on "IPSec net" is NATted using the CARP address of the WAN interface.  For now, I allow all traffic to pass on the IPSec (enc0) interface.

Unfortunately, clients connected to the IPSec VPN are unable to reach the public IP through the VPN.  Tcpdump reveals that outbound NAT is not being performed: the client traffic passes out the WAN with the original IPSec client IP as the source address.

I do this on a pfSense box and it works there.  The setup is not quite the same: the pfSense is not HA and so just uses automatic, not manual, outbound NAT.  However, the implementation appears different.  On OPNsense, selecting "IPSec net" results in a rule like "nat on cxl0 inet from (enc0:network) to any -> ..." (cxl0 is WAN) whereas on pfSense there is an alias of IPs (tonatsubnets) automatically generated and a rule like "nat on $WAN inet from <tonatsubnets> to any -> ..." results.

The pf.conf man page states ":network" "Translates to the network(s) attached to the interface" however "enc0" does not have any IP addresses associated with it.

Is this the reason why outbound NAT isn't working in this case: because "(enc0:network)" does not evaluate to any IP address(es)?  On pfSense, the outbound NAT sources are explicit lists of IP addresses.

It should be noted that outbound NAT works on my OpenVPN VPN with "OpenVPN net" as the source.  However, the ovpns1 interface in the openvpn interface group does have IP addresses defined on it.

Is the correct solution for such outbound NAT to use "Single host or Network" and use the IPSec VPN subnet instead of selecting "IPSec net" for "Source address" in the manual outbound NAT definition for IPSec traffic?

Quote: Is the correct solution for such outbound NAT to use "Single host or Network" and use the IPSec VPN subnet instead of selecting "IPSec net" for "Source address" in the manual outbound NAT definition for IPSec traffic?

Following up on myself, it looks like this was the correct solution: using an explicit CIDR for the IPSec client network instead of "IPSec net" got outbound NAT working for me for that Phase 2 entry.
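The two rule forms compared in the thread, written out as a pf.conf fragment. This is an added example, not taken from the forum posts or from OPNsense's generated rules: the interface names cxl0 (WAN) and enc0 (IPsec) come from the post above, while the CARP address and the IPsec client pool are constructed placeholders that you would replace with your own values.

```pf
# Added example (not from the forum thread). cxl0 and enc0 are the interface
# names from the post; every address below is a constructed placeholder.
wan_if        = "cxl0"
ipsec_if      = "enc0"
wan_carp      = "203.0.113.10"     # CARP VIP on WAN (placeholder)
ipsec_clients = "10.99.0.0/24"     # IPsec road-warrior client pool (placeholder)

# 1. What selecting "IPSec net" produces: an (enc0:network) source.
#    enc0 carries no IP address, so ":network" expands to an empty set and
#    the rule never matches. Kept commented out here as the non-working form.
# nat on $wan_if inet from ($ipsec_if:network) to any -> $wan_carp

# 2. Working form: name the client pool explicitly, which is what choosing
#    "Single host or Network" with the IPsec client CIDR does in the GUI.
nat on $wan_if inet from $ipsec_clients to any -> $wan_carp

# Checks to run on the firewall as root after the ruleset is loaded:
#   pfctl -sn            # loaded NAT rules: expect 10.99.0.0/24 as the source, not (enc0:network)
#   pfctl -vsn           # -v adds Evaluations/Packets counters; they increase as clients send traffic
#   tcpdump -ni cxl0     # packets leaving WAN should now carry 203.0.113.10 as the source
```

The same reasoning applies to any interface that has no address of its own: the pf.conf ":network" modifier only ever yields networks that are configured on the interface, so an address-less tunnel interface gives an empty source list and a NAT rule that silently never matches. Naming the client subnet directly makes the rule independent of what addresses the interface happens to carry, which is also why the OpenVPN case in the post works without this change.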