OPNsense
  • OPNsense Forum »
  • Archive »
  • 19.1 Legacy Series »
  • NAT before IPSec

Author Topic: NAT before IPSec (Read 3068 times)

GaardenZwerch
NAT before IPSec
« on: August 14, 2019, 11:05:05 am »
Hi,

I have a local network (192.168.0.0/24) that needs to be NATed (to 10.203.207.0/24) before it goes into the IPSec tunnel.
When the tunnel is up, this works perfectly fine (i.e. I have a NAT defined on the IPSec device, and added a manual SPD entry for 192.168.0.0/24).
However, hosts from the local network (192.168.0.0/24) can't get the tunnel up.
Code:
ping -S 192.168.0.1 other.side
does nothing, whereas
Code:
ping -S 10.203.207.1 other.side
pulls the tunnel up (I have added a virtual IP for 10.203.207.1 on the same interface as 192.168.0.1).

Could this bit from the changelog in 19.7.x solve my problem?
Quote:
ipsec: use interface IP address in local ID when doing NAT before IPsec

Thanks a lot

mimugmail
Re: NAT before IPSec
« Reply #1 on: August 26, 2019, 11:10:41 am »
The release note is not related to your problem. Have you also tried pinging from a real system in your LAN or only from the firewall via "-S"?
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

GaardenZwerch
Re: NAT before IPSec
« Reply #2 on: August 26, 2019, 11:26:52 am »
Hello MiMu,

Yes, there is a Nagios server (192.168.0.2) in that network that checks the availability of servers 'on the other side'. It gets replies, but only if the tunnel is up.

Can I post any additional info that might be useful?
Thanks

mimugmail
Re: NAT before IPSec
« Reply #3 on: August 26, 2019, 02:17:12 pm »
Hm, my tunnels are always up. Maybe it's worth checking why the tunnel itself goes down.

GaardenZwerch
Re: NAT before IPSec
« Reply #4 on: August 26, 2019, 04:15:19 pm »
Hmm,

I have no control over the remote side of the connection, so this is not easy. Leaving it on 'connect on traffic' is a requirement from the remote side.

My BINAT rule generates the following:
Code:
binat on enc0 inet from 192.168.0.0/24 to <BO_NETS> -> 10.203.207.0/24
but when the tunnel is down, traffic from 192.168.0.0/24 will not get routed to enc0. I suspect that this is the root of the problem.

mimugmail
Re: NAT before IPSec
« Reply #5 on: August 26, 2019, 04:19:35 pm »
Yes, because there is no known route. Why not set the mode to "start immediate"? I don't think the remote site will complain about it, or even become aware of it.

GaardenZwerch
Re: NAT before IPSec
« Reply #6 on: August 26, 2019, 04:47:49 pm »
Somehow, the tunnel closes every now and then (after inactivity?). Even if I leave it at 'Start immediate' (tried this before), it will eventually go down, and my side won't be able to get it up again. Figuring out why the tunnel goes away is hard, as I don't control the other side. On my side, is it possible to get a log over a longer period of time?

mimugmail
Re: NAT before IPSec
« Reply #7 on: August 26, 2019, 05:19:14 pm »
You can increase system logging and catch it via CLI:

clog /var/log/ipsec.log
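As an added example (not from this thread or from OPNsense itself): once logging is raised, a small parser over the charon-style lines in /var/log/ipsec.log can reconstruct when each IKE_SA went down, how long it stayed down, and whether the remote peer sent the DELETE, which is the question the poster cannot answer without the other side. The sample log and the message patterns it matches are constructed assumptions about strongSwan's output; adjust the regex to your own log.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/ipsec.log lines (strongSwan "charon" style,
# an assumption about the format; connection name "con1" is made up).
SAMPLE_LOG = """\
Aug 26 16:47:49 fw charon: 05[IKE] <con1|3> IKE_SA con1[3] established between 203.0.113.10[203.0.113.10]...192.0.2.20[192.0.2.20]
Aug 26 16:47:49 fw charon: 05[IKE] <con1|3> CHILD_SA con1{5} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 10.203.207.0/24 === 172.16.5.0/24
Aug 26 18:02:11 fw charon: 09[IKE] <con1|3> received DELETE for IKE_SA con1[3]
Aug 26 18:02:11 fw charon: 09[IKE] <con1|3> deleting IKE_SA con1[3] between 203.0.113.10[203.0.113.10]...192.0.2.20[192.0.2.20]
Aug 26 18:02:11 fw charon: 09[IKE] <con1|3> IKE_SA deleted
Aug 26 19:15:30 fw charon: 11[IKE] <con1|4> IKE_SA con1[4] established between 203.0.113.10[203.0.113.10]...192.0.2.20[192.0.2.20]
"""

# syslog timestamp, host, "charon:", thread[IKE], <conn|id>, message
LINE_RE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ charon: \d+\[IKE\] <([^|>]+)\|\d+> (.*)$")


def parse_ike_events(text, year=2019):
    """Return (timestamp, conn, kind) tuples; kind is up / down / remote_delete.
    syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        conn, msg = m.group(2), m.group(3)
        if re.match(r"IKE_SA \S+ established", msg):
            events.append((ts, conn, "up"))
        elif msg.startswith("received DELETE for IKE_SA"):
            events.append((ts, conn, "remote_delete"))   # peer tore it down
        elif msg.startswith("deleting IKE_SA"):
            events.append((ts, conn, "down"))
    return events


def down_periods(events):
    """Pair each teardown with the next re-establishment of the same connection.
    Returns (conn, down_at, up_again_or_None, initiated_by) tuples."""
    periods, remote, pending = [], set(), {}
    for ts, conn, kind in events:
        if kind == "remote_delete":
            remote.add(conn)               # the following "deleting" was remote-initiated
        elif kind == "down":
            pending[conn] = (ts, "remote" if conn in remote else "local")
            remote.discard(conn)
        elif kind == "up" and conn in pending:
            down_ts, who = pending.pop(conn)
            periods.append((conn, down_ts, ts, who))
    periods += [(c, d, None, w) for c, (d, w) in pending.items()]  # still down
    return periods
```

Run `down_periods(parse_ike_events(open("/var/log/ipsec.log").read()))` over a day's worth of lines; a string of "remote"-initiated teardowns after idle periods points at the peer's lifetime or DPD settings rather than at the local NAT rule.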
