New Member

masquerade into ipsec remote network

Hello guys, I have a fully working IPsec setup:

remote subnet: 10.64.135.0/24

local subnet: 10.66.23.0/28

My interfaces:

eth0 - default gateway into internet

eth1 - 10.66.23.1/28

eth2 - 192.168.155.0/24

I want to pass traffic from eth2 (192.168.155.0/24) into the IPsec remote network (10.64.135.0/24).

Example: if a request from 192.168.155.2 is made to 10.64.135.10, masquerade the source IP as 10.66.23.3.

I have this configuration:

nat {
    rule 5000 {
        description dns_fixtest
        destination {
            group {
                address-group my_group
            }
        }
        log disable
        outbound-interface eth1
        outside-address {
            address 10.66.23.3
        }
        protocol all
        source {
            group {
                network-group localnet
            }
        }
        type source
    }
}

my_group is 10.64.135.10

localnet is 192.168.155.0/24

But this is just not working... the packet count on this rule is 0.



All Replies
Veteran Member 16again

Re: masquerade into ipsec remote network

Probably you're using the ipsec auto-firewall-nat-exclude thingy.

It introduces its own NAT exclude rule for the remote subnet, which comes before your rule.

Disable the auto rule and replace it with manual rules. When things work as they do now, then try adding your masquerade rule.

From memory, you need these rules:

WAN_LOCAL: allow ESP, UDP 500 and UDP 5000

WAN_LOCAL: allow "match-ipsec" from LAN IP addresses in use

WAN_IN: allow match-ipsec for source remote subnet, destination local subnet

Add a NAT exclude rule for destination = remote subnet, and make sure it comes before the current masquerade rule.

Moreover, toggling auto-firewall-nat-exclude might require a reboot.

New Member

Re: masquerade into ipsec remote network

Thank you for the reply. I don't have any NAT now, so I don't use "auto-firewall-nat-exclude" (as you can see in my VPN config) because it's not needed.

What outbound interface should I use in the SNAT rule when I want to SNAT to one of the local IPs of the local IPsec network?

EDIT: I just realised I haven't posted my VPN config yet, so here it is:

ipsec {
    esp-group upvs {
        compression disable
        lifetime 3600
        mode tunnel
        pfs dh-group5
        proposal 1 {
            encryption aes256
            hash sha512
        }
    }
    ike-group upvs {
        key-exchange ikev1
        lifetime 86400
        mode main
        proposal 1 {
            dh-group 5
            encryption aes256
            hash sha512
        }
    }
    site-to-site {
        peer xxx.xxx.191.223 {
            authentication {
                id xxx.xxx.171.98
                mode pre-shared-secret
                pre-shared-secret **********
                remote-id example@example.example
            }
            connection-type initiate
            default-esp-group upvs
            ike-group upvs
            local-address 192.168.139.199
            tunnel 1 {
                esp-group upvs
                local {
                    prefix 10.66.23.0/28
                }
                remote {
                    prefix 10.64.135.0/24
                }
            }
        }
    }
}
Veteran Member 16again

Re: masquerade into ipsec remote network (accepted solution)

For the NAT rule, the outgoing interface is the one having IP 192.168.139.199.
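
Why the outbound interface has to be the one holding 192.168.139.199, and why the exclude-rule ordering from the first reply matters, comes down to the order in which a Linux-based router such as EdgeOS processes a forwarded packet: the route lookup picks the physical egress interface (the remote subnet is reached via the default route, not via eth1, so a rule bound to eth1 can never count a packet), source NAT runs in POSTROUTING on that interface, and only then is the IPsec policy checked against the translated source and destination. The Python model below is added here as an illustration; it is not code from the thread or from EdgeOS. It uses the thread's addresses but assumes that eth0 carries 192.168.139.199 (the thread only says eth0 is the default gateway) and a constructed routing table; the firewall side is not modelled (note that IPsec NAT traversal uses UDP 4500 alongside UDP 500 and ESP).

```python
"""Model of the order in which an EdgeOS/Linux router handles a forwarded packet
(added example, not code from the thread or from EdgeOS):
  1. route lookup on the original destination picks the egress interface
  2. nat POSTROUTING: lowest-numbered matching source rule wins; an exclude
     rule that matches ends NAT processing without translating
  3. IPsec policy (SPD) lookup on the post-NAT source/destination
Addresses are the ones in the thread; eth0 holding 192.168.139.199 and the
routing table below are assumptions made for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Optional

# Constructed routing table: connected subnets plus the default route.
ROUTES = [
    (ip_network("10.66.23.0/28"), "eth1"),
    (ip_network("192.168.155.0/24"), "eth2"),
    (ip_network("192.168.139.0/24"), "eth0"),  # assumption: WAN side with 192.168.139.199
    (ip_network("0.0.0.0/0"), "eth0"),
]

# Tunnel 1 from the thread's vpn config: local prefix <-> remote prefix.
SPD = [(ip_network("10.66.23.0/28"), ip_network("10.64.135.0/24"))]


@dataclass
class NatRule:
    number: int
    outbound_interface: str
    source: IPv4Network
    destination: IPv4Network
    translate_to: Optional[IPv4Address]  # None means "exclude" (no translation)
    hits: int = 0                        # the packet counter the OP saw stuck at 0


@dataclass
class Verdict:
    egress: str
    src: IPv4Address          # source address after NAT
    nat_rule: Optional[int]   # number of the rule that matched, if any
    ipsec: bool               # True if the packet enters the tunnel


def route_lookup(dst: IPv4Address) -> str:
    """Longest-prefix match over ROUTES."""
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def apply_snat(rules, egress, src, dst):
    """First rule (by number) whose interface, source and destination match wins."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.outbound_interface == egress and src in r.source and dst in r.destination:
            r.hits += 1
            return (src if r.translate_to is None else r.translate_to), r.number
    return src, None


def spd_match(src, dst) -> bool:
    """Linux re-runs the XFRM policy lookup after SNAT, so match on the new source."""
    return any(src in local and dst in remote for local, remote in SPD)


def forward(rules, src: str, dst: str) -> Verdict:
    s, d = ip_address(src), ip_address(dst)
    egress = route_lookup(d)
    new_src, rule_no = apply_snat(rules, egress, s, d)
    return Verdict(egress, new_src, rule_no, spd_match(new_src, d))


def thread_rule(outbound_interface: str) -> NatRule:
    """Rule 5000 from the original post, with outbound-interface as a parameter."""
    return NatRule(5000, outbound_interface, ip_network("192.168.155.0/24"),
                   ip_network("10.64.135.10/32"), ip_address("10.66.23.3"))


def masquerade_rule() -> NatRule:
    """A plain masquerade-to-WAN rule (assumed for the example, not in the thread)."""
    return NatRule(10, "eth0", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"),
                   ip_address("192.168.139.199"))


def exclude_rule() -> NatRule:
    """The manual NAT exclude for the remote subnet that the first reply asks for."""
    return NatRule(5, "eth0", ip_network("0.0.0.0/0"), ip_network("10.64.135.0/24"), None)


if __name__ == "__main__":
    broken = thread_rule("eth1")   # as posted: never matches, counter stays 0
    print(forward([broken], "192.168.155.2", "10.64.135.10"), "hits:", broken.hits)
    fixed = thread_rule("eth0")    # as fixed: SNAT to 10.66.23.3, then the SPD matches
    print(forward([fixed], "192.168.155.2", "10.64.135.10"), "hits:", fixed.hits)
    # Masquerade before exclude: tunnel traffic is rewritten to the WAN address and
    # falls outside the local selector; with the exclude first it stays in the tunnel.
    print(forward([masquerade_rule()], "10.66.23.5", "10.64.135.10"))
    print(forward([masquerade_rule(), exclude_rule()], "10.66.23.5", "10.64.135.10"))
```

The only change needed in the posted rule 5000 is therefore the outbound-interface: it must name the interface that owns the tunnel's local-address (eth0 under the assumption above), while outside-address stays inside the tunnel's local prefix 10.66.23.0/28 so that the post-NAT source matches the tunnel selector.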

New Member

Re: masquerade into ipsec remote network


@16again wrote:

For the NAT rule, the outgoing interface is the one having IP 192.168.139.199.

This worked pretty well. Thank you 16again.