topic Re: Problem with IPSEC tunnel and source NAT in Firewall and Security Management

Problem with IPSEC tunnel and source NAT

SRE_Tuenti — Thu, 01 Feb 2018 09:53:16 GMT

Hello

We have a problem with an appliance running R77.40, IPSEC and source NAT.

Scenario:

- A Star IPSEC VPN with two Gateways (let's call our site Alice and the opposite side Bob)

- Our (Alice) R77.30 with public IP, oposite side (Bob) Cisco ASA with public IP, so no NAT-T. Let's say 8.8.8.8 Alice and 4.4.4.4 the Bob.

- both sites have internal private IPs. Let's say 10.10.10.0/24 in Alice and 192.168.1.0/24 in the Bob.

To avoid overlaping problems in the future we agreed in using a small range of public IP in each side with NAT. Let's say 192.0.2.0/28 in Alice and 13.13.13.0/28 in the Bob, so we need to apply NAT

- Both public ranges and Alice IP range are included in the encryption domains

Traffic from the opposite side to one of our hosts success:

- I (Alice) have a Policy: Source: Bob_enc_domain (their publi) Destination: (Alice encryption domain, public and private IPs), VPN: the Community Service: Any Action: accept

- And the NAT: Original source: Public IP 1 of Bob, Original destination: Public IP 1 of Alice. Service 443. Translated source: internal IP of Alice FW (CheckPoint), Translated destination: internal private IP of Alice. service: original

BUT (This is the problem):

Traffic form Alice side to Bob doesn't work.

I tried many scenarios. The current one:

- Traffic originated from Alice internal machine, Source IP, internal (included in Alice encryption domain), Destination IP, Bob public IP (included in Bob encryption domain)

- Firewall rules (tried many): source: Alice internal private IP, destination: Bob Encription domain, VPN: Community. sevice any.

- NAT rules (33): Original source: Alice internal private IP, Original destination: Bob public IP, Service 10001 Translated source: Public IP 1 of Alice Translated destination: Original translated service:Original

This fails with an error: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

In the same dialog I see:

NAT Rule number: 33

NAT additional Rule... 1

But no Xlated address appear.

Acording to what I've read, this should work, but it don't.

Can anybody give me some hints?

Re: Problem with IPSEC tunnel and source NAT

KennyManrique — Thu, 01 Feb 2018 19:22:57 GMT

Hello SRE,

I assumpt you are using the nat scenario for client to server traffic (specific servers only).

Have you made a debug to see which networks are being negotiated? You can follow this SK in case you didn't How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?

If you already include your local network (10.10.10.0/24) and your nated network (192.0.2.0/28) on your local encription domain, then you have to do the same for remote peer encryption domain, this way you are telling the gateway that nated range of Bob belongs to the VPN along with its local network.

Since your error is no valid SA it seems the tunnel is not establishing when you initiate the traffic. You can verify the following SK: VPN Site-to-Site with 3rd party on Scenario 1 and manually negotiate the nated networks with the peer.

Regards.

Re: Problem with IPSEC tunnel and source NAT

SRE_Tuenti — Mon, 05 Feb 2018 13:35:06 GMT

Hi Kenny

Sorry for the delay in answering you. Thanks for the information and links.

The other partner shut down his side of the tunnel last Friday and we're waiting for them to do more tests.

I'll try to keep you informed.

Regards