Mobile IPsec NAT/BINAT entries missing from firewall rules
Adding a NAT or BINAT to a mobile IPsec configuration does not work.
The NAT rules are not added to the pf configuration.
This is true for 1:1 and Many:1.
Updated by Jim Pingle over 2 years ago
- Target version set to 2.6.0
- Plus Target Version set to 21.09
Noting here what I mentioned on Slack:
- This is likely due to the fact that the "remote" network on mobile P2s is from the mobile settings and not defined inside the P2.
- The logic building the 1:1 NAT rules may be skipping these either because the remote is empty, or because it's mobile, or both.
- This could work for well-defined mobile address pools (maybe not per-user pools, though), but definitely isn't viable for RADIUS-assigned addresses since there is no way for the firewall to know what those are.
Updated by Chris Linstruth over 2 years ago
Documenting a possible workaround:
If you have the following Mobile IPsec configuration:
Mobile Virtual Address Pool: 172.16.17.0/24
Mobile Phase 2 Local Network: 192.168.1.0/24
Mobile Phase 2 BINAT Network: 10.11.12.0/24
You can leave that configuration in IPsec (to make the traffic interesting to IPsec) and add the following 1:1 NAT entry in Firewall > NAT, 1:1:
External Subnet IP: 10.11.12.0
Internal network: 192.168.1.0/24
Destination network: 172.16.17.0/24
That will give you this in the rule set:
binat on enc0 inet from 192.168.1.0/24 to 172.16.17.0/24 -> 10.11.12.0/24
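A small check for the behaviour described in this issue, added here as an example and not part of the report or of pfSense itself: given the workaround's 1:1 NAT parameters it builds the binat line pfSense should emit and tests whether a pf NAT ruleset dump (on pfSense, the output of `pfctl -sn`) actually contains it, so a missing rule is caught before users report broken tunnels. The function names `expected_binat`, `check_binat` and `verify` are mine, the two embedded rulesets are constructed samples (one with the workaround applied, one showing the reported failure), and the outbound NAT line with 203.0.113.10 is filler from the documentation range.

```sh
#!/bin/sh
# Added example (not from the issue or from pfSense): verify that the binat rule
# expected for a mobile IPsec 1:1 NAT / BINAT setup is present in a pf NAT ruleset.
# Live use on pfSense:  pfctl -sn | check_binat enc0 192.168.1.0/24 172.16.17.0/24 10.11.12.0/24
# Below, constructed ruleset dumps are embedded so the check runs offline.

# Build the pf rule line the 1:1 NAT entry from the workaround produces.
# $1 = interface, $2 = internal network, $3 = destination network, $4 = external subnet
expected_binat() {
    printf 'binat on %s inet from %s to %s -> %s\n' "$1" "$2" "$3" "$4"
}

# Read a ruleset on stdin; return 0 if the expected binat line is present, 1 otherwise.
# -F: literal match, -x: whole line, -q: quiet (exit status only).
check_binat() {
    rule=$(expected_binat "$1" "$2" "$3" "$4")
    grep -Fxq -- "$rule"
}

# Constructed sample: ruleset after adding the Firewall > NAT 1:1 entry (workaround applied).
RULES_WITH_BINAT='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
binat on enc0 inet from 192.168.1.0/24 to 172.16.17.0/24 -> 10.11.12.0/24'

# Constructed sample: the failure from the report, only the mobile P2 BINAT field set,
# so no binat rule reached pf at all.
RULES_WITHOUT_BINAT='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10'

# $1 = ruleset text. Prints a status line and returns the check result.
verify() {
    if printf '%s\n' "$1" | check_binat enc0 192.168.1.0/24 172.16.17.0/24 10.11.12.0/24; then
        echo "OK: binat rule for mobile IPsec clients is loaded"
        return 0
    else
        echo "MISSING: expected binat rule not in ruleset; mobile clients will not see the BINAT network"
        return 1
    fi
}

verify "$RULES_WITH_BINAT"
verify "$RULES_WITHOUT_BINAT" || true
```

Because `grep -x` requires an exact line match, any difference in the interface (for example a mobile P2 bound to something other than enc0) or in the network notation will also show up as MISSING, which is the conservative outcome for a rule that carries traffic into the tunnel.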