Updating from 6.5.x to 7.0.x changes the way NAT and IPSEC interact, and outgoing tunnel traffic may be blocked if a NAT rule also matches it.
Example: assume that there are:
an INSIDE tunnel whose traffic goes out through an OUTSIDE interface;
a NAT rule on the OUTSIDE interface used by the INSIDE tunnel.
In this case the IP addresses belonging to that tunnel must not be matched by the NAT rule, otherwise the outgoing traffic towards the tunnel's remote network is blocked.
The following is the configuration of the IKE hosts and IKE clients:
[19:41:29] ABILIS_CPX:d ike host

----------------------------------------------------------------------------
HOST: NAME:       LOC-IP:          NATT: XAUTH: AUTH: HASH: DH:       CIPHER:
      REM-IP:          SIDE:   MODE-CFG: XAUTH-USER: XAUTH-PWD:
----------------------------------------------------------------------------
1     SOFTMEDIDC  012.034.065.078  SYS   NO     PSK   MD5   MODP1024  3DES
      xxx.xxx.xxx.xxx  INSIDE  NO
----------------------------------------------------------------------------
2     SOFTMEDLAB  012.034.065.078  SYS   NO     PSK   MD5   MODP1024  3DES
      xxx.xxx.xxx.xxx  INSIDE  NO
----------------------------------------------------------------------------
3     SOFTMEDBCK  012.034.065.078  SYS   NO     PSK   MD5   MODP1024  3DES
      xxx.xxx.xxx.xxx  INSIDE  NO
----------------------------------------------------------------------------
4     MATTEO      012.034.065.078  SYS   NO     PSK   MD5   MODP1024  3DES
      xxx.xxx.xxx.xxx  INSIDE  NO
----------------------------------------------------------------------------
5     SMHOUSING   012.034.065.078  SYS   NO     PSK   MD5   MODP1024  3DES
      xxx.xxx.xxx.xxx  INSIDE  NO
----------------------------------------------------------------------------

[19:45:07] ABILIS_CPX:d ike cli

----------------------------------------------------------------------------
CLI: NAME:  HOST-ID: RULE:  LIFE-TIME: PFS: ESP: ESP-CIPHER: ESP-AUTH:
     PASSIVE: PERMANENT: NET-LOC:            AH: AH-AUTH:
     TUNNEL:  NET-REM:            MODE-CFG-DNS:
----------------------------------------------------------------------------
1    NAME1  1        IPSEC  28800      NO   YES  DES         MD5
     NO       YES        192.168.002.064/28  NO  MD5
     YES      192.168.010.000/24  SYS
----------------------------------------------------------------------------
2    NAME2  2        IPSEC  28800      NO   YES  DES         MD5
     NO       YES        192.168.002.064/28  NO  MD5
     YES      192.168.011.010/32  SYS
----------------------------------------------------------------------------
3    NAME3  3        IPSEC  86400      NO   YES  DES         MD5
     NO       YES        192.168.002.064/28  NO  MD5
     YES      192.168.014.000/24  SYS
----------------------------------------------------------------------------
4    NAME4  4        IPSEC  86400      NO   YES  DES         MD5
     NO       NO         192.168.002.064/28  NO  MD5
     YES      172.016.015.000/24  SYS
----------------------------------------------------------------------------
5    NAME5  5        IPSEC  86400      NO   YES  DES         MD5
     NO       YES        192.168.002.064/28  NO  MD5
     YES      192.168.026.102/32  SYS
----------------------------------------------------------------------------
Create a list of the private IP ranges (PrivateIp) and a list of public IPs defined as everything that is not in PrivateIp (PublicIp):
[19:41:14] ABILIS_CPX:d list:PrivateIp

LIST:PrivateIp - IR
010.000.000.000:010.255.255.255
172.016.000.000:172.031.255.255
192.168.000.010:192.168.255.255

[19:41:22] ABILIS_CPX:d list:PublicIp

LIST:PublicIp - RU
NOT.PrivateIp
Check the ranges in PrivateIp against the private networks actually in use: in the list shown above the 192.168 range starts at 192.168.000.010, so destinations 192.168.000.000 to 192.168.000.009 are treated as public and would still be translated. Then exclude private destination addresses from the NAT rule used by the tunnel by setting its DNET parameter to 'PublicIp':
[19:41:28] ABILIS_CPX:d nat
UPNP maps not present
Configured maps
----------------------------------------------------------------------------
PR: [DESCR:]
INAT: ADD: SNET: DNET: ANET:
ONAT: SPO: DPO: APO:
PAT:
SIP: DIP: PROT: TOUT:
----------------------------------------------------------------------------
0 IN SRC 192.168.002.064/28 192.168.001.001/32 Ip-1
OUT * * AUTO
YES
----------------------------------------------------------------------------
1 IN SRC 192.168.002.064/28 'PublicIp' Ip-3
OUT * * AUTO
YES
----------------------------------------------------------------------------
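The exclusion can be verified offline before the change is applied. The script below is an added example, not part of the Abilis CPX documentation or firmware: it re-implements in Python the semantics of the two lists shown above (PrivateIp as a set of first:last address ranges, PublicIp as NOT.PrivateIp) and checks that the NET-REM of every IKE client from the 'd ike cli' output lies entirely inside PrivateIp, so that DNET:'PublicIp' on NAT rule 1 never matches traffic towards the tunnels. It also runs a constructed case, a remote network 192.168.000.000/24, to show the hosts that the 192.168.000.010 start of the range leaves exposed to the NAT. The function names (parse_addr, nat_exposed, check_tunnels) are the example's own.

```python
"""Added check, not part of the Abilis CPX documentation or firmware: it
re-implements in Python the list semantics shown on this page (an IR list of
address ranges and the RU list 'NOT.PrivateIp') and verifies that every IKE
client's NET-REM lies entirely inside PrivateIp, i.e. entirely outside the
DNET:'PublicIp' match of the NAT rule. Addresses use the zero-padded dotted
form the CPX CLI prints."""
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address

# Copied from the 'd list:PrivateIp' output above (entries are first:last).
PRIVATE_IP_RANGES = [
    "010.000.000.000:010.255.255.255",
    "172.016.000.000:172.031.255.255",
    "192.168.000.010:192.168.255.255",
]

# NET-REM of each client in the 'd ike cli' output above.
TUNNEL_NET_REM = {
    "NAME1": "192.168.010.000/24",
    "NAME2": "192.168.011.010/32",
    "NAME3": "192.168.014.000/24",
    "NAME4": "172.016.015.000/24",
    "NAME5": "192.168.026.102/32",
}


def parse_addr(text: str) -> IPv4:
    """Parse a zero-padded dotted quad such as 192.168.002.064
    (int(o, 10) keeps a leading zero from being read as octal)."""
    octets = [int(o, 10) for o in text.strip().split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address: {text!r}")
    return IPv4(".".join(str(o) for o in octets))


def parse_net(text: str) -> ipaddress.IPv4Network:
    """Parse a zero-padded network such as 192.168.002.064/28."""
    addr, _, plen = text.partition("/")
    return ipaddress.IPv4Network(f"{parse_addr(addr)}/{plen or 32}", strict=False)


def parse_range(text: str) -> Tuple[IPv4, IPv4]:
    """Parse one IR list entry 'first:last'."""
    first, _, last = text.partition(":")
    lo, hi = parse_addr(first), parse_addr(last)
    if lo > hi:
        raise ValueError(f"inverted range: {text!r}")
    return lo, hi


def subtract_ranges(lo: IPv4, hi: IPv4, ranges) -> List[Tuple[IPv4, IPv4]]:
    """Remove every (first, last) range in 'ranges' from [lo, hi] and return
    what is left as contiguous (first, last) pieces. With the PrivateIp
    ranges this is exactly what NOT.PrivateIp ('PublicIp') matches in [lo, hi]."""
    remaining = [(lo, hi)]
    for plo, phi in ranges:
        kept = []
        for a, b in remaining:
            if phi < a or plo > b:          # no overlap with this private range
                kept.append((a, b))
                continue
            if plo > a:                     # piece below the private range
                kept.append((a, plo - 1))
            if phi < b:                     # piece above the private range
                kept.append((phi + 1, b))
        remaining = kept
    return remaining


def nat_exposed(net_rem: str, private_ranges=PRIVATE_IP_RANGES) -> List[Tuple[str, str]]:
    """Sub-ranges of NET-REM that DNET:'PublicIp' would still match, as strings.
    An empty list means the tunnel's remote network is fully excluded from NAT."""
    net = parse_net(net_rem)
    ranges = [parse_range(r) for r in private_ranges]
    return [(str(a), str(b)) for a, b in subtract_ranges(net[0], net[-1], ranges)]


def check_tunnels(tunnels: Dict[str, str],
                  private_ranges=PRIVATE_IP_RANGES) -> Dict[str, List[Tuple[str, str]]]:
    """Run nat_exposed() for every tunnel; a non-empty value means part of
    that tunnel's traffic would be translated by the NAT rule."""
    return {name: nat_exposed(net_rem, private_ranges) for name, net_rem in tunnels.items()}


if __name__ == "__main__":
    for name, exposed in check_tunnels(TUNNEL_NET_REM).items():
        print(f"{name}: {'OK, excluded from NAT' if not exposed else 'STILL NATTED: ' + str(exposed)}")
    # Constructed edge case: a remote network that starts below 192.168.000.010
    print("192.168.000.000/24:", nat_exposed("192.168.000.000/24"))
```

All five tunnels from the page come out empty (fully excluded), while the constructed 192.168.000.000/24 case reports 192.168.0.0 to 192.168.0.9 as still matched by 'PublicIp', which is the gap the PrivateIp range should be checked for.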