Setting up IPsec VPN with NAT involved and traffic is not passing

Hi Team,

This is my first time trying to set up an IPsec VPN from VyOS to VyOS where source NAT is involved. I have NATed my LH subnet behind a source IP, but the traffic is not reaching the RH subnets.

Here is my scenario

RH Subnet : 10.10.14.0/24

LH Subnet : 10.10.13.0/24

RH Peer is : 10.10.12.30

LH Peer is : 10.10.12.12

LH Subnet is source NATed behind 100.65.1.1. Here is my config; let me know if I have done anything wrong.

R1 config

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE close-action 'none'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE lifetime '28800'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.12.30 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.12.30 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 10.10.12.30 authentication remote-id '10.10.12.30'
set vpn ipsec site-to-site peer 10.10.12.30 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.12.30 ike-group 'IKE'
set vpn ipsec site-to-site peer 10.10.12.30 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.12.30 local-address '10.10.12.12'
set vpn ipsec site-to-site peer 10.10.12.30 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.10.12.30 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.10.12.30 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 10.10.12.30 tunnel 1 local prefix '100.65.1.1/32'
set vpn ipsec site-to-site peer 10.10.12.30 tunnel 1 remote prefix '10.10.14.0/24'
set nat source rule 100 destination address '10.10.14.0/24'
set nat source rule 100 outbound-interface 'any'
set nat source rule 100 source address '10.10.13.0/24'
set nat source rule 100 translation address '100.65.1.1'

R2 Config

set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '3600'
set vpn ipsec esp-group ESP mode 'tunnel'
set vpn ipsec esp-group ESP pfs 'dh-group5'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE close-action 'none'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev2'
set vpn ipsec ike-group IKE lifetime '28800'
set vpn ipsec ike-group IKE proposal 1 dh-group '5'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer 10.10.12.12 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.10.12.12 authentication pre-shared-secret 'admin@123'
set vpn ipsec site-to-site peer 10.10.12.12 authentication remote-id '10.10.12.12'
set vpn ipsec site-to-site peer 10.10.12.12 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.10.12.12 ike-group 'IKE'
set vpn ipsec site-to-site peer 10.10.12.12 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.10.12.12 local-address '10.10.12.30'
set vpn ipsec site-to-site peer 10.10.12.12 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 10.10.12.12 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 10.10.12.12 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 10.10.12.12 tunnel 1 local prefix '10.10.14.0/24'
set vpn ipsec site-to-site peer 10.10.12.12 tunnel 1 remote prefix '100.65.1.1/32'

Has anyone faced this issue before, or has anyone set up the tunnel with NATing enabled?

Unsure why you’re setting local prefix to your NAT’d address?

Try set vpn ipsec site-to-site peer 10.10.12.30 force-udp-encapsulation on each side (updating the IP address for R2)

I haven't set up a site-to-site on VyOS so I'm only having a guess here, but yeah, I don't understand why you've set that /32 instead of the 10.10.13.0/24.

So local should be the actual range, right? Then I'm wondering how the NATed traffic will be sent into IPsec?

You want to send traffic from 10.10.14.0/24 to 10.10.13.0/24 - yes?

traffic from 13.0 to 14.0 hidden behind 100.65.1.1 on LH side

I guess that is not possible with a policy-based tunnel on VyOS? Maybe a route-based tunnel?

I’m sorry I don’t understand what you’re trying to achieve. Forget NAT etc, what traffic flow(s) are you trying to encrypt with IPSEC?

Ok -

Traffic from 10.10.13.0/24 (LH router) -> (RH router) 10.10.14.0/24.

Source 10.10.13.0/24 NATed behind 100.65.1.1.

Here is a diagram

This requires a source NAT rule on WAN interface, translating outgoing traffic sourced from 10.10.13.x into 100.65.1.1. Which is present.
Also your local/remote prefixes are correct.

Normally, IPsec tunnels require a NAT exclude rule (WAN most times has masquerade enabled). Does IPsec create such a rule automagically? It might clash with your NAT rule.

While pinging from LAN to remote, inspect the NAT connection table in VyOS.
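The two points raised in this post, that the local/remote prefixes describe the post-NAT address and that a WAN masquerade rule can clash with the VPN-bound NAT rule, can be checked with a small model. The Python below is an added illustration, not VyOS code or anything posted in this thread; it assumes the usual order of operations for LAN-to-WAN traffic (source NAT is applied first, then the packet is compared against the IPsec local/remote prefix selector), that VyOS source NAT rules are evaluated in ascending rule number with the first match winning and 'exclude' ending the lookup, and it ignores outbound-interface matching. The masquerade rule, the host addresses 10.10.13.5 / 10.10.14.5 and the rule numbers 50 and 200 are constructed for the example; the 100.65.1.1 translation and selector come from the configs above.

```python
"""Model: VyOS source-NAT rule lookup followed by a policy-based IPsec
selector match.  Added illustration, not VyOS code.  Assumption: on the
LAN -> WAN path the source NAT rewrite happens before the IPsec policy
lookup, so the selector must describe the post-NAT source.  Interfaces
are ignored (every rule is treated as applying to the same WAN interface)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class SnatRule:
    """One 'set nat source rule N ...' entry."""
    number: int
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    translation: Optional[str] = None   # translated source; None for exclude
    exclude: bool = False               # 'exclude': leave this traffic un-NATed


@dataclass
class Selector:
    """'tunnel 1 local prefix' / 'remote prefix' of the site-to-site peer."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def apply_snat(rules: List[SnatRule], src: str, dst: str) -> str:
    """Lowest-numbered matching rule wins; an exclude rule stops processing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if s in rule.source and d in rule.destination:
            return src if rule.exclude else rule.translation
    return src


def selector_matches(sel: Selector, src: str, dst: str) -> bool:
    return (ipaddress.ip_address(src) in sel.local
            and ipaddress.ip_address(dst) in sel.remote)


def outbound(rules: List[SnatRule], sel: Selector, src: str, dst: str,
             conntrack: Dict[Tuple[str, str], str]) -> Tuple[str, str]:
    """LAN -> WAN: SNAT first, then the policy lookup on the rewritten source.
    Returns (post-NAT source, 'ipsec' | 'cleartext') and records the
    translation so the reply can be mapped back to the LAN host."""
    nat_src = apply_snat(rules, src, dst)
    conntrack[(nat_src, dst)] = src
    return nat_src, "ipsec" if selector_matches(sel, nat_src, dst) else "cleartext"


def inbound_reply(sel: Selector, src: str, dst: str,
                  conntrack: Dict[Tuple[str, str], str]) -> Tuple[str, str]:
    """WAN -> LAN reply: the reversed selector (remote -> local) must match,
    then conntrack un-NATs the destination back to the original LAN host."""
    reverse = Selector(local=sel.remote, remote=sel.local)
    if not selector_matches(reverse, src, dst):
        return dst, "not in tunnel"
    return conntrack.get((dst, src), dst), "ipsec"


# R1's selector and NAT rule 100, as posted above.
LH_SEL = Selector(local=net("100.65.1.1/32"), remote=net("10.10.14.0/24"))
RULE_100 = SnatRule(100, net("10.10.13.0/24"), net("10.10.14.0/24"), "100.65.1.1")
# Constructed: a typical WAN masquerade rule translating to the WAN address.
MASQ_50 = SnatRule(50, net("0.0.0.0/0"), net("0.0.0.0/0"), "10.10.12.12")
MASQ_200 = SnatRule(200, net("0.0.0.0/0"), net("0.0.0.0/0"), "10.10.12.12")


def scenario_posted_config():           # rule 100 only: NATed, then encrypted
    return outbound([RULE_100], LH_SEL, "10.10.13.5", "10.10.14.5", {})


def scenario_masquerade_clash():        # masquerade numbered before rule 100
    return outbound([MASQ_50, RULE_100], LH_SEL, "10.10.13.5", "10.10.14.5", {})


def scenario_masquerade_after():        # masquerade numbered after rule 100
    return outbound([MASQ_200, RULE_100], LH_SEL, "10.10.13.5", "10.10.14.5", {})


def scenario_lan_prefix_selector():     # selector written for the pre-NAT LAN
    sel = Selector(local=net("10.10.13.0/24"), remote=net("10.10.14.0/24"))
    return outbound([RULE_100], sel, "10.10.13.5", "10.10.14.5", {})


def scenario_reply():                   # RH -> 100.65.1.1 is un-NATed to the host
    ct: Dict[Tuple[str, str], str] = {}
    outbound([RULE_100], LH_SEL, "10.10.13.5", "10.10.14.5", ct)
    return inbound_reply(LH_SEL, "10.10.14.5", "100.65.1.1", ct)


if __name__ == "__main__":
    for fn in (scenario_posted_config, scenario_masquerade_clash,
               scenario_masquerade_after, scenario_lan_prefix_selector,
               scenario_reply):
        print(f"{fn.__name__:32s} -> {fn()}")
```

The masquerade case is the clash described in the post: a lower-numbered masquerade rule rewrites the source to the WAN address before rule 100 is reached, the /32 selector no longer matches, and the packet leaves in the clear. That is also why looking at the NAT connection table while pinging is the right check: the entry shows which translation actually won.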

I tried that but no luck. Can we achieve this scenario with a policy-based tunnel, or do I need to use route-based tunnels only?