local NAT in VPN

Hi

I'm setting op a Firebox to replace an ASA. It has a single BOVPN to at remote site. Remote site is also running and ASA.

We have P1 up and runing, but P2 keeps failing.

I have local IP set to a /28-network that the remote end wants to access and 1-1 NAT to a matching /28 network where the first address is the address (.1) of the server they are acessing.

The tunnel says:
Tunnel 'tunnel.32.11' - Message retry timeout. Check VPN IKE diagnostic log messages for more information. (12:41:32 11.10.2019)

The remote and initiating end gets: "Received non-routine Notify Message: No Proposal chosen 14"

The Debug gives me:
Error Messages for gateway: gateway.32.11
Oct 11 12:41:28 2019 ERROR 0x020513a0 No matching tunnel route for peer proposed local: x.26.5.96/28 remote: x.96.220.0/24

and
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"x.26.5.96/28(1-1NAT Invalid Address Type(0))<->x.96.220.0/24"
Stored user messages:
Oct 11 12:41:32 2019 ERROR 0x0205000b Message retry timeout. Check VPN IKE diagnostic log messages for more information.

I dont have experience with NAT in tunnels. Can anyone help?

Comments

  • With a BOVPN with 1-to-1 NAT - the IP addr of packets being sent to the remote site appears to come from the NATed IP addrs.

    It appears to me that you are trying to do the reverse.

    Consider opening a support incident so that a WG rep can help you get this working.

Sign In to comment.