IPsec - NAT before IPsec

Network topology

The schema below describes the situation we are implementing: two networks (A, B) peered between both firewalls, where the IPsec policy includes <->, but locally side A uses

How to setup the tunnel itself is explained in the IPsec - Policy based public key setup document.


Make sure the tunnel is up and running before trying out the NAT part. Then edit the child entry and enter a Reqid that is not used by any of the other tunnels. For this example we choose 100.

It is imperative to choose a fixed number here: the manual security policies below are bound to the tunnel by this reqid, and a dynamically assigned one may change on every reconnect.

Add manual security policies

In order for IPsec to trust the local network ( a manual policy needs to be added. Go to the “Manual” tab in VPN->IPsec->Security Policy Database and add a new entry containing the following items:


site A

Source network

When the “Destination network” is left empty, the other end (in this case will be received from the tunnel. In case multiple networks exist in the same child policy, it is better to define which one this entry belongs to.


After changing manual security policies, make sure the tunnel is reconnected (restart, or disconnect and connect), because the policies are registered from an updown event and are not installed until the tunnel comes up again.


Some scenarios require multiple clients to be connected to the same “child” (such as mobile). When the other end pushes its network (destination), it is possible to hook into the correct connection by binding the manual policy directly to the connection child. In these cases the reqid is dynamic (leave it blank) in the connection child, and the “Child” option is used for these manual policies instead.

Configure NAT

To map the networks, we will use a one-to-one rule created from the Firewall->NAT->One-to-One menu option. The following settings apply here:

site A

Type: BINAT (two way mapping)

External network: as defined in the child connection

Source: the local network

Destination: the remote network

When using BINAT all networks need to be equally sized (/24 in this case), since every address in the source network is mapped one-for-one onto the external network.
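The two constraints above (the manual policy must carry the fixed reqid chosen in the child, and BINAT networks must share a prefix length) can be checked from the shell on the firewall. The script below is an added example and is not part of the OPNsense documentation or of OPNsense itself. The SPD dump embedded in it is constructed to resemble `setkey -DP` output on FreeBSD, where a policy bound to a reqid shows up as `unique:<reqid>`; the networks and gateway addresses in it are placeholders chosen for this illustration, not the ones from the page. On a real system, pipe `setkey -DP` into `spd_reqid` instead of the sample.

```shell
#!/bin/sh
# Added example (not OPNsense code): verify that the manual SPD entry for the
# local network is bound to the expected reqid, and that the three BINAT
# networks are equally sized.

# CONSTRUCTED sample in the shape of `setkey -DP` on FreeBSD. Placeholder
# networks: 10.0.0.0/24 is the local (pre-NAT) network, 192.168.2.0/24 the
# remote network, 203.0.113.1/198.51.100.1 the two tunnel endpoints.
SAMPLE_SPD='10.0.0.0/24[any] 192.168.2.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique:100
    spid=1 seq=1 pid=100
    refcnt=1
192.168.2.0/24[any] 10.0.0.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique:100
    spid=2 seq=0 pid=100
    refcnt=1
'

# Read a setkey -DP dump on stdin and print the reqid of the policy whose
# selector is "$1 -> $2"; print nothing when no such policy exists.
spd_reqid() {
    awk -v src="$1" -v dst="$2" '
        # selector line: "src[any] dst[any] proto"
        $1 == (src "[any]") && $2 == (dst "[any]") { hit = 1; next }
        # the reqid is on the indented esp/tunnel line of that policy
        hit && /unique:/ { sub(/.*unique:/, ""); print; exit }
        # any other non-indented line starts a different policy
        /^[^ \t]/ { hit = 0 }
    '
}

# Prefix length of a CIDR string ("10.0.0.0/24" -> 24).
prefix_len() {
    printf '%s\n' "$1" | sed 's|.*/||'
}

# BINAT maps addresses one-for-one, so the external ($1), source ($2) and
# destination ($3) networks must have the same prefix length.
# Returns 0 when they match, 1 otherwise.
binat_sizes_ok() {
    [ "$(prefix_len "$1")" = "$(prefix_len "$2")" ] &&
    [ "$(prefix_len "$1")" = "$(prefix_len "$3")" ]
}

# Check the sample dump: prints "ok" when the policy "$1 -> $2" carries
# reqid $3, "missing" otherwise (no policy, or a different reqid).
check_manual_policy() {
    reqid=$(printf '%s' "$SAMPLE_SPD" | spd_reqid "$1" "$2")
    if [ "$reqid" = "$3" ]; then echo ok; else echo missing; fi
}

# Stand-alone run against the constructed sample.
check_manual_policy 10.0.0.0/24 192.168.2.0/24 100
binat_sizes_ok 192.168.1.0/24 10.0.0.0/24 192.168.2.0/24 && echo "binat sizes ok"
```

If `check_manual_policy` reports "missing" right after you saved the manual policy, reconnect the tunnel first: the policy is only installed by the updown event, so the dump does not change until the child comes up again.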