I, like many people, am setting up an L2TP/IPSEC VPN. Thus far, I have:
- Created the PPP user and address pool
- Created the IPSEC policy with generate policy 0.0.0.0/0
- Set up the L2TP server
- Added accept rules on the input chain for ports 500, 1701 and 4500, as well as protocols 50 and 51.
My routing is such that I have a local 10/16 address space on the internal LAN interface, a 192.168.224.0/24 on the DMZ, and my static IP space assigned by my ISP on the WAN interface. Obviously, source NAT is involved, and I just say “Source NAT anything going out the WAN interface to this address.”
When I test the service on the local interface, everything sets up and runs as expected, but using the WAN side and a client on the Internet, I see that we set up the IPSEC, and then L2TP says it never gets beyond SSRQ. I’m pretty certain NAT is getting in the way, as IPSEC occurs after NAT (it appears so, at least). That would explain why internal tests work – no NAT.
But how do I write a NAT rule that says “anything going out the WAN interface gets source NATed except IPSEC’d traffic,” because I don’t know the destination IP – it’s from the Internet and its policy is 0.0.0.0/0?
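The setup described above, written out as an added configuration example (this is not the poster's own configuration). It assumes the router is MikroTik RouterOS, which the terminology (input chain, generate policy, L2TP server, source NAT) suggests but the post does not state; the interface name ether1, the public address 203.0.113.10, the pool range, the user name and the secrets are constructed placeholders. The part the post asks about is the first srcnat rule: RouterOS has an `ipsec-policy` matcher, so traffic that an outgoing IPsec policy will encrypt can be accepted (left un-NATed) before the general source NAT rule, without needing to know the remote peer's address.

```routeros
# --- Address pool and PPP user for the L2TP clients (values constructed) ---
/ip pool
add name=l2tp-pool ranges=10.0.250.10-10.0.250.50

/ppp profile
add name=l2tp-profile local-address=10.0.250.1 remote-address=l2tp-pool

/ppp secret
add name=vpnuser password=CHANGE-ME service=l2tp profile=l2tp-profile

# --- L2TP server ---
# use-ipsec=yes makes RouterOS add a dynamic IPsec peer for 0.0.0.0/0 with
# generate-policy, which is the equivalent of the manually created policy
# described in the post; use either this or the manual peer, not both.
/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=CHANGE-ME-PSK default-profile=l2tp-profile

# --- Input chain: IKE, NAT-T, L2TP control, ESP and AH ---
/ip firewall filter
add chain=input protocol=udp dst-port=500,1701,4500 action=accept comment="IKE / NAT-T / L2TP"
add chain=input protocol=ipsec-esp action=accept comment="ESP (protocol 50)"
add chain=input protocol=ipsec-ah action=accept comment="AH (protocol 51)"

# --- Source NAT ---
# Rule order matters: the accept rule must sit ABOVE the src-nat rule.
# ipsec-policy=out,ipsec matches packets that will be handled by an outgoing
# IPsec policy, so they leave the srcnat chain untouched; everything else
# going out ether1 is still source NATed to the public address.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="Do not NAT traffic that IPsec will encrypt"
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=203.0.113.10 \
    comment="Source NAT everything else leaving the WAN"
```

To confirm the exclusion is doing its job, watch the counters on both srcnat rules while a client on the Internet connects (`/ip firewall nat print stats`): the accept rule's packet count should climb for the L2TP session while the src-nat rule's should not move for that traffic. If the router itself sits behind another NAT device, the same matcher is the one to use; the point is that the rule keys on the IPsec policy rather than on a destination address, so 0.0.0.0/0 policies are not a problem.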