Routing and NAT for IPsec tunnels
The firewall offers different types of routing and Network Address Translation (NAT) configurations for IPsec VPN.
Choose the configuration type based on your IPsec connection and the traffic you want to send through the tunnel.
Routing configurations
NAT rules don't change the firewall's routing decision. Even with NAT in place, the firewall still needs a route that sends traffic for the target destination into the tunnel.
You can specify the route using one of the following configurations:
- VPN routes: For policy-based IPsec connections, the firewall automatically creates these routes in the backend from the connection's local and remote subnets.
- Static, SD-WAN, and dynamic routes.
- The `ipsec_route` command on the CLI.
The routing precedence set on the CLI determines which type of route the firewall tries to match first, so a broader static route can take effect before a VPN route if static routes have higher precedence. See Routing.
NAT configurations
You can configure NAT using one of the following configurations:
- IPsec connections: The connection settings themselves include NAT options.
- NAT rules.
- The `sys-traffic-nat` command on the CLI: You must use this for system-generated traffic, that is, traffic the firewall itself originates, such as authentication requests and DHCP relay. NAT rules don't apply to this traffic.
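The console session below is an added example and isn't taken from the original page or from Sophos's own documentation. It puts the two CLI pieces listed above together for the case the page describes: a policy-based tunnel through which the firewall itself must reach an authentication server behind the remote peer. The tunnel name `HO_to_BO`, the server address `10.200.0.10`, and the local address `10.1.1.1` are constructed values. The command forms `system ipsec_route`, `system sys-traffic-nat` and `system route_precedence` are those of the SFOS console as I know them; they aren't shown on this page, so confirm them with the console's `?` help on your firmware version before use.

```console
# Constructed scenario: policy-based tunnel HO_to_BO allows local subnet
# 10.1.1.0/24 to remote subnet 10.200.0.0/24. The firewall (LAN address
# 10.1.1.1) must reach an authentication server at 10.200.0.10.

# 1. Routing: without this, system-generated traffic to 10.200.0.10 follows
#    the default route out the WAN instead of entering the tunnel.
console> system ipsec_route add host 10.200.0.10 tunnelname HO_to_BO
console> system ipsec_route show

# 2. NAT: firewall-originated packets would otherwise be sourced from an
#    interface address the tunnel policy doesn't cover and be dropped by
#    the peer. Source them from 10.1.1.1, which the policy permits.
#    UI NAT rules don't apply to this traffic; only sys-traffic-nat does.
console> system sys-traffic-nat add destination 10.200.0.10 snatip 10.1.1.1
console> system sys-traffic-nat show

# 3. Precedence check: if a static route also covers 10.200.0.0/16 and
#    static routes are matched before VPN routes, the tunnel route loses.
#    Inspect the order first; change it only if the static route must not win.
console> system route_precedence show
console> system route_precedence set vpn static sdwan_policyroute
```

Verify from the firewall with a ping or `tcpdump` on the `ipsec0` interface filtered on `host 10.200.0.10`: the packets should leave with source `10.1.1.1`, and the remote peer's logs should show them arriving through the tunnel rather than being rejected for an unmatched traffic selector.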
Use cases
Note
You must add both routing and NAT configurations to send the traffic shown in the table through an IPsec tunnel.
See the following table for the type of routing and NAT configurations you must add:
| Traffic | Route-based VPN (any to any subnets) | Policy-based VPN |
|---|---|---|
| Traffic to a host through an existing IPsec tunnel | | |
| System-generated traffic: Authentication | | |
| System-generated traffic: DHCP relay | Currently, the firewall doesn't send DHCP relay information through route-based VPNs. | See DHCP server behind HO firewall and BO firewall as relay agent. |
| Same subnets on the local and remote firewalls | | |