Routing and NAT for IPsec tunnels

The firewall offers different types of routing and Network Address Translation (NAT) configurations for IPsec VPN.

Choose the configuration type based on your IPsec connection and the traffic you want to send through the tunnel.

Routing configurations

NAT rules don't change the firewall's routing decision. A NAT rule on its own never puts traffic into a tunnel: the firewall still needs a route to the destination (the translated destination, if a DNAT rule applies).

You can specify the route using one of the following configurations:

  • VPN routes: The firewall automatically creates these routes at the backend for policy-based IPsec connections.
  • Static, SD-WAN, and dynamic routes.
  • The ipsec_route command on the CLI.

The routing precedence set on the CLI determines the type of route the firewall tries to match first. See Routing.

NAT configurations

You can configure NAT using one of the following configurations:

  • IPsec connections: These include NAT settings.
  • NAT rules.
  • The sys-traffic-nat command on the CLI: You must use this for system-generated traffic, that is, traffic the firewall itself originates, such as authentication queries and DHCP relay.

Use cases

Note

You must add both a routing and a NAT configuration to send the traffic listed in the use cases below through an IPsec tunnel. Adding only one of the two isn't enough.

The following use cases list the routing and NAT configurations you must add. For each use case, the first list applies to route-based VPN (any-to-any subnets) and the second to policy-based VPN.

Traffic to a host through an existing IPsec tunnel

  Route-based VPN:
  1. Static, SD-WAN, or dynamic route
  2. DNAT rule and an optional SNAT (MASQ) rule
  See Send remote network's traffic through existing IPsec tunnel to specific hosts.

  Policy-based VPN:
  1. ipsec_route command
  2. DNAT rule
  See Use NAT rules in an existing IPsec tunnel to connect a remote network.

System-generated traffic: Authentication

  Route-based VPN:
  1. SD-WAN route with Source networks set to Any
  2. sys-traffic-nat command
  See Route authentication queries.

  Policy-based VPN:
  1. ipsec_route command
  2. sys-traffic-nat command
  See Route authentication queries.

System-generated traffic: DHCP relay

  Route-based VPN:
  Currently, the firewall doesn't send DHCP relay information through route-based VPNs.

  Policy-based VPN:
  1. ipsec_route command
  2. sys-traffic-nat command
  See HO firewall as DHCP server and BO firewall as relay agent.
  See Send DHCP traffic over policy-based IPsec VPN to servers.

Same subnets on the local and remote firewalls

  Route-based VPN:
  1. Static, SD-WAN, or dynamic route
  2. DNAT rule and SNAT rule
  See NAT with route-based IPsec when local and remote subnets are the same.

  Policy-based VPN:
  1. VPN route at the backend
  2. NAT setting in the IPsec configuration
  See NAT with policy-based IPsec when local and remote subnets are the same.
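The following model is an added example, not Sophos code and not from this page. It illustrates two points above with working code: that a NAT rule alone never puts a packet into a tunnel because the route lookup is a separate step, and how the route-based "same subnets on both sides" case works when each site presents its LAN to the other under a translated subnet. Everything in it is an assumption made for the illustration: that DNAT is applied before the route lookup and SNAT after it, that the route lookup walks route types in a configurable precedence order and takes the longest prefix within a type, the interface names "xfrm1" and "LAN", the translated subnets 10.10.1.0/24 and 10.10.2.0/24, and all host addresses.

```python
"""Constructed model of a route lookup combined with DNAT/SNAT for IPsec traffic.

Added illustration, not Sophos code. Assumptions (not stated on the page):
DNAT runs before the route lookup and SNAT after it; route types are tried in
a configurable precedence order, longest prefix within a type; the names
"xfrm1" and "LAN", the 10.10.x.0/24 subnets and all hosts are invented.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    kind: str                 # "static", "sdwan" or "vpn"
    prefix: IPv4Network
    via: str                  # egress interface, e.g. the xfrm tunnel interface


@dataclass
class NatRule:
    original: IPv4Network
    translated: IPv4Network   # same size as original: 1:1 mapping keeps host bits
    egress: Optional[str] = None  # SNAT only when the packet leaves via this interface


def map_1to1(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Translate addr from network src into network dst, preserving the host bits."""
    return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))


@dataclass
class Firewall:
    name: str
    routes: list
    dnat: list
    snat: list
    precedence: tuple = ("static", "sdwan", "vpn")   # assumed order; configurable

    def lookup_route(self, dst: IPv4Address):
        """The first route type in precedence order with a matching prefix wins."""
        for kind in self.precedence:
            hits = [r for r in self.routes if r.kind == kind and dst in r.prefix]
            if hits:
                return max(hits, key=lambda r: r.prefix.prefixlen)
        return None

    def forward(self, src: str, dst: str) -> dict:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # 1. DNAT rewrites the destination before the routing decision ...
        for rule in self.dnat:
            if dst_ip in rule.original:
                dst_ip = map_1to1(dst_ip, rule.original, rule.translated)
                break
        # 2. ... so the route must cover the translated destination. Without a
        #    matching route the packet is dropped, whatever NAT rules exist.
        route = self.lookup_route(dst_ip)
        if route is None:
            return {"action": "drop", "reason": f"{self.name}: no route to {dst_ip}"}
        # 3. SNAT on egress (MASQ or the overlapping-subnet translation).
        for rule in self.snat:
            if src_ip in rule.original and rule.egress in (None, route.via):
                src_ip = map_1to1(src_ip, rule.original, rule.translated)
                break
        return {"action": "forward", "via": route.via, "route": route.kind,
                "src": str(src_ip), "dst": str(dst_ip)}


def build_overlapping_sites():
    """Route-based VPN with the same LAN (192.168.1.0/24) at both sites.
    HO presents its LAN as 10.10.1.0/24, BO presents its LAN as 10.10.2.0/24."""
    lan = ip_network("192.168.1.0/24")
    ho_fake, bo_fake = ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")
    ho = Firewall("HO",
                  routes=[Route("static", lan, "LAN"), Route("static", bo_fake, "xfrm1")],
                  dnat=[NatRule(ho_fake, lan)],                  # tunnel -> LAN: undo the fake address
                  snat=[NatRule(lan, ho_fake, egress="xfrm1")])  # LAN -> tunnel: hide the real address
    bo = Firewall("BO",
                  routes=[Route("static", lan, "LAN"), Route("static", ho_fake, "xfrm1")],
                  dnat=[NatRule(bo_fake, lan)],
                  snat=[NatRule(lan, bo_fake, egress="xfrm1")])
    return ho, bo


def end_to_end(sender: Firewall, receiver: Firewall, src: str, dst: str) -> dict:
    """Push one packet through the sending firewall, the tunnel and the receiving firewall."""
    first = sender.forward(src, dst)
    if first["action"] != "forward" or first["via"] != "xfrm1":
        return first
    return receiver.forward(first["src"], first["dst"])


if __name__ == "__main__":
    ho, bo = build_overlapping_sites()
    print(end_to_end(ho, bo, "192.168.1.5", "10.10.2.7"))
    ho.routes = [r for r in ho.routes if r.via != "xfrm1"]   # keep the NAT rules, drop the route
    print(end_to_end(ho, bo, "192.168.1.5", "10.10.2.7"))
```

A HO host at 192.168.1.5 reaches the BO host 192.168.1.7 by sending to 10.10.2.7: HO routes it into xfrm1 and SNATs the source to 10.10.1.5, BO DNATs the destination back to 192.168.1.7 and routes it to its LAN. Removing HO's route to 10.10.2.0/24 while keeping both NAT rules produces a drop, which is the failure you see when only the NAT half of a use case above is configured. Changing the precedence tuple changes which route type is consulted first, as the CLI precedence setting does.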