Hi all,
This particular config is bothering me a lot.
set security policies from-zone untrust to-zone DMZ policy test-in match source-address x.x.242.48/32
set security policies from-zone untrust to-zone DMZ policy test-in match destination-address 172.30.136.2/32
set security policies from-zone untrust to-zone DMZ policy test-in match application any
set security policies from-zone untrust to-zone DMZ policy test-in then permit tunnel ipsec-vpn test
set security nat destination pool test-ser address 192.168.150.160/32
set security nat destination rule-set test-vpn from zone untrust
set security nat destination rule-set test-vpn rule test-vpn match source-address x.x.242.48/32
set security nat destination rule-set test-vpn rule test-vpn match destination-address 172.30.136.2/32
set security nat destination rule-set test-vpn rule test-vpn then destination-nat pool test-ser
set security ike proposal pre-g2-3des-sha1-test description pre-g2-3des-sha1-test
set security ike proposal pre-g2-3des-sha1-test authentication-method pre-shared-keys
set security ike proposal pre-g2-3des-sha1-test dh-group group2
set security ike proposal pre-g2-3des-sha1-test authentication-algorithm sha1
set security ike proposal pre-g2-3des-sha1-test encryption-algorithm 3des-cbc
set security ike proposal pre-g2-3des-sha1-test lifetime-seconds 86400
set security ike policy test mode main
set security ike policy test proposals pre-g2-3des-sha1-test
set security ike policy test pre-shared-key ascii-text "shared key"
set security ike gateway test ike-policy test
set security ike gateway test address xx.xx.xx.1xx
set security ike gateway test external-interface reth1
set security ipsec proposal g2-esp-3des-sha1-test description g2-esp-3des-sha1-test
set security ipsec proposal g2-esp-3des-sha1-test protocol esp
set security ipsec proposal g2-esp-3des-sha1-test authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-3des-sha1-test encryption-algorithm 3des-cbc
set security ipsec proposal g2-esp-3des-sha1-test lifetime-seconds 3600
set security ipsec policy test proposals g2-esp-3des-sha1-test
set security ipsec vpn test ike gateway test
set security ipsec vpn test ike ipsec-policy test
I know that when VPN traffic arrives on the peer, it will match with the SPI,
which in turn tells the algorithm to decrypt,
and then you have the decrypted packet.
But this particular config is working. The IPsec config and policy make sense to me, but that DNAT, I'm not able to understand the flow of it.
In policy-based VPN, the reverse flow will decrypt and will use the security policy associated with the IPsec VPN to allow or deny the traffic. If you can see, it has the NATted IP in the security policy, whereas it is doing DNAT to a real IP...
Can anyone connect the dots for me? I'm not able to grasp the bigger picture here.
Thanks a lot
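As an added example (not from the post and not Juniper's code), a small Python script that parses the posted set statements and follows the references being asked about: from the tunnel policy to the VPN, gateway, IKE policy and proposals, and from the DNAT rule to its pool. It also flags the legacy algorithms the proposals use (3DES, SHA-1, DH group 2). Only the relevant statements are embedded, with the addresses as the poster masked them.

```python
import shlex
# Constructed input: the relevant subset of the poster's configuration (addresses as posted).
CONFIG = """
set security policies from-zone untrust to-zone DMZ policy test-in match destination-address 172.30.136.2/32
set security policies from-zone untrust to-zone DMZ policy test-in then permit tunnel ipsec-vpn test
set security nat destination pool test-ser address 192.168.150.160/32
set security nat destination rule-set test-vpn rule test-vpn match destination-address 172.30.136.2/32
set security nat destination rule-set test-vpn rule test-vpn then destination-nat pool test-ser
set security ike proposal pre-g2-3des-sha1-test dh-group group2
set security ike proposal pre-g2-3des-sha1-test authentication-algorithm sha1
set security ike proposal pre-g2-3des-sha1-test encryption-algorithm 3des-cbc
set security ike policy test proposals pre-g2-3des-sha1-test
set security ike gateway test ike-policy test
set security ipsec proposal g2-esp-3des-sha1-test authentication-algorithm hmac-sha1-96
set security ipsec proposal g2-esp-3des-sha1-test encryption-algorithm 3des-cbc
set security ipsec policy test proposals g2-esp-3des-sha1-test
set security ipsec vpn test ike gateway test
set security ipsec vpn test ike ipsec-policy test
"""
LEGACY = {"des-cbc", "3des-cbc", "md5", "sha1", "hmac-md5-96", "hmac-sha1-96", "group1", "group2", "group5"}

def parse(text):
    """Each 'set ...' line becomes a tuple of tokens with the leading 'set' dropped (shlex keeps quoted values whole)."""
    return [tuple(shlex.split(line)[1:]) for line in text.splitlines() if line.startswith("set ")]

def value(cfg, *prefix):
    """Token that follows `prefix` in the first statement starting with it; None if the reference is dangling."""
    return next((s[len(prefix)] for s in cfg if s[:len(prefix)] == prefix and len(s) > len(prefix)), None)

def vpn_chain(cfg, from_zone, to_zone, policy):
    """Follow references: tunnel policy -> vpn -> gateway / ipsec-policy -> ike-policy -> proposals."""
    vpn = value(cfg, "security", "policies", "from-zone", from_zone, "to-zone", to_zone,
                "policy", policy, "then", "permit", "tunnel", "ipsec-vpn")
    gw = value(cfg, "security", "ipsec", "vpn", vpn, "ike", "gateway")
    ipsec_pol = value(cfg, "security", "ipsec", "vpn", vpn, "ike", "ipsec-policy")
    ike_pol = value(cfg, "security", "ike", "gateway", gw, "ike-policy")
    return {"vpn": vpn, "gateway": gw, "ike-policy": ike_pol, "ipsec-policy": ipsec_pol,
            "ike-proposal": value(cfg, "security", "ike", "policy", ike_pol, "proposals"),
            "ipsec-proposal": value(cfg, "security", "ipsec", "policy", ipsec_pol, "proposals")}

def dnat_mapping(cfg, rule_set, rule):
    """(destination the DNAT rule matches on, address its pool translates that destination to)."""
    base = ("security", "nat", "destination", "rule-set", rule_set, "rule", rule)
    pool = value(cfg, *base, "then", "destination-nat", "pool")
    return (value(cfg, *base, "match", "destination-address"),
            value(cfg, "security", "nat", "destination", "pool", pool, "address"))

def legacy_algorithms(cfg, family, proposal):
    """(setting, algorithm) pairs in an ike/ipsec proposal that use a legacy algorithm, sorted by setting name."""
    return sorted((s[-2], s[-1]) for s in cfg if s[:4] == ("security", family, "proposal", proposal) and s[-1] in LEGACY)
```

Because `value` returns None for a name that nothing defines, a typo in any of the referenced names shows up as a None in the chain.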