
SNAT over IPSec --> No traffic through IPSec Tunnel

Hello everyone,

I have a question regarding SNAT over an IPSec Tunnel. We have the following configuration:

Local subnet:

10.248.178.xxx/32 --> NAT: all our communication has to go through this IP.

Remote subnet:

195.200.xxx.1/24

The tunnel initiates and the SAs are online.

It's working if I do a 1:1 NAT.

But we have to do the following:

All our networks (not just one) must use an IP of the local subnet if they want to communicate with the remote subnet. We've built a firewall rule with masquerading (e.g. used IP = 10.248.178.xxx).

This does not seem to work. The traceroute is telling us the packets won't go through the tunnel, but the route lookup is recognising that the IP we are trying to communicate with is behind an IPsec tunnel.


Can you help me with finding a solution to this problem?



  • The way to get it to work is the following.

    In the IPsec tunnel under VPN, remove all NAT settings; just add it as a normal tunnel without NAT.

    Log in to the CLI of the firewall, select option 4 and add an IPsec route entry for the network you would like to access:

    system ipsec_route add net 195.200.xxx.0/255.255.255.0 tunnelname "the name of the tunnel"

    (Remove the quotes when using the command.)

    Add a firewall rule that uses NAT with that IP address and have all the networks that should go into that tunnel in the rule.

    //Rickard
