What are the correct IPsec settings to work with a particular NAT

Dear Forum,
I've got L2TP/IPsec set up, which enables me to connect to my LAN from outside. My gateway IP is 192.168.1.1; however, when I try to connect to the WAN (through port 80) it loops back to the internal address 192.168.1.214:80 due to the NAT settings redirecting to the web server.

I wonder what a better setup would be that enables me to connect to the WAN correctly without shutting down the NAT.

Could someone shed some light on this? Thanks.

One concise page I quickly found is

http://www.internet-computer-security.com/VPN-Guide/NAT-T.html

If I understand properly the problem is that when you are connecting remotely to your home router (let's call it that way) and you try to open the web page of the router on port 80, you are redirected to some other host in the LAN due to some DNAT rule.
Is that correct so far?

Precisely!

Thanks for the hint; I had a read of the article. It seems NAT-T has to be set for my purpose. However, flipping through the StrongSwan manual, NAT-T is automatically set; it is not configurable. Checking my firewall configuration:

    config rule 'ipsec_nat_traversal'
        option src 'wan'
        option name 'IPSec NAT-T'
        option proto 'udp'
        option dest_port '4500'
        option target 'ACCEPT'

It also seems enabled.

Are there any more detailed instructions regarding this?

Does it work if you try to connect on the LAN IP address of the router?

Yes, it works. I can reach the router via the local IP address 192.168.1.1, but it was then redirected to my web server 192.168.1.214:443 due to the existing NAT.

So basically it is not working as you'd wish :grin:
Try the following:
In the DNAT rule, configure src_dip (in LuCI it is named "External IP Address") with the IP of the WAN interface. This is usually empty, so DNAT is applied to all the interfaces of the WAN zone. With this modification I hope it won't apply when you hit the LAN IP address, even though you come from the WAN zone.


Hi trendy, it worked! The only remaining question is that I don't have a public IP (using DDNS). Do I have to manually change this IP address from time to time?

That would be one not so convenient solution. You could set up a script to automatically update the renewed WAN IP in the DNAT rule.
I don't know if you can assign the IPsec to an interface that will belong to the LAN firewall zone.
If not, give WireGuard or OpenVPN a try, which can be assigned to the LAN firewall zone.
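A small script for the update approach mentioned above, added here as an example and not taken from the thread or from OpenWrt itself. It assumes (hypothetically) that the redirect section in /etc/config/firewall is named 'webserver' and the WAN logical interface is 'wan'; it is meant to be run from cron on the router.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the src_dip ("External IP Address")
# of an OpenWrt DNAT redirect equal to the current WAN address, so the redirect
# only matches traffic aimed at the public IP and a VPN client can still reach
# the router itself on 192.168.1.1.
# Hypothetical names: redirect section 'webserver', logical interface 'wan'.

RULE="${RULE:-webserver}"
IFACE="${IFACE:-wan}"

# Accept only a plausible dotted-quad IPv4 before writing it into the config.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F'[.]' '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }'
}

# True when the stored value differs from the freshly detected address.
needs_update() {
    [ "$1" != "$2" ]
}

# Build the uci commands for the update; kept separate so they can be
# inspected without touching a live router.
uci_update_cmds() {
    printf "uci set firewall.%s.src_dip='%s'\n" "$1" "$2"
    printf 'uci commit firewall\n'
    printf '/etc/init.d/firewall reload\n'
}

# Current WAN IPv4 via the OpenWrt network helper functions.
wan_ip() {
    . /lib/functions/network.sh || return 1
    network_get_ipaddr ip "$IFACE" || return 1
    printf '%s\n' "$ip"
}

main() {
    ip=$(wan_ip) || { echo "cannot determine WAN IP of $IFACE" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "unexpected address: $ip" >&2; return 1; }
    cur=$(uci -q get "firewall.$RULE.src_dip" 2>/dev/null) || cur=""
    needs_update "$cur" "$ip" || return 0     # nothing to do
    logger -t dnat-sync "updating $RULE src_dip '$cur' -> '$ip'"
    uci_update_cmds "$RULE" "$ip" | sh
}

# Only act on a real OpenWrt box; elsewhere the functions are just defined.
if command -v uci >/dev/null 2>&1; then
    main
fi
```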

Seems a bit annoying, but I can settle for this for now. Thanks again for the great help.

Just an idea. If your packets come from a specific IP or IP range, you could add a firewall rule in the prerouting_wan_rule chain with target "ACCEPT" in order to stop further traversal of the packet in the same table.

