The customer has two USG6310 firewalls and wants to configure a site-to-site IPSec tunnel so that the branch can communicate with the HQ.
The topology is as below:
They used the default IPSec parameters and could see that the session had been established between the two firewalls.
Then they used PC1 to ping the server, and the ping showed request timed out.
First we checked the IPSec SA and the IKE SA; on the branch firewall they showed as below:
From the IPSec SA we can see that the branch data have been encrypted and sent out, but no data come back.
We used PC1 to ping the server; on the branch firewall we can see both the ESP session and the ICMP session.
Then we checked the HQ firewall session table and found that there is no ICMP session and the ESP session is abnormal.
The ESP session shows that the destination IP has been translated to an internal server IP.
After the customer deleted the NAT-Server configuration, the IPSec service worked normally.
The customer had used the interface IP that is used to establish the IPSec session to configure NAT-Server, so when the IPSec data arrived from the peer device it was forwarded to the internal server.
When you configure IPSec, you can't use the interface IP to configure NAT-Server; it will cause the IPSec service to fail.
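The failure above comes down to processing order: a NAT-Server mapping bound to the tunnel endpoint address rewrites inbound packets before the local IPSec stack ever sees them, so ESP (IP protocol 50) destined for the firewall is pushed to the internal host instead. The Python model below is an added example, not code from the case or from the USG product; addresses, rule names and the rule structure are constructed, and the only behaviour taken from the page is that NAT-Server is applied ahead of IPSec termination. It also goes one step beyond the case by flagging IKE (UDP 500/4500) mappings and by offering a configuration audit that catches the conflict before a tunnel is brought up.

```python
"""Model of a NAT-Server (static destination NAT) rule capturing IPSec
traffic addressed to the firewall's own tunnel endpoint.

Constructed example: addresses use documentation ranges, rule names are
hypothetical, and the rule structure is this model's own, not a vendor CLI.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

IPPROTO_ICMP = 1
IPPROTO_UDP = 17
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IKE_PORTS = (500, 4500)  # IKE and NAT-T


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None  # transport port; None for ESP and ICMP


@dataclass(frozen=True)
class NatServerRule:
    """Static destination NAT. proto/global_port of None means the rule
    maps the whole public address, every protocol included (assumed to be
    what the customer had configured)."""
    name: str
    global_ip: str
    inside_ip: str
    proto: Optional[int] = None
    global_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst != self.global_ip:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.global_port is not None and pkt.dport != self.global_port:
            return False
        return True


def inbound_lookup(pkt: Packet, rules: Sequence[NatServerRule],
                   ipsec_local_ip: str) -> Tuple[str, str]:
    """Return (action, destination after NAT) for an inbound packet.

    NAT-Server is evaluated before the packet is handed to the local IPSec
    stack; that ordering is what the HQ session table in the case showed,
    since the ESP session's destination had already been rewritten."""
    for rule in rules:
        if rule.matches(pkt):
            return "nat-server:" + rule.name, rule.inside_ip
    is_ike = pkt.proto == IPPROTO_UDP and pkt.dport in IKE_PORTS
    if pkt.dst == ipsec_local_ip and (pkt.proto == IPPROTO_ESP or is_ike):
        return "ipsec-local", pkt.dst
    return "forward", pkt.dst


def audit_nat_server(rules: Sequence[NatServerRule],
                     ipsec_local_ips: Set[str]) -> List[str]:
    """Configuration check: list NAT-Server rules whose global address is an
    IPSec endpoint and whose match scope would swallow ESP or IKE."""
    findings = []
    for r in rules:
        if r.global_ip not in ipsec_local_ips:
            continue
        if r.proto is None:
            findings.append(f"{r.name}: maps the whole IPSec endpoint "
                            f"{r.global_ip}; ESP and IKE go to {r.inside_ip}")
        elif r.proto == IPPROTO_ESP:
            findings.append(f"{r.name}: maps ESP on {r.global_ip} to {r.inside_ip}")
        elif r.proto == IPPROTO_UDP and (r.global_port is None
                                         or r.global_port in IKE_PORTS):
            findings.append(f"{r.name}: maps IKE on {r.global_ip} to {r.inside_ip}")
    return findings


# Constructed topology: HQ WAN address is the IPSec endpoint.
HQ_WAN_IP = "203.0.113.10"
BRANCH_WAN_IP = "198.51.100.5"
HQ_SERVER_IP = "10.1.1.20"

# What the customer had: whole-address NAT-Server on the tunnel endpoint.
BAD_RULE = NatServerRule("srv-all", HQ_WAN_IP, HQ_SERVER_IP)
# A mapping that leaves the tunnel alone: a separate public address.
FIXED_RULE = NatServerRule("srv-all", "203.0.113.11", HQ_SERVER_IP)

ESP_FROM_BRANCH = Packet(IPPROTO_ESP, BRANCH_WAN_IP, HQ_WAN_IP)


def demo() -> Tuple[Tuple[str, str], Tuple[str, str], List[str], List[str]]:
    """Run the two configurations side by side."""
    broken = inbound_lookup(ESP_FROM_BRANCH, [BAD_RULE], HQ_WAN_IP)
    fixed = inbound_lookup(ESP_FROM_BRANCH, [FIXED_RULE], HQ_WAN_IP)
    return (broken, fixed,
            audit_nat_server([BAD_RULE], {HQ_WAN_IP}),
            audit_nat_server([FIXED_RULE], {HQ_WAN_IP}))


if __name__ == "__main__":
    for label, result in zip(("broken", "fixed", "audit bad", "audit fixed"), demo()):
        print(f"{label}: {result}")
```

With the customer's configuration the ESP packet from the branch is reported as `nat-server:srv-all` with destination 10.1.1.20, which is exactly the abnormal ESP session seen on the HQ firewall; with the mapping moved to a separate public address the same packet reaches `ipsec-local`. The audit function is the check worth running before enabling IPSec on an interface that already carries NAT-Server mappings.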