Overview
When setting up access to an IPSec VPN network from a VLAN port, you may need to NAT the traffic. In such a scenario, the remote side accepts the traffic from a non-standard port. With "Packets dropped for some reason" enabled, the Debug log may show the following line:
{pktdrop} packet dropped: cannot perform NAT, desired interface is down (from VLAN 2 - WLAN Company, proto:ICMP, len:60, 10.10.2.29 -> 172.26.X.X, type:8 code:0 id:1 seq:229 ttl:128)
When accessing the remote network from the regular LAN port, the connection is established successfully.
This article provides information on how to configure Kerio Control traffic rules for such an environment.
Solution
Since VLAN2 is connected to port 3 and not to port 1 (LAN247 interface), it's necessary to create 2 traffic rules.
In Kerio Control administration, create 2 separate traffic rules with the following content:
Rule 1:
Source: Port3 - WLAN UBIQITI
Destination: LAN247
Service: Any
IP version: Any
Action: Allow
Translation: <blank>

Rule 2:
Source: VLAN 2 - WLAN Company, 10.10.2.0/24
Destination: VNet1toSite1
Service: Any
IP version: Any
Action: Allow
Translation: NAT (LAN247)
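
To see which interfaces and hosts hit the drop quoted in the Overview, before and after adding the rules, the Debug log can be summarized with a short script. This is an added example, not part of Kerio Control or the original article; the field layout is inferred from the single log line shown above, and every sample line other than that one is constructed.

```python
import re
from collections import Counter

# Field layout inferred from the one debug line quoted in the article;
# other Kerio Control log shapes are not covered (assumption).
PKTDROP = re.compile(
    r"\{pktdrop\} packet dropped: (?P<reason>.+?) "
    r"\(from (?P<iface>.+?), proto:(?P<proto>\w+), len:\d+, "
    r"(?P<src>\S+) -> (?P<dst>[^,\s]+)"
)
NAT_DOWN = "cannot perform NAT, desired interface is down"


def parse_drop(line):
    """Return the fields of a {pktdrop} line as a dict, or None if no match."""
    m = PKTDROP.search(line)
    return m.groupdict() if m else None


def nat_drops(lines):
    """Count NAT-failure drops per (source interface, source address)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec and rec["reason"] == NAT_DOWN:
            counts[(rec["iface"], rec["src"])] += 1
    return counts


SAMPLE_LOG = [
    # Line quoted in the article, unchanged (destination is redacted there).
    "{pktdrop} packet dropped: cannot perform NAT, desired interface is down "
    "(from VLAN 2 - WLAN Company, proto:ICMP, len:60, 10.10.2.29 -> 172.26.X.X, "
    "type:8 code:0 id:1 seq:229 ttl:128)",
    # Constructed: the next echo request from the same host.
    "{pktdrop} packet dropped: cannot perform NAT, desired interface is down "
    "(from VLAN 2 - WLAN Company, proto:ICMP, len:60, 10.10.2.29 -> 172.26.X.X, "
    "type:8 code:0 id:1 seq:230 ttl:128)",
    # Constructed: a drop with a placeholder reason, which must not be counted.
    "{pktdrop} packet dropped: constructed other reason "
    "(from Port3 - WLAN UBIQITI, proto:ICMP, len:60, 192.0.2.10 -> 192.0.2.20, "
    "type:8 code:0 id:1 seq:1 ttl:128)",
    # Constructed: a line that is not a packet drop at all.
    "{conn} constructed unrelated line",
]

if __name__ == "__main__":
    for (iface, src), n in nat_drops(SAMPLE_LOG).items():
        print(f"{n} NAT drops from {src} on {iface}")
```

Once both traffic rules are in place, new pings from the VLAN should no longer add to the count for that interface.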