A packet capture shows the packets being SNAT'd and leaving the Edge unencrypted instead of entering the IPsec VPN tunnel.
When a packet matches both a VPN (encrypt) rule and an SNAT rule, the VPN rule must take precedence and SNAT must not be applied. However, when the Edge firewall is disabled, SNAT is applied, the VPN encrypt rule is never matched, and the traffic is routed as plain unencrypted traffic.
VMware NSX
VPN encrypt rules are realized as firewall rules on the NSX Edge. When a packet matches a NAT rule and the firewall is disabled, no further firewall rule lookup is performed, so the VPN encrypt rule lookup is skipped and the packet is forwarded as NAT'd, unencrypted traffic.
This issue is resolved in VMware NSX 9.0.2.0.
Workaround:
Configure an additional NO-SNAT rule for the VPN inner subnets (the local networks behind the Edge that are protected by the VPN, with the remote VPN subnets as destination) and give it a higher priority (lower sequence number) than the SNAT rule, so that VPN-bound traffic is excluded from SNAT before the SNAT rule is evaluated.
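As an added example (not VMware's code and not an NSX tool), the following Python models the workaround: given the NAT rules already on a gateway and the local/remote subnet pairs of the VPN, it finds every SNAT rule that would translate VPN traffic, generates a NO_SNAT rule for each VPN inner subnet with a lower sequence_number than that SNAT rule, and simulates NAT rule evaluation (ascending sequence_number, first match wins) to confirm the VPN traffic is now excluded while Internet-bound traffic is still SNAT'd. The rule set, subnets, gateway id and rule ids are constructed for the example; the Policy API path is the NSX Policy NAT rule endpoint, filled in with those hypothetical ids.

```python
"""Generate NO_SNAT rules that exclude VPN inner subnets from an existing SNAT rule.

Added example, not VMware's code. NSX evaluates NAT rules in ascending
sequence_number order (lowest number = highest priority), so the NO_SNAT
rule must carry a lower sequence_number than the SNAT rule it overrides.
"""
import ipaddress
import json

# Constructed sample: NAT rules already on the gateway, in the shape of
# GET /policy/api/v1/infra/tier-1s/<gw>/nat/USER/nat-rules (trimmed fields).
EXISTING_NAT_RULES = [
    {"id": "snat-lan-to-internet", "action": "SNAT",
     "source_network": "10.10.0.0/16", "destination_network": None,
     "translated_network": "203.0.113.10", "sequence_number": 100},
    {"id": "dnat-web", "action": "DNAT",
     "source_network": None, "destination_network": "203.0.113.20",
     "translated_network": "10.10.5.20", "sequence_number": 50},
]

# Constructed sample: (local, remote) subnet pairs of the policy-based IPsec
# session, i.e. the "VPN inner subnets" the workaround refers to.
VPN_INNER_SUBNETS = [
    ("10.10.1.0/24", "192.168.50.0/24"),
    ("10.10.2.0/24", "192.168.50.0/24"),
]

# Hypothetical gateway id used only to build the API path.
GATEWAY_PATH = "tier-1s/t1-gw01"


def _covers(rule_net, subnet):
    """True if rule_net (None means 'any') contains the whole subnet."""
    if rule_net is None:
        return True
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(rule_net))


def _matches_packet(rule, src, dst):
    """True if a single packet src->dst falls under the rule's match fields."""
    s_ok = rule["source_network"] is None or \
        ipaddress.ip_address(src) in ipaddress.ip_network(rule["source_network"])
    d_ok = rule["destination_network"] is None or \
        ipaddress.ip_address(dst) in ipaddress.ip_network(rule["destination_network"])
    return s_ok and d_ok


def snat_rules_hitting(rules, local, remote):
    """SNAT rules that would translate traffic from local subnet to remote subnet."""
    return [r for r in rules if r["action"] == "SNAT"
            and _covers(r["source_network"], local)
            and _covers(r["destination_network"], remote)]


def build_no_snat_rules(rules, vpn_subnets, gap=10):
    """Return NO_SNAT rule bodies for every VPN subnet an SNAT rule would hit.

    Each NO_SNAT rule gets a sequence_number `gap` below the lowest matching
    SNAT rule so that it is evaluated first and wins.
    """
    out = []
    for local, remote in vpn_subnets:
        hits = snat_rules_hitting(rules, local, remote)
        if not hits:
            continue  # no SNAT rule covers this VPN subnet; nothing to add
        seq = min(r["sequence_number"] for r in hits) - gap
        if seq < 0:
            # The SNAT rule sits at the top of the range; it has to be renumbered
            # before a higher-priority NO_SNAT rule can be placed in front of it.
            raise ValueError(f"no room above SNAT rule(s) {[r['id'] for r in hits]}")
        rule_id = "no-snat-vpn-" + local.replace("/", "-").replace(".", "-")
        out.append({"id": rule_id, "action": "NO_SNAT",
                    "source_network": local, "destination_network": remote,
                    "sequence_number": seq, "enabled": True})
    return out


def first_match(rules, src, dst):
    """Simulate NAT lookup: lowest sequence_number rule matching the packet, or None."""
    for rule in sorted(rules, key=lambda r: r["sequence_number"]):
        if _matches_packet(rule, src, dst):
            return rule
    return None


def policy_api_patch(gateway_path, rule):
    """Path and JSON body for PATCH /policy/api/v1/infra/<gw>/nat/USER/nat-rules/<id>."""
    path = f"/policy/api/v1/infra/{gateway_path}/nat/USER/nat-rules/{rule['id']}"
    return path, json.dumps({k: v for k, v in rule.items() if k != "id"})


if __name__ == "__main__":
    fixes = build_no_snat_rules(EXISTING_NAT_RULES, VPN_INNER_SUBNETS)
    for rule in fixes:
        path, body = policy_api_patch(GATEWAY_PATH, rule)
        print("PATCH", path)
        print("  ", body)
    merged = EXISTING_NAT_RULES + fixes
    print("VPN packet ->", first_match(merged, "10.10.1.5", "192.168.50.7")["action"])
    print("Internet packet ->", first_match(merged, "10.10.1.5", "198.51.100.1")["action"])
```

Before the NO_SNAT rules are added, `first_match` returns the SNAT rule for a VPN-bound packet, which is exactly the misbehaviour in the capture; after they are added it returns NO_SNAT for VPN-bound traffic and still returns SNAT for Internet-bound traffic from the same host. If the script raises because the SNAT rule already has the lowest possible sequence_number, renumber the SNAT rule first.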