EdgeRouter - Site-to-Site IPsec VPN with Many-to-Many Source NAT
Overview
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN while also translating the traffic using Many-to-Many Source NAT.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring a Policy-Based VPN with Many-to-Many Source NAT
- Related Articles
Frequently Asked Questions (FAQ)
1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
2. What are the available encryption and hashing options for IKE and ESP?
Encryption
Hashing
3. What Site-to-Site VPN types are compatible with Many-to-Many NAT?
Policy-Based, Route-Based and GRE over IPsec Site-to-Site VPNs are compatible with Many-to-Many NAT.
Configuring a Policy-Based VPN with Many-to-Many Source NAT
The 192.168.1.0/24 subnet on both routers is translated to the 10.0.1.0/24 and 172.16.1.0/24 ranges using Source NAT.
In this example both EdgeRouters use 192.168.1.0/24 as their LAN range. Overlapping subnets are a problem when a Site-to-Site VPN is also needed between the sites: a host cannot route to a remote address that is also local to it. Source and Destination NAT are used to translate the internal network to distinct IP address ranges over the VPN (10.0.1.0/24 on one side, 172.16.1.0/24 on the other), so the tunnel selectors never carry 192.168.1.0/24.
There are four NAT address types, which can be viewed in the NAT translation table:
- Pre-NAT source: the local IP address before NAT translation.
- Post-NAT source: the local IP address after NAT translation.
- Pre-NAT destination: the remote IP address before NAT translation.
- Post-NAT destination: the remote IP address after NAT translation.
show nat translations source detail
Pre-NAT src Pre-NAT dst Post-NAT src Post-NAT dst
192.168.1.10:3712 172.16.1.10:3389 10.0.1.10:3712 172.16.1.10:3389
192.168.1.11:1058 172.16.1.10:3389 10.0.1.11:1058 172.16.1.10:3389
EdgeRouter 1: WAN address 203.0.113.1, peer 192.0.2.1, local VPN range 10.0.1.0/24
1. Enter configuration mode.
configure
2. Disable the auto-firewall-nat-exclude feature. It would otherwise exempt traffic between the tunnel subnets from NAT and from the firewall, and here the translation must happen before the IPsec policy match.
set vpn ipsec auto-firewall-nat-exclude disable
3. Define the IKE / Phase 1 (P1) proposal used to negotiate the IKE Security Association (SA). The peer must be configured with a matching proposal; SHA-1 is used here only as an HMAC, but prefer SHA-256 when both peers support it.
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Define the ESP / Phase 2 (P2) proposal and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with a long, random pre-shared secret; it must be identical on both routers).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.0.1.0/24
7. Add firewall rules for the IPsec traffic to the WAN_LOCAL firewall policy. Rules 30, 40 and 50 accept IKE, ESP and NAT-T from any source; if the peer has a static WAN address, restrict their source address to the peer (192.0.2.1).
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
8. Add a firewall rule for the IPsec traffic to the WAN_IN firewall policy.
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 source address 172.16.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec
9. Add a Source NAT rule that translates the internal range to the local VPN range. Because the outside address is a /24 rather than a single host, the rule is a one-to-one network map: the host bits are preserved, so 192.168.1.10 becomes 10.0.1.10.
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 10.0.1.0/24
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source
10. Add a Destination NAT rule that translates the local VPN range (10.0.1.0/24, the address the remote site uses to reach this site) back to the internal range, again host for host.
set service nat rule 4000 destination address 10.0.1.0/24
set service nat rule 4000 inbound-interface eth0
set service nat rule 4000 inside-address address 192.168.1.0/24
set service nat rule 4000 protocol all
set service nat rule 4000 source address 172.16.1.0/24
set service nat rule 4000 type destination
11. Commit the changes and save the configuration.
commit ; save
EdgeRouter 2: WAN address 192.0.2.1, peer 203.0.113.1, local VPN range 172.16.1.0/24
1. Enter configuration mode.
configure
2. Disable the auto-firewall-nat-exclude feature. It would otherwise exempt traffic between the tunnel subnets from NAT and from the firewall, and here the translation must happen before the IPsec policy match.
set vpn ipsec auto-firewall-nat-exclude disable
3. Define the IKE / Phase 1 (P1) proposal used to negotiate the IKE Security Association (SA). It must match the proposal on EdgeRouter 1; SHA-1 is used here only as an HMAC, but prefer SHA-256 when both peers support it.
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Define the ESP / Phase 2 (P2) proposal and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with the same pre-shared secret configured on EdgeRouter 1).
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 203.0.113.1 description ipsec
set vpn ipsec site-to-site peer 203.0.113.1 local-address 192.0.2.1
6. Link the SAs created above to the remote peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 203.0.113.1 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix 10.0.1.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix 172.16.1.0/24
7. Add firewall rules for the IPsec traffic to the WAN_LOCAL firewall policy. Rules 30, 40 and 50 accept IKE, ESP and NAT-T from any source; if the peer has a static WAN address, restrict their source address to the peer (203.0.113.1).
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 source address 10.0.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
8. Add a firewall rule for the IPsec traffic to the WAN_IN firewall policy.
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 source address 10.0.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec
9. Add a Source NAT rule that translates the internal range to the local VPN range. As on EdgeRouter 1 this is a one-to-one network map: 192.168.1.10 at this site becomes 172.16.1.10 inside the tunnel.
set service nat rule 5000 destination address 10.0.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 outside-address address 172.16.1.0/24
set service nat rule 5000 protocol all
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source
10. Add a Destination NAT rule that translates the local VPN range (172.16.1.0/24, the address the remote site uses to reach this site) back to the internal range, again host for host.
set service nat rule 4000 destination address 172.16.1.0/24
set service nat rule 4000 inbound-interface eth0
set service nat rule 4000 inside-address address 192.168.1.0/24
set service nat rule 4000 protocol all
set service nat rule 4000 source address 10.0.1.0/24
set service nat rule 4000 type destination
11. Commit the changes and save the configuration.
commit ; save
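As an added worked example (not code from the Ubiquiti article), the script below models the Source and Destination NAT rules from steps 9 and 10 on both routers and traces the flow shown in the NAT translation table earlier on this page through EdgeRouter 1's SNAT, the tunnel and EdgeRouter 2's DNAT, then the reply path. It assumes the many-to-many rule behaves as a one-to-one network map (host bits preserved, as the 192.168.1.10 to 10.0.1.10 rows above show) and that ports are untouched; the names R1, R2, netmap, trace and selectors_match are the example's own. The selectors_match check is the first thing to run when show vpn ipsec sa shows no Phase 2 SA after commit: the local prefix on one router must equal the remote prefix on the other.

```python
"""Added example (not from the Ubiquiti article): model the Many-to-Many NAT
rules of both EdgeRouters and trace a packet through them. Standard library
only; all addresses and packets are constructed sample data taken from the
procedure above."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """One-to-one network translation (assumed behaviour of an EdgeOS
    source/destination NAT rule whose outside-/inside-address is a prefix):
    the host bits are kept and only the network bits are replaced, so
    192.168.1.10 -> 10.0.1.10. Ports are not touched."""
    a, src, dst = Addr(addr), Net(from_net), Net(to_net)
    if a not in src:
        raise ValueError(f"{addr} is outside {from_net}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("many-to-many NAT needs prefixes of equal size")
    host_bits = int(a) & int(src.hostmask)
    return str(Addr(int(dst.network_address) | host_bits))


@dataclass(frozen=True)
class Router:
    name: str
    lan: str            # real LAN prefix (192.168.1.0/24 on both sites)
    local_prefix: str   # tunnel 'local prefix'  == SNAT outside-address
    remote_prefix: str  # tunnel 'remote prefix' == DNAT source address

    def snat(self, src: str, dst: str) -> tuple[str, str]:
        """Step 9 (rule 5000): LAN -> remote VPN range is mapped into the
        local VPN range on the way out (POSTROUTING, before the IPsec
        policy match, which is why auto-firewall-nat-exclude is disabled)."""
        if Addr(src) in Net(self.lan) and Addr(dst) in Net(self.remote_prefix):
            return netmap(src, self.lan, self.local_prefix), dst
        return src, dst

    def dnat(self, src: str, dst: str) -> tuple[str, str]:
        """Step 10 (rule 4000): remote VPN range -> local VPN range is mapped
        back into the LAN on the way in (PREROUTING, before WAN_IN)."""
        if Addr(src) in Net(self.remote_prefix) and Addr(dst) in Net(self.local_prefix):
            return src, netmap(dst, self.local_prefix, self.lan)
        return src, dst


# The two routers from the procedure (WAN 203.0.113.1 and 192.0.2.1).
R1 = Router("R1", "192.168.1.0/24", "10.0.1.0/24", "172.16.1.0/24")
R2 = Router("R2", "192.168.1.0/24", "172.16.1.0/24", "10.0.1.0/24")


def selectors_match(a: Router, b: Router) -> bool:
    """A policy-based tunnel only negotiates Phase 2 if each side's local
    prefix is the other side's remote prefix."""
    return a.local_prefix == b.remote_prefix and a.remote_prefix == b.local_prefix


def trace(src: str, dst: str, sender: Router, receiver: Router) -> dict[str, tuple[str, str]]:
    """Follow one packet: sender SNAT -> tunnel -> receiver DNAT. The reply
    takes the same path in reverse; because netmap is a bijection this
    stateless mapping agrees with what conntrack undoes for replies."""
    in_tunnel = sender.snat(src, dst)
    delivered = receiver.dnat(*in_tunnel)
    return {"pre_nat": (src, dst), "in_tunnel": in_tunnel, "delivered": delivered}


def overlaps_local_lan(sender: Router, dst: str) -> bool:
    """The problem the NAT solves: without it, a remote host's real
    192.168.1.x address is also local to the sender and never reaches the
    tunnel."""
    return Addr(dst) in Net(sender.lan)


if __name__ == "__main__":
    # Rows of the NAT translation table shown earlier in the article.
    for host in ("192.168.1.10", "192.168.1.11"):
        t = trace(host, "172.16.1.10", R1, R2)
        print(f"R1 SNAT : {t['pre_nat']} -> {t['in_tunnel']}")
        print(f"R2 DNAT : {t['in_tunnel']} -> {t['delivered']}")
    print("selectors match:", selectors_match(R1, R2))
    print("overlap without NAT:", overlaps_local_lan(R1, "192.168.1.10"))
```

Run it after committing both configurations and compare its in_tunnel pairs with the Post-NAT columns of show nat translations source detail on the sending router; the delivered pair is what the receiving router's WAN_IN rule 60 sees, which is why that rule matches on the 192.168.1.0/24 destination rather than on the VPN range.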
Related Articles
EdgeRouter - Site-to-Site IPsec VPN with Many-to-One Source NAT
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH