KPS
New Member
November 13, 2018
Question

IPSEC - NAT all the traffic to VPN

  • November 13, 2018
  • 1 reply
  • 5458 views

Hi!

I am just trying to set up a new VPN, but cannot get it into a working condition...

Goal is: NAT all the traffic from internal to the remote net 172.16.1.0/24 to source IP 192.168.99.1 and send it into the VPN.

 

Tunnel is configured and up.

Phase 1 is running.

Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24

Firewall policy: Internal to VPN-Tunnel, ANY, ANY, Allow - with NAT

VPN tunnel comes up, but there seems to be no data sent into the tunnel.

Can you give me a hint about what I am missing?

Thank you for your help!!

KPS

1 reply

emnoc
New Member
November 13, 2018

You are masking all behind the 192.168.99.0/24? If yes, ensure the src/dst-subnets allow for SRC 192.168.99.0/24 and that the DST-SUBNET (at the remote site) is correct.

I didn't quite understand the following:

  Phase 2 is configured as: 192.168.99.0/24 to 172.16.1.0/24

Can you copy out the VPN phase2 settings and post them here?

 

Ken Felix

 

KPS (Author)
New Member
November 13, 2018

Hi!

Thank you for your answer!

<code>
config vpn ipsec phase2-interface
(phase2-interface) # show
config vpn ipsec phase2-interface
    edit "XXX-VPN"
        set phase1name "XXX-VPN"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.99.0 255.255.255.255
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
</code>

Interface IP on XXX-VPN is: 192.168.99.1

Firewall policy is: Allow everything to XXX-VPN WITH NAT.

Thank you for your help!

emnoc
New Member
November 13, 2018

Is "set dst-subnet 172.16.1.0 255.255.255.0" the network at the destination? And are you sure the internal LANs are being SNATed behind 192.168.99.1?

So you should have interface XXX-VPN; run a diag sniffer packet XXX-VPN "dst net 172.16.1" and see whether you see traffic. Also, have you validated the routing for the destination network?

  get router info routing all | grep 172.16.1

Ken Felix
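A quick way to test the point emnoc raises about the selectors, as an added example that is not code from the original posts or from Fortinet: parse the phase2 block KPS posted and check whether a packet SNATed to the XXX-VPN interface address 192.168.99.1 and sent to a host in 172.16.1.0/24 falls inside both the src-subnet and the dst-subnet. A FortiGate only encapsulates a packet routed into a route-based tunnel if it matches one of that tunnel's phase2 selectors, so a selector that excludes the NAT source would produce exactly the symptom in the question, a tunnel that is up with nothing going into it. The two config constants are constructed copies of the posted block (one as posted, one with the src-subnet widened to the 192.168.99.0/24 the question describes as the intended phase 2); the remote host 172.16.1.10 is an assumed test address.

```python
"""Check FortiGate IPsec phase2 selectors against the SNAT address used for the tunnel.

Added illustration for this thread, not code from the original posts or from Fortinet.
"""
import ipaddress
import re

# Constructed copy of the phase2 "show" output posted in the thread.
POSTED_PHASE2 = """\
config vpn ipsec phase2-interface
    edit "XXX-VPN"
        set phase1name "XXX-VPN"
        set proposal aes256-sha256
        set dhgrp 14
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 192.168.99.0 255.255.255.255
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
"""

# Constructed variant: src-subnet widened to the /24 the question describes
# as the intended phase 2 (192.168.99.0/24 to 172.16.1.0/24).
WIDENED_PHASE2 = POSTED_PHASE2.replace(
    "set src-subnet 192.168.99.0 255.255.255.255",
    "set src-subnet 192.168.99.0 255.255.255.0",
)

# FortiOS default when a selector is not set explicitly: match everything.
DEFAULT_SELECTOR = "0.0.0.0 0.0.0.0"


def parse_phase2(text):
    """Return {tunnel_name: {setting: value}} for each 'edit' block of a
    phase2-interface config, e.g. {"XXX-VPN": {"src-subnet": "192.168.99.0 255.255.255.255", ...}}."""
    tunnels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]*)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip('"')
    return tunnels


def selector_network(value):
    """Turn a FortiOS '<address> <netmask>' (or CIDR) selector into an IPv4Network."""
    parts = value.split()
    text = f"{parts[0]}/{parts[1]}" if len(parts) == 2 else parts[0]
    return ipaddress.ip_network(text, strict=False)


def check_selectors(tunnel, nat_source, remote_host):
    """List the reasons a packet SNATed to nat_source and sent to remote_host would
    not match this tunnel's phase2 selectors. An empty list means it matches both."""
    src = selector_network(tunnel.get("src-subnet", DEFAULT_SELECTOR))
    dst = selector_network(tunnel.get("dst-subnet", DEFAULT_SELECTOR))
    problems = []
    if ipaddress.ip_address(nat_source) not in src:
        problems.append(f"NAT source {nat_source} is outside src-subnet {src.with_netmask}")
    if ipaddress.ip_address(remote_host) not in dst:
        problems.append(f"destination {remote_host} is outside dst-subnet {dst.with_netmask}")
    return problems


if __name__ == "__main__":
    # Compare the posted selectors with the widened ones for the same test packet.
    for label, cfg in (("as posted", POSTED_PHASE2), ("src-subnet /24", WIDENED_PHASE2)):
        tunnel = parse_phase2(cfg)["XXX-VPN"]
        issues = check_selectors(tunnel, "192.168.99.1", "172.16.1.10")
        print(f"{label}: {'selectors match' if not issues else '; '.join(issues)}")
```

Run against the block as posted, the check reports that 192.168.99.1 is outside 192.168.99.0/255.255.255.255 (a /32 on the network address rather than the /24 the question describes), while the widened variant matches. On the box itself the same comparison can be made with `diagnose vpn tunnel list`, which prints each tunnel's selectors together with its SA packet counters, so a zero count next to a selector that excludes the SNAT address points the same way.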