S2S VPN with multiple source NAT

mauros · ‎02-28-2020

Hello,

I need to setup a VPN with a partner. We agreed for two subnets that are not in conflict with both mine and their internal networks:

my side: 172.24.1.8/29

their side: 172.24.1.0/29

They identify both networks as IP-Pools and in the doc they sent me, I read that on my side "internal network should be hidden behind 172.24.1.9/32"

At the end, my hosts should be able to reach 172.24.1.1 and 172.24.1.2 on the remote side.

I configured the tunnel with these two networks in the phase2, but I suppose it's not enough... should I configure a pool?

And (second step): I have several internal networks that I want to be able to communicate with the remote site, the 172.24.1.8/29 actually is only defined as address for routing but my clients are on other networks. Which part of the configuration should be changed to allow this?

Thanks

(200D)

Toshi_Esumi · ‎02-28-2020

I saw almost the same post this month or last month and commented. NATing on an IPsec VPN is nothing different from NATing on a regular interface because you must have setup an interface-mode/route based IPSec. Either setting the SNAT IP(172.24.1.9/32) on the VPN interface to use for the NAT or if it's already occupied with a different peer tunnel IP setting an IP pool with the SNAT IP would do the NAT.

Of course you need to have a proper route for the destination and adjust the policy if it's limiting src/dst addresses.

For the second part, your description of the requirement is not clear but what you need to to would be similar to the first part.

S2S VPN with multiple source NAT

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website