IPsec - NAT before IPsec

Index

• IPsec - NAT before IPsec

  • Network topology

  • Preparations

  • Add manual security policies

  • Configure NAT

Network topology

The schema below describes the situation we are implementing. Two networks (A,B) to peer both firewalls, where the Ipsec policy includes 10.1.0.0/24 <-> 192.168.1.0/24, but locally side A uses 10.99.0.0/24.

How to setup the tunnel itself is explained in the IPsec - Policy based public key setup document.

Preparations

Make sure the tunnel is up and running before trying out the NAT part, then edit the child entry and input a Reqid there which isn’t used in any of the other tunnels. For this example we choose 100 here.

Note

It’s imperative to choose a static number here in order to be able to bind policies to the current tunnel.

Add manual security policies

In order for IPsec to trust the local network (10.99.0.0/24) a manual policy needs to be added, go to the “Manual” tab in VPN->IPsec->Security Policy Database. Next add a new entry containing the following items:

---

Property	site A
Reqid	100
Source network	10.0.99.0/24

Tip

When the “Destination network” is left empty, the other end (in this case 192.168.1.0/24) will be received from the tunnel. In case multiple networks exist in the same child policy it’s better to define which one this entry belongs too.

Tip

After changing manual security policies, make sure the tunnel is reconnected (restart or disconnect and connect) as the registration is being arranged using an updown event

Note

Some scenario’s require multiple clients being connected to the same “child” (such as mobile), when the other end pushes it’s network (destination), it is possible to hook to the correct connection by connecting the manual policy directly to the connection child. In these cases the reqid is dynamic (leave blank) in the connection child. The “Child” option can be used for these manual policies.

Configure NAT

To map the networks, we will use a one to one rule created from the Firewall->NAT->One-to-One menu option. The following settings apply here:

---

Property	site A	Notes
Interface	IPsec
Type	BINAT	Two way mapping
External network	10.1.0.0	As defined in the child connection
Source	10.99.0.0/24	The local network
Destination	192.168.1.0/24	The remote network

Note

When using BINAT all networks need to be equally sized (/24 in this case)