IPsec - NAT before IPsec
Network topology
The schema below describes the situation we are implementing.
Two networks (A, B) are peered between both firewalls, where the IPsec policy includes 10.1.0.0/24 <-> 192.168.1.0/24, but locally side A uses 10.99.0.0/24.
How to setup the tunnel itself is explained in the IPsec - Policy based public key setup document.
Preparations
Make sure the tunnel is up and running before trying out the NAT part, then edit the child entry and input a Reqid there which isn’t used in any of the other tunnels. For this example we choose 100.
Note
It’s imperative to choose a static number here in order to be able to bind policies to the current tunnel.
Add manual security policies
In order for IPsec to trust the local network (10.99.0.0/24) a manual policy needs to be added, go to the “Manual” tab in . Next add a new entry containing the following items:

| Property | site A |
|---|---|
| Reqid | 100 |
| Source network | 10.99.0.0/24 |

Tip
When the “Destination network” is left empty, the other end (in this case 192.168.1.0/24) will be taken from the tunnel. In case multiple networks exist in the same child policy it’s better to define which one this entry belongs to.
Tip
After changing manual security policies, make sure the tunnel is reconnected (restart, or disconnect and connect), as the registration is arranged using an updown event.
Configure NAT
To map the networks, we will use a one to one rule created from the menu option. The following settings apply here:

| Property | site A | Notes |
|---|---|---|
| Interface | IPsec | |
| Type | BINAT | Two way mapping |
| External network | 10.1.0.0 | As defined in the child connection |
| Source | 10.99.0.0/24 | The local network |
| Destination | 192.168.1.0/24 | The remote network |

Note
When using BINAT all networks need to be equally sized (/24 in this case).
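To make the two pieces of this setup tangible, the following added example (not part of the OPNsense documentation and not the firewall's own code) models what the BINAT rule and the manual security policy do for a single packet. It uses the page's addresses (10.99.0.0/24 locally, 10.1.0.0/24 as the external network, 192.168.1.0/24 remote, reqid 100); the simplified security policy database (`SPD`), the packet flow functions and the sample host addresses 10.99.0.10 and 192.168.1.20 are constructed for illustration only. It shows why the host part survives the one-to-one translation, why both networks must have the same prefix length, and why the untranslated local source matches no policy until the manual entry exists.

```python
import ipaddress

# Values from the page: the child policy negotiates 10.1.0.0/24 <-> 192.168.1.0/24,
# site A locally uses 10.99.0.0/24 and the child entry was given Reqid 100.
LOCAL_NET = ipaddress.ip_network("10.99.0.0/24")     # "Source" in the BINAT rule
EXTERNAL_NET = ipaddress.ip_network("10.1.0.0/24")   # "External network", from the child connection
REMOTE_NET = ipaddress.ip_network("192.168.1.0/24")  # "Destination", the remote network
REQID = 100

# Constructed, simplified security policy database: (local side, remote side, reqid).
# The first entry is what the negotiated child installs; the second is the manual
# policy from the "Manual" tab that makes IPsec trust the untranslated local network.
SPD = [
    (EXTERNAL_NET, REMOTE_NET, REQID),
    (LOCAL_NET, REMOTE_NET, REQID),
]


def binat_sizes_match(src_net, ext_net):
    """BINAT maps host for host, so both networks must share one prefix length."""
    return ipaddress.ip_network(src_net).prefixlen == ipaddress.ip_network(ext_net).prefixlen


def binat_translate(addr, from_net, to_net):
    """Rewrite an address one-to-one: keep its host bits, swap the network bits."""
    if not binat_sizes_match(from_net, to_net):
        raise ValueError(f"BINAT requires equally sized networks: {from_net} vs {to_net}")
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def spd_lookup(local_side, remote_side, spd=SPD):
    """Return the reqid of the first policy whose selector covers the pair, else None."""
    local_side = ipaddress.ip_address(local_side)
    remote_side = ipaddress.ip_address(remote_side)
    for pol_local, pol_remote, reqid in spd:
        if local_side in pol_local and remote_side in pol_remote:
            return reqid
    return None


def outbound(local_src, remote_dst):
    """Site A host -> remote: NAT runs first, then the translated source is matched
    against the IPsec policy, hence 'NAT before IPsec'."""
    translated = binat_translate(local_src, LOCAL_NET, EXTERNAL_NET)
    return str(translated), spd_lookup(translated, remote_dst)


def inbound(remote_src, external_dst):
    """Remote -> site A: the tunnel delivers traffic for 10.1.0.x, and the two-way
    BINAT mapping rewrites it back to the real 10.99.0.x host."""
    reqid = spd_lookup(external_dst, remote_src)
    translated = binat_translate(external_dst, EXTERNAL_NET, LOCAL_NET)
    return str(translated), reqid


def without_manual_policy(local_src="10.99.0.10", remote_dst="192.168.1.20"):
    """Only the negotiated policy is present: the untranslated local source matches nothing."""
    return spd_lookup(local_src, remote_dst, SPD[:1])


if __name__ == "__main__":
    print(outbound("10.99.0.10", "192.168.1.20"))   # ('10.1.0.10', 100)
    print(inbound("192.168.1.20", "10.1.0.10"))     # ('10.99.0.10', 100)
    print(without_manual_policy())                  # None
    print(binat_sizes_match("10.99.0.0/24", "10.1.0.0/25"))  # False: unequal sizes are rejected
```

The `SPD` list is a deliberate simplification (a real SPD carries direction, protocol and port selectors), but it is enough to show the two failure modes the page warns about: a missing manual policy leaves local traffic unmatched, and a prefix-length mismatch breaks the host-for-host mapping that BINAT relies on.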