EdgeRouter - Site-to-Site IPsec VPN with Many-to-One Source NAT
Overview
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN while also translating the traffic using Many-to-One Source NAT.
Table of Contents
- Frequently Asked Questions (FAQ)
- Configuring a Policy-Based VPN with Many-to-One Source NAT
- Related Articles
Frequently Asked Questions (FAQ)
1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
|
2. What are the available encryption and hashing options for IKE and ESP?
Encryption
Hashing
|
3. What is the difference between Many-to-One NAT, PAT (Port Address Translation), Masquerade and NAT Overload?
All of these are just different names for the same NAT feature, which translates multiple internal addresses to a single outside address. |
4. What Site-to-Site VPN types are compatible with Many-to-One NAT?
Policy-Based, Route-Based and GRE over IPsec Site-to-Site VPNs are compatible with Many-to-One NAT. |
Configuring a Policy-Based VPN with Many-to-One Source NAT
The 192.168.1.0/24 subnet will be translated to the 10.0.255.1 address using NAT Masquerade.
There are NAT four address types, which can be viewed in the NAT translation table:
Pre-NAT source
The local IP address before NAT translation.Post-NAT source
The local IP address after NAT translation.Pre-NAT destination
The remote IP address before NAT translation.Post-NAT destination
The remote IP address after NAT translation.
show nat translations source detail
Pre-NAT src Pre-NAT dst Post-NAT src Post-NAT dst
192.168.1.10:3712 172.16.1.10:3389 10.0.255.1:3712 172.16.1.10:3389
192.168.1.11:1058 172.16.1.10:3389 10.0.255.1:1058 172.16.1.10:3389
1. Enter configuration mode.
configure
2. Disable the auto-firewall-nat-exclude feature.
set vpn ipsec auto-firewall-nat-exclude disable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with your desired passphrase).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.0.255.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
7. Add firewall rules for the IPsec traffic to the WAN_LOCAL firewall policy.
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp
set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec
8. Add a firewall rule for the IPsec traffic to the WAN_IN firewall policy.
set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 source address 172.16.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec
9. Add a Source NAT rule that translates the internal range to the 10.0.255.1 address.
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 10.0.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source
10. Commit the changes and save the configuration.
commit ; save
1. Define the IPsec peer and hashing/encryption methods.
VPN > IPsec Site-to-Site > +Add Peer
- Check: Show advanced options
- Check: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: IPsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 10.0.255.1/32
Related Articles
EdgeRouter - Site-to-Site IPsec VPN with Many-to-Many Source NAT