IPSEC TUNNEL and BINAT

Started by fixit, November 30, 2018, 10:29:09 AM

November 30, 2018, 10:29:09 AM Last Edit: December 03, 2018, 09:02:35 PM by fixit
Hello,
I have a remote network 192.168.0.1 that I want to access through an IPSEC tunnel. To avoid interfering with my local network, I need to NAT this remote network. I think it's 1:1.
Here is a diagram to explain:
LOCAL                       IPSEC                  REMOTE
ME 192.168.2.0 <------------------> 10.75.10.0/24:192.168.0.0/24 ----

I configured the tunnel:
Remote VPN config:
local subnet: 10.75.10.0, remote subnet: 192.168.2.0
Local VPN config:
local subnet: 192.168.2.0, remote subnet: 10.75.10.0


I created 1:1 NAT rules to map the subnet 10.75.10.0 to 192.168.0.0 on the WAN interface.
I created very permissive firewall rules that allow everything on the IPSEC interface over the WAN and the LAN.

But whatever I do, nothing happens.
Do you have an idea?

Best regards,
Ben


Hi,
I have the same problem:

Local LAN: 192.168.100.0/24
Local Subnet Phase 2: 188.93.252.132/30
Remote Subnet Phase 2: 188.93.251.0/24

Tunnel is up and working

BINAT 1:1 Rule on IPSEC Interface
External: 188.93.252.134/32
Source: 192.168.100.11/32
Destination: 188.93.251.37/32

No manual SPD Entries.

Do I have a config mistake?
Regards,
Michael

Hi Ben,

Quote from: fixit on November 30, 2018, 10:29:09 AM
To avoid interfering with my local network, I need to make NAT of this remote network. I think it's 1to1.

If you mean by interference that there are subnets on either side that overlap, then a 1:1 NAT won't help you. You would need to apply a separate NAT for any host on the far end.

Are there any conflicts?

Bart...


Yup,
I tried:

* 192.168.100.11/32 as SPD -> not working

Maybe it's a problem with the routing table? If I try to reach 188.93.251.37/32, the FW logs show interface WAN (I think it should go through the IPSEC interface?)

Is it because the Phase 2 IPs are official IPs and not private ones?

It would be better if you started your own thread with all the details and did not hijack this one :)

December 03, 2018, 09:01:19 PM #7 Last Edit: December 03, 2018, 10:06:01 PM by fixit
Hello,
Thanks for your answers.
@mimugmail: Yes, that is my configuration type.
I tried with this configuration, but it does not work:

VPN is UP
On the remote site, I have set the SPD to my local network, i.e. 192.168.0.0/24.
Phase 2: remote 192.168.2.0, local 10.75.10.1
I created a 1:1 rule: IPsec 10.75.10.1/24 192.168.0.1/24 *
I have allowed all traffic in LAN, IPSEC interfaces.

When I ping a machine (10.75.15.18) on my remote site from the local site, I see the ping arrive at the remote machine (but I don't get a response):
Ping: src: 192.168.2.94 dst: 192.168.0.18

And if I ping the local machine from my remote machine (ping 192.168.2.94), it fails too.
I think I have a problem with the return route.
What is wrong? Maybe I should add a static route?

@bartjsmit: Nothing happens if I create NAT rules; I even get an error which tells me that the IP does not exist. Do I have to create a "LAN" network interface in order to assign NAT rules to it? A virtual IP? In this case I don't use the SPD?

Thanks for your help,

Regards,
Ben
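An added example for readers of this thread (not code from any poster or from OPNsense): it models the 1:1 translation on the far end of the tunnel with the addresses from the first post and checks that a ping and its reply both match the Phase 2 selectors. The function names and the overlap check are my own.

```python
import ipaddress

def translate(addr, src_net, dst_net):
    """Rewrite addr (inside src_net) to the host with the same offset in
    dst_net; this is what a 1:1 rule does for every address of the prefix.
    Returns None when addr is outside src_net, i.e. the rule does not apply."""
    ip = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(src_net, strict=False)
    dst_net = ipaddress.ip_network(dst_net, strict=False)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs prefixes of equal size")
    if ip not in src_net:
        return None
    offset = int(ip) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)

def needs_nat(local_lan, remote_lan):
    """True only when the two real LANs share addresses (Bart's question)."""
    a = ipaddress.ip_network(local_lan, strict=False)
    b = ipaddress.ip_network(remote_lan, strict=False)
    return a.overlaps(b)

def simulate_ping(src, dst, local_lan, phase2_remote, remote_lan):
    """Follow an echo request from the local LAN through the tunnel and the
    reply back. phase2_remote is the translated prefix the local side sees
    (the Phase 2 remote selector); remote_lan is the real prefix behind the
    far gateway, where the 1:1 rule rewrites the destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    p2_local = ipaddress.ip_network(local_lan, strict=False)
    p2_remote = ipaddress.ip_network(phase2_remote, strict=False)
    if src not in p2_local or dst not in p2_remote:
        return "no SPD match: packet does not enter the tunnel"
    inner = translate(dst, phase2_remote, remote_lan)   # far gateway: dst rewrite
    if inner is None:
        return "tunnelled, but no 1:1 rule covers the destination"
    reply_src = translate(inner, remote_lan, phase2_remote)  # reply: src rewrite
    if reply_src not in p2_remote:   # the reply must match the SPD in reverse
        return "reply does not match the SPD: dropped on the way back"
    return f"ok: {src} -> {dst} reaches {inner}; reply comes from {reply_src}"

if __name__ == "__main__":
    # Constructed from the first post: local 192.168.2.0/24, Phase 2 remote
    # 10.75.10.0/24, real remote LAN 192.168.0.0/24.
    print(needs_nat("192.168.2.0/24", "192.168.0.0/24"))
    print(simulate_ping("192.168.2.94", "10.75.10.18",
                        "192.168.2.0/24", "10.75.10.0/24", "192.168.0.0/24"))
    print(simulate_ping("192.168.2.94", "10.75.15.18",
                        "192.168.2.0/24", "10.75.10.0/24", "192.168.0.0/24"))
```

A destination outside the Phase 2 remote selector never matches the SPD, so it is routed normally instead of entering the tunnel; the third call shows that case.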