IPsec VPN 1 to 1 NAT

I have the joy of having a requirement from one of my vendors to create an IPsec VPN tunnel with 1 to 1 NAT. I have a little over 100 hosts that have to be NATed inside this tunnel. The configuration on the XG to do this is currently a hot mess.

Step 1 - Ensure all host objects are created. This is expected so no real complaints here. Add any of the 105 local IP addresses that are missing, add the 105 NAT addresses I need.

Step 2 - Configure VPN tunnel with said objects. This is where it gets really fun. Add 105 /32 hosts into the local subnets. Caution - this is the address you want to NAT TO from your actual local addresses. This is very un-intuitive as your brain wants to assume in looking at the GUI that since you read left to right that you would read the NAT in that manner. Nope, again this is the NAT address you are sending over the tunnel. I unfortunately found this out the hard way after getting it all configured... backwards.


Step 3 - Now that you have added all of your objects into the local subnets the fun begins. The GUI is now running about as fast as Netscape Navigator circa 1999 via AOL dial up. Check the box for NAT and get what is posted above. A drop down box to choose what you want to NAT to. Great - unless you have 1500+ objects in your XG. It gets better - they are in the order they were added to the XG. Not alphabetical or numerical, the order they were added. You think, no problem, I'm sure it lets you search for the object I need... To the great amusement of the developers you cannot in fact do this. You have to manually scroll through all of your objects and find your object, again in the order they were added to the firewall. So 1500+ objects in no particular order that you cannot search through. All the while every click takes 10-15 seconds thanks to the now overwhelmed GUI. Get about 20 of the NATs configured and forget to hit save? You are welcomed with a nice timeout that wipes out 20-30 minutes of work. So you can only do about 5 at a time. Again though, every time you go into the VPN config it's a good 5 minutes to even get control of the web page back. Good times so far.


So, has anyone else experienced the joy of 1 to 1 NAT in IPsec VPN tunnels? This has been hours of work and much well deserved profanity at this configuration design with about 50% completion to show for it.


There has to be a better way... Open to suggestions! Perhaps the API can speed this up somehow? I guess this is a good time to finally break down and learn the XG API.

  • Short question, why do you not 1:1 NAT a /24? 

    Would be a two click scenario in XG. 

    Or do you have to create 105 SAs with your vendor? (/32).

  • In reply to LuCar Toni:

    Vendor requirement to 1 to 1 NAT specific IP to specific IP.

  • In reply to tragikcomic:

    But actually, if you use a /24 for example, it would map each IP.

    So SA and your network

    It would map to etc. 

  • In reply to LuCar Toni:

    Although a great suggestion, not practical in my application. Trust me, I tried to avoid this. I have local clients across multiple subnets that have to NAT in this way. The vendor required me to send them all my local client IPs that will be using this application. Then I received back a document with their expected NAT IPs that have to match exactly. Just as an example say if I had local IP it HAS to NAT to, must be Those are obviously made up but you get the gist of it.


    I do appreciate the suggestions though! 

  • In reply to tragikcomic:

    I just wanted to follow up on this thread for anyone searching later on. 


    DO NOT do the 1 to 1 NAT inside the VPN tunnel config if you have this many hosts to NAT. This was a complete nightmare while I had it set up this way. The tunnel would come up just fine, but would just randomly start dropping SAs inside the tunnel. When you have 115 or so SAs and all that NATing going on the Sophos just could not handle it. It would affect my other VPN tunnels as well, making them start to drop SAs randomly. I think with that many NATs and that many SAs it was just too much for strongSwan perhaps? I'm assuming it's probably single threaded so it was not happy with all of the constant updates etc. going on. I spent hours on the phone with support who did their best to help troubleshoot but ultimately we found no solution. I ended up having to get a separate XG 210 just to move this VPN to. The reason for this was the solution I had to use. I did the NAT with firewall rules instead. I did not want to add that many rules just to NAT to my production XG 450 pair. It was a lot of rules...


    So I configured the new XG 210 with the NAT done in the firewall rules and was able to present only the /24 network to the other side instead, with no NAT being done inside the VPN config. This does require manual addition of the routes via the XG CLI to the VPN tunnel. Once I had the new firewall configured and made the cut over my issues were all gone. My VPN tunnel for this has been completely stable so far. My existing tunnels that started to drop SAs while this tunnel was on my prod firewall all started working stably just as they had been for months prior. It fixed all of my issues.

    I found this solution via this forum post: https://community.sophos.com/products/xg-firewall/f/vpn/84062/multiple-nat-on-single-ipsec-tunnel

    It was a lot of work, but the end result to have a stable tunnel was worth it.
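As an added example (not code from this thread or from Sophos), here is a small Python check I would run over the vendor's mapping document before turning it into per-host NAT rules, whether in the tunnel config or in firewall rules as in the final post. It assumes a two-column CSV (local,NAT) and the single /24 presented to the peer; all addresses and the prefix below are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed vendor mapping document (RFC 5737 ranges): local host,NAT address.
# The peer is only told about 198.51.100.0/24, so every NAT address should sit there.
SAMPLE_MAPPING = """
10.10.1.5,198.51.100.5
10.10.2.17,198.51.100.17
10.20.3.9,198.51.100.40
10.10.1.6,198.51.100.6
10.10.1.7,203.0.113.7
"""

@dataclass
class MappingReport:
    entries: int = 0
    bijective: bool = True          # every local and every NAT address used exactly once
    uniform_offset: bool = False    # one subnet-level 1:1 NAT would express the whole document
    problems: list = field(default_factory=list)
    outside_presented: list = field(default_factory=list)

def parse_mapping(text):
    # Parse 'local,nat' lines into (IPv4Address, IPv4Address) pairs.
    pairs = []
    for line in text.strip().splitlines():
        local, nat = (s.strip() for s in line.split(","))
        pairs.append((ipaddress.ip_address(local), ipaddress.ip_address(nat)))
    return pairs

def check_mapping(pairs, presented_net):
    # Validate the mapping against the prefix that is presented to the VPN peer.
    net = ipaddress.ip_network(presented_net)
    report = MappingReport(entries=len(pairs))
    locals_seen, nats_seen = set(), set()
    for local, nat in pairs:
        if local in locals_seen:
            report.problems.append(f"local {local} listed twice")
        if nat in nats_seen:
            report.problems.append(f"NAT address {nat} used for two hosts")
        locals_seen.add(local)
        nats_seen.add(nat)
        if nat not in net:
            report.outside_presented.append(str(nat))
    # A local address that also appears as a NAT target is the classic sign that the
    # two columns were swapped (the "backwards" mistake described in Step 2 above).
    for addr in sorted(locals_seen & nats_seen):
        report.problems.append(f"{addr} appears on both sides of the mapping")
    report.bijective = not report.problems
    # If every pair differs by the same offset, a single /24-style 1:1 NAT (the first
    # reply's suggestion) would cover the document; differing offsets need per-host rules.
    report.uniform_offset = len({int(nat) - int(local) for local, nat in pairs}) == 1
    return report
```

Addresses listed in `outside_presented` would never be reachable through a tunnel that only advertises the /24, so they need to be raised with the vendor before any rules are built.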