How to NAT specific hosts to reach remote network through IPsec S2S?

Hello everyone,

I'm facing an issue when passing traffic through an IPsec tunnel.

The tunnel is up and running and the remote network can reach a 'loopback' interface I've created on the XG firewall but not the target hosts.

On the local subnet we can't reach the remote subnet at all.

Firewall rules are created (VPN > LAN, LAN > VPN)

 

 

In the IPsec tunnel configuration, we have the 172.17.12.200/29 on the left SA and for the right SA, 172.4.4.0/24.

What I want to accomplish is to NAT the hosts on the subnet 192.168.10.0/24 (192.168.10.2-3) so they can be reachable and also be able to reach hosts on the remote subnet.

 

Any advice would be very helpful.

  • Hi  

    You would be required to add IP host/Network in the Local and Remote Subnet of IPsec and also add the static in XG that 192.168.10.0 network is reachable through this Interface, please enable MASQ in VPN to LAN rule.


  • In reply to Keyur:

    Hello Keyur,

    Do you mean I have to change from 172.17.12.200/29 to 192.168.10.0/24 on the Local Subnet?
    If that's so, we can't change the configuration of the tunnel.

    The remote site ask us to masq our subnet.

    I'm wondering if XG can handles this kind of job, I run out of ideas to try to make it work.