
IPsec Tunnel building with Local Subnet NAT with one Public IP

Hi,

 

There is a requirement for building an IPsec tunnel between a client and us.

But the client requires only Public IP for building the IPsec tunnel instead of Private IP and they are not providing Private subnet from their end.

 

They even require our private subnet to be NATed behind a single public IP.

 

I tried to build IPsec based on the link below.

"https://community.sophos.com/products/xg-firewall/f/vpn/110393/site-to-site-vpn-with-a-nated-tunnel", by NATing our private subnet behind the public IP.

 

But I am not understanding why phase 2 goes down whenever I try to allow the NATed IP.

 

Thanks.



  • Hi  

    Please refer to the article on NATing IPsec traffic: https://community.sophos.com/kb/en-us/123356

    • The sample scenario in this article shows a 1:1 NAT. Depending on the network requirements, it is also possible to configure a 1:n NAT (SNAT) or a Full NAT.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

    • Hi Keyur,

       

      Thanks for the link. I have already gone through it, but a private subnet is mentioned under "local & remote" subnet.

      But the client hasn't provided any private subnet; instead they provided a public IP.

      Is there a way to NAT the local subnet behind the public IP first and then pass that public IP through IPsec?

       

      Thanks.

      • Local Network

        Remote Network

        NAT Network

         

        Could you please post your inputs here? Maybe there is a mistake. 


        • Hi LuCar,

           

          Please find the below details.

           

          Local Network  : 172.20.29.0/24

          NAT Network    : 14.141.10.163

          Remote Network : 138.5.50.16/28, 138.5.102.123/32 (the mentioned IPs are already NATed on the client side).

           

          Thanks.

          • You need to switch NAT Network and Local Network.

            NAT Network is your network behind XG.

            Local Network is your "SA" Network. So basically which network the other side sees. 


            • Hi Lucar,

               

              Sorry for the late reply.

              You said I need to switch the NAT network, but I couldn't get that.

              I would like to send a screenshot in which you can find the details of our and client network on which IPsec should build up.

              As you can see, the encryption domain is a private subnet, and as per the client that subnet needs to be NATed behind a public IP.

              And that public IP should work as remote subnet from client end.

               

              The Downstate IP that you see in the screenshot is already NATed with their private subnet.

               

              Request you to help on NATing that subnet and passing the public IP through the IPsec tunnel.

              Thanks.

              • For me, your screenshot does not make any sense. 

                Your 172.20.29.0/24 - Does this network exist? 

                That's your SA, isn't it? 

                So you would build up the SA with 172.20.29.0/24 as local network and remote network 138.5.50.16/28 & 138.5.102.132/32. Basically two SAs.

                In this scenario, you can actually only NAT one /24 as 1:1 NAT into your 172.20.29.0/24. 

                 

                Or should you use your Public IP in the IPsec Tunnel? That will cause a lot of trouble. 

                Basically you would start to have the same IP as Gateway WAN IP and in your IPsec Tunnel. That's most likely not desirable. Or is the 14.140.10.164 not used somewhere else? 


                • Hi LuCar,

                   

                  Thanks for helping; as you said, I need to switch NAT network and Local network.

                   

                  Thanks.
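To make the field mapping LuCar describes above concrete (NAT Network = the subnet really behind XG, Local Network = the selector the peer sees), here is an added Python illustration that is not from the thread or from Sophos: it models the phase 2 selectors that result from the posted values, classifies the NAT as 1:1 or many-to-one, and flags the WAN-IP overlap LuCar warns about. The `plan_nat_tunnel` and `selector_matches` helpers, the RFC 5737 sample prefix and the WAN IP used in the check are assumptions for the example, not XG behaviour.

```python
import ipaddress
from typing import NamedTuple

class Sa(NamedTuple):
    local: ipaddress.IPv4Network   # what the peer sees ("Local Network" field)
    remote: ipaddress.IPv4Network  # peer's already-NATed subnet ("Remote Network")

def plan_nat_tunnel(real_local, presented_local, remotes, wan_ip=None):
    """Return (nat_type, sas, warnings) for a NATed site-to-site tunnel.

    real_local      - subnet actually behind XG  ("NAT Network" field)
    presented_local - address/prefix the peer sees ("Local Network" field)
    remotes         - peer subnets; one phase 2 SA is built per entry
    wan_ip          - optional gateway WAN IP, checked for overlap (assumption)
    """
    real = ipaddress.ip_network(real_local)
    shown = ipaddress.ip_network(presented_local)
    warnings = []
    if shown.prefixlen == real.prefixlen:
        nat_type = "1:1"                      # same-size prefixes map host by host
    elif shown.num_addresses == 1:
        nat_type = "SNAT (many-to-one)"       # whole subnet hidden behind one IP
    else:
        raise ValueError("presented prefix must equal the real prefix (1:1) or be a /32 (SNAT)")
    if wan_ip is not None and ipaddress.ip_address(wan_ip) in shown:
        warnings.append(f"{wan_ip} is both the gateway WAN IP and inside the tunnel selector")
    sas = [Sa(shown, ipaddress.ip_network(r)) for r in remotes]
    for sa in sas:
        if sa.local.overlaps(sa.remote):
            warnings.append(f"local {sa.local} overlaps remote {sa.remote}")
    return nat_type, sas, warnings

def selector_matches(sas, src, dst):
    """True if a packet (source already translated) fits one phase 2 selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sa.local and d in sa.remote for sa in sas)

if __name__ == "__main__":
    # Values from the thread: real LAN, public NAT IP, client's NATed subnets.
    nat_type, sas, warn = plan_nat_tunnel(
        "172.20.29.0/24", "14.141.10.163/32",
        ["138.5.50.16/28", "138.5.102.123/32"], wan_ip="14.141.10.163")
    print(nat_type, [f"{sa.local} <-> {sa.remote}" for sa in sas], warn)
    # Translated traffic fits the selector; untranslated 172.20.29.x does not,
    # which is the mismatch you get when the two fields are swapped.
    print(selector_matches(sas, "14.141.10.163", "138.5.50.20"))
    print(selector_matches(sas, "172.20.29.10", "138.5.50.20"))
```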