Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 2431 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

POLICY BASED IPSEC VPN with Source NAT (MASQ)

Callum Roseneder1

I'm migrating from a UTM to an XG so i'm trying to replicate a config that already existed.
I have the IPSEC VPN setup and the tunnel comes up.
The VPN selector on my side only has a /30
I need to have the rest of the organisation talk through this VPN as well, I simply want to source NAT everything from 10.0.0.0/23 through one of the IP's in that /30.

I have tried using the NAT option in the IPSEC configuration, but this doesn't seem to work and I can see a pop up that tells me the subnet mask needs to be the same both sides (suggest it would attempt a 1:1 mapping).

I also tried using a regular NAT rule but that didn't seem to work either.

XG is on 20.0

Any help would be appreciated, Is this doable?



This thread was automatically locked due to age.
Parents
  • 0



    FYI, if anyone comes looking, this is how I solved this.

    I couldn't get the NAT in the policy based VPN configuration to work.
    - I needed to map multiple networks /23 and /16 to a single selector that was only a /30
    - I need MASQ. as far as I can tell this NAT under the VPN setup would only work with a static NAT 1:1.
    -- I cant change the other end and they won't change it either to give me more addresses in my selector, Government department, what can I say.
    - I tried creating NAT rules through the policy menu, this seems to have no impact on the traffic going through the VPN and counters wouldn't tick up and captures showed no NAT was applied.

    I solved this with a route based VPN,
    - set your XFRM interface as a valid host address from within the local selector
    - set your remote selector as expected/required to satisfy the phase2 VPN negotiation
    - set routes to route your required traffic over the VPN
    - set your NAT rules in policy, not in the VPN, in my situation I just SRC natted anything destined to the remote networks via my IP on my XFRM interface

    Can confirm this is up and works.
    And this is actually not that complicated to understand now that I done it.

  • 0 in reply to Callum Roseneder1

    Did you try in the Policy Based Solution the IPsec_Route?

    __________________________________________________________________________________________________________________

Reply Children
No Data
Unfiltered HTML