Hello,
I'm trying to configure "Nat Settings" (see image for example) inside the configuration of a site-to-site IPsec VPN.
I have two separate subnets in my network, 192.168.1.x/24 and 192.168.21.x/24, and I would like both subnets, inside the VPN, to be NATed to 192.168.129.x/24 (Local_NATed_LAN).
It works only when using subnets with the same CIDR range (for example 192.168.1.0/24 NATed to 192.168.129.0/24). If I try using 192.168.0.0/16 as SF1_LAN (to include both subnets), nothing works.
Is it the right behaviour?
Thanks
Hi @Gianluca Maistri, when the IPsec gateways' local subnets are different, why do you want to NAT them to a single subnet?
The NAT option given in the IPsec config page is meant for this use case: when both IPsec gateways have the same LAN subnet, it is not possible to bring up the IPsec s2s tunnel; using the NAT option, the local subnet on one IPsec gateway (say gateway1) is translated to a new subnet (say subnet1), and the other IPsec gateway's (say gateway2) local subnet is translated into a new subnet (say subnet2). Now the local and remote subnets are different, which helps bring up the IPsec s2s tunnel.
Thanks Sreenivasulu Naidu for your answer.
Unfortunately, on the other side of the VPN I have the same subnets, 192.168.1.0/24 and 192.168.21.0/24, so I have to NAT them. I think that I must use two different translated subnets (one for 192.168.1.0 and one for 192.168.21.0). For now the supplier who manages the firewall on the other side has only provided me with one, so I wanted to NAT my two different subnets to the same subnet provided (192.168.129.0/35). I hope I have clarified the matter.
Ok, got it;
Please confirm this: are you trying to use a summarised network (192.168.1.x/24 and 192.168.21.x/24 summarised to 192.168.0.0/16) as 'Original subnet' (SF1_LAN)? And what are the networks used in Local_NATed_LAN (192.168.129.x/24) and Remote_NATed_LAN (?)?
IPsec NAT variation-wise, 1:1 NAT (IP to IP), Many:1 NAT (subnet to IP) and Many:Many NAT (subnet to subnet) are possible, but as far as I recall, the Many:Many NAT case with differing subnet sizes is not doable and the subnets need to be the same size. Need to check.
I confirm that SF1_LAN is 192.168.0.0; with this subnet I tried to summarize/catch subnets 192.168.1.x/24 and 192.168.21.x/24, translating them into Local_NATed_Lan 192.168.129.0/24.
Remote_NATed_Lan is 192.168.29.x /24.
Thanks.
While configuring the NAT (in the IPsec config), when the mouse is pointed at Network Address Translation (NAT), a pop-up is shown saying that the subnet size should be the same for the original and translated networks.
Differing original and translated subnet sizes will result in the data traffic being dropped by the firewall.
Ensure that you either have the same subnet size for original and translated, or keep the individual subnets (not the summarized one) and have two different NAT translations, one for each subnet.
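An added example (not from this thread or from Sophos) that models the behaviour described above: a subnet-to-subnet NAT rule only works when the original and translated prefixes have the same length, so the summarised /16 to /24 rule drops traffic, while two per-subnet /24 rules translate both networks. The second translated subnet, 192.168.130.0/24, is an assumed placeholder for the one the other side still has to provide.

```python
import ipaddress
from typing import List, Optional, Tuple

# A NAT rule is (original subnet, translated subnet), as in the IPsec NAT settings.
Rule = Tuple[str, str]

def nat_translate(src: str, original: str, translated: str) -> Optional[str]:
    """Apply one Many:Many (subnet-to-subnet) NAT rule to a source address.

    Returns the translated address, or None when the firewall would drop the
    packet because the original and translated subnets are not the same size.
    """
    orig = ipaddress.ip_network(original, strict=False)
    xlat = ipaddress.ip_network(translated, strict=False)
    host = ipaddress.ip_address(src)
    if host not in orig:
        return None  # rule does not apply to this source
    if orig.prefixlen != xlat.prefixlen:
        return None  # differing subnet sizes: traffic is dropped
    # 1:1 mapping inside the subnet: keep the host bits, swap the network bits.
    host_bits = int(host) & int(orig.hostmask)
    return str(ipaddress.ip_address(int(xlat.network_address) | host_bits))

def apply_rules(src: str, rules: List[Rule]) -> Optional[str]:
    """First rule whose original subnet contains src decides the outcome."""
    for original, translated in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(original, strict=False):
            return nat_translate(src, original, translated)
    return None  # no rule matched

# The summarised configuration from the question: /16 translated to /24 (dropped).
SUMMARIZED_RULES: List[Rule] = [("192.168.0.0/16", "192.168.129.0/24")]

# The working configuration: one translation per subnet, same prefix length.
# 192.168.130.0/24 is an assumed placeholder for the second translated subnet.
PER_SUBNET_RULES: List[Rule] = [
    ("192.168.1.0/24", "192.168.129.0/24"),
    ("192.168.21.0/24", "192.168.130.0/24"),
]

if __name__ == "__main__":
    for src in ("192.168.1.10", "192.168.21.10"):
        print(src, "summarised ->", apply_rules(src, SUMMARIZED_RULES))
        print(src, "per-subnet ->", apply_rules(src, PER_SUBNET_RULES))
```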
Thanks Sreenivasulu Naidu for your answer. I'll ask IT on the other side to give me another "NAT translation".