Troubles with DNAT

simonebllc · August 2023

I setup 2 Phase 2 VPN NATTED with the same GW (Phase1) in IKEv2. The Topology is this:

LOCAL LAN1 192.168.7.0/24 → NATTED ON 10.64.33.0/24 - REMOTE SUBNET 172.28.0.0/16

LOCAL LAN2 172.16.69.0/24 → NATTED ON 10.64.34.0/24 - REMOTE SUBNET 172.28.0.0/16

The 2 phases 2 go Online but only 1 DNAT works, the second one nope… Where i mistake?

If I disable the working one the other starts to work. The one that works is random, sometimes LAN1, sometimes LAN2

Sorry for my bad English…

PeterUK · August 2023

One of the destinations needs to change so that

LAN1 192.168.7.0/24 SNAT ON 10.64.33.0/24 - destination 172.28.0.0/16

LAN2 172.16.69.0/24 SNAT ON 10.64.34.0/24 - destination 172.29.0.0/16

You then need to change local/remote policy to match

Zyxel_Emily · August 2023

Hi @simonebllc,

The original IP and mapped IP in DNAT setting cannot be subnet. You should set IP one by one.

simonebllc · August 2023

https://community.zyxel.com/en/discussion/comment/56003#Comment_56003

Hi Emily, this is false because if I activate only one Phase2 everything goes well.

simonebllc · August 2023

https://community.zyxel.com/en/discussion/comment/55987#Comment_55987

Hi Peter, I tryed using in the remote Subnet 172.28.0.100/32 and 172.28.0.101/32 but with no success. The problem is always the same. Only 1 works randomly. Sometimes 172.28.0.100 and if I disable that phase2 starts to work the other.

Troubles with DNAT

All Replies

Categories

Security Highlight

Security Help Center