VPN IPSEC with a nat-enabled router

Cava Posts: 7
edited April 14 in Security
Hi. I've a litte question about a VPN problem.
The situation is this:
Internet =70.4.... (with 1 public static IP)  => Fiber routrer  == 192.168.1.x ==> USG110 ==192.168.10.x= => LAN
The customer has another person that needs to connect to the lan. I tried with SSL VPN and it worked fine (I natted all ports from router to firewall), but my boss sold them the IPSEC license. I tried the autoconfiguration but, when I download the cofiguration from the client, it sets the destination IP the wan IP of the firewall ( and not the external one. So the client won't work. If I manually the remote gateway on the client with the public IP, everything stops after "sending phase 1 ID".
Unfortunatly I cannot put the pubblic IP on firewall's wan
I read some docs, but I cannot find my actual situation to search any hint for the config

All Replies

  • Alfonso
    Alfonso Posts: 257  Master Member
    Hi @Cava

    In your scenario, the VPN must be established via the public ip address, so the following configuration  must be done on the fiber router:

    - Static NAT:
       Source: Public IP address on the fiber router
       Destination: 192.168.1X (WAN USG110)
       Port: 500 UDP, 4500 UDP
       And the IP protocols: ESP (Ip protocol 50) and AH (ip protocol 51).

    Best regards

  • Cava
    Cava Posts: 7
    Thanks. There was a rule for a video conference sw that was natting the 4500 on another network.

Security Highlight