Implement NAT over IPSec VPN by Policy Based VPN

Zyxel_Kevin (Zyxel Employee)
edited February 5 in VPN

Topology & Scenario:

Your headquarters may have many IPsec VPN tunnels to branch offices; however, all branch offices use the same subnet, for example 192.168.11.0/24.

To make this work, each branch needs a fake (translated) subnet to represent it, so that the headquarters only ever knows the fake subnet.

For example:

192.168.100.0/24 → Branch A

192.168.101.0/24 → Branch B

Purpose

There are many possible application scenarios, each needing different settings.

This article configures the settings to meet the following goals:

1) 192.168.11.0/24 can access the HQ service 192.168.1.33

2) 192.168.1.33 can access 192.168.100.0/24

The settings of HQ:

Basic IPsec settings; the remote policy is the fake subnet rather than the real one.

The settings of Branch:

Basic IPsec settings; the local policy is the fake subnet.

Outbound SNAT:

Source-translate traffic from 192.168.11.0/24 to 192.168.100.0/24, since the HQ site only knows the fake subnet.

Destination NAT:

Destination-translate traffic sent to 192.168.100.0/24 into 192.168.11.0/24.

A policy route forces traffic from src 192.168.11.0/24 to dst 192.168.1.0/24 into the VPN tunnel.

Otherwise, traffic to 192.168.1.0/24 would not enter the tunnel, because the phase 2 policy does not match it.

Verification

1) 192.168.11.0/24 can access the HQ service 192.168.1.33

2) 192.168.1.33 can access 192.168.100.0/24
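The two goals above can be checked offline with a small model of what the branch firewall does to each packet. This is an added example, not Zyxel code or configuration: it models the outbound SNAT, the inbound DNAT, the policy route and the phase 2 selectors as plain Python functions. It assumes a 1:1 subnet mapping that keeps the host part of the address, an HQ subnet of 192.168.1.0/24 (from the 192.168.1.33 service), and Branch B on 192.168.101.0/24 as in the example list; all packets are constructed.

```python
# Added example (not Zyxel's own code or configuration): a plain-Python
# model of the branch firewall's outbound SNAT, inbound DNAT and phase 2
# selectors from the post, so the two goals can be checked offline.
# Assumptions: the NAT is a 1:1 subnet mapping that keeps the host part,
# the HQ subnet is 192.168.1.0/24, and Branch B uses 192.168.101.0/24.
import ipaddress
from dataclasses import dataclass, replace

ip = ipaddress.ip_address
net = ipaddress.ip_network

REAL_LAN = net("192.168.11.0/24")    # real LAN, identical at every branch
FAKE_A = net("192.168.100.0/24")     # fake subnet HQ knows Branch A by
FAKE_B = net("192.168.101.0/24")     # fake subnet HQ knows Branch B by
HQ_LAN = net("192.168.1.0/24")       # HQ side of the phase 2 policy (assumed)
HQ_SERVICE = ip("192.168.1.33")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def translate(addr, from_net, to_net):
    """1:1 subnet NAT: swap the network bits, keep the host bits (assumption)."""
    host = int(addr) - int(from_net.network_address)
    return to_net.network_address + host


def phase2_match(pkt, local, remote):
    """Does the packet fall inside the tunnel's local/remote phase 2 policy?"""
    return pkt.src in local and pkt.dst in remote


def branch_outbound(pkt, fake=FAKE_A, snat=True):
    """Branch firewall handling a LAN packet toward HQ.

    The policy route sends src 192.168.11.0/24 -> dst 192.168.1.0/24 to the
    tunnel; the tunnel then only carries packets matching its phase 2 policy
    (local = fake subnet). Returns the packet as it enters the tunnel, or
    None when it does not match, which is what happens without the SNAT.
    """
    if not (pkt.src in REAL_LAN and pkt.dst in HQ_LAN):
        return None                      # not covered by the policy route
    if snat:
        pkt = replace(pkt, src=translate(pkt.src, REAL_LAN, fake))
    return pkt if phase2_match(pkt, fake, HQ_LAN) else None


def branch_inbound(pkt, fake=FAKE_A):
    """Branch firewall handling a packet leaving the tunnel: DNAT fake -> real."""
    if not phase2_match(pkt, HQ_LAN, fake):
        return None
    return replace(pkt, dst=translate(pkt.dst, fake, REAL_LAN))


def hq_branch_for(addr):
    """What HQ sees: the fake subnet, not the real one, identifies the branch."""
    for fake, name in ((FAKE_A, "Branch A"), (FAKE_B, "Branch B")):
        if addr in fake:
            return name
    return None


def goal1(real_host="192.168.11.20"):
    """Goal 1: a branch host reaches 192.168.1.33 and the reply comes back.

    Returns (source address HQ sees, destination the reply is delivered to).
    """
    out = branch_outbound(Packet(ip(real_host), HQ_SERVICE))
    if out is None:
        return None
    reply = Packet(HQ_SERVICE, out.src)  # HQ answers the fake address
    back = branch_inbound(reply)
    return (str(out.src), str(back.dst) if back else None)


def goal2(fake_host="192.168.100.50"):
    """Goal 2: HQ initiates to the fake subnet and lands on the real host."""
    back = branch_inbound(Packet(HQ_SERVICE, ip(fake_host)))
    return str(back.dst) if back else None


if __name__ == "__main__":
    print("goal 1:", goal1())           # ('192.168.100.20', '192.168.11.20')
    print("goal 2:", goal2())           # 192.168.11.50
    untranslated = branch_outbound(Packet(ip("192.168.11.20"), HQ_SERVICE), snat=False)
    print("without SNAT:", untranslated)  # None: real source misses the phase 2 policy
    print("HQ sees:", hq_branch_for(ip("192.168.101.7")))  # Branch B
```

The `snat=False` call shows the failure mode the post warns about: with the real source address left in place, the packet does not match the phase 2 policy (local = fake subnet) and never enters the tunnel, which is why the SNAT and the policy route have to be configured together.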
