Implement NAT over IPsec VPN with a Policy-Based VPN

Zyxel_Kevin Posts: 765  Zyxel Employee
edited February 5 in VPN

Topology & Scenario:

Your headquarters may have many IPsec VPN tunnels to branch offices; however, all of the branch offices use the same subnet, for example

To make this work, each branch needs a fake (translated) subnet that represents it, so that the headquarters only ever sees the fake subnet.

For example: → Branch A → Branch B


There are many possible application scenarios, each with different settings.

This article configures the settings according to the following goals:

1) The can access the HQ service

2) can access

The settings of HQ:

Simple IPsec settings; the remote policy is the fake subnet rather than the real one.

The settings of Branch:

Simple IPsec settings; the local policy is the fake subnet.

Outbound SNAT:

Source-translates traffic from to , since the HQ site only knows the fake subnet.

Destination NAT:

Destination-translates traffic sent to so that it is delivered to .

The policy route forces traffic with src: dst: into the VPN tunnel.

Otherwise, traffic to would not enter the tunnel, because it does not match the phase 2 policy (the local policy is the fake subnet, not the real one).
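To make the ordering concrete, here is an added model of the branch firewall's packet handling. It is example code written for this article, not Zyxel configuration or Zyxel code, and every address in it is constructed: HQ LAN 10.0.0.0/24, the real branch LAN 192.168.1.0/24 shared by every branch, and fake subnets 10.10.1.0/24 for Branch A and 10.10.2.0/24 for Branch B. It also assumes the SNAT/DNAT is a 1:1 network translation that keeps the host part of the address, which the post does not state. The model shows why the SNAT must happen before the phase 2 selector is checked, why HQ can now tell two branches apart even though their real LANs are identical, and how the DNAT on the branch side makes the return traffic (and HQ-initiated traffic to the fake subnet) land on the real host.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses; none of these come from the original post.
HQ_LAN = ipaddress.ip_network("10.0.0.0/24")
BRANCH_REAL = ipaddress.ip_network("192.168.1.0/24")      # identical on every branch
BRANCH_FAKE = {
    "A": ipaddress.ip_network("10.10.1.0/24"),
    "B": ipaddress.ip_network("10.10.2.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def netmap(addr, from_net, to_net):
    """1:1 network translation (assumed): keep the host bits, swap the network bits."""
    if addr not in from_net:
        return addr
    offset = int(addr) - int(from_net.network_address)
    return to_net.network_address + offset


def phase2_matches(pkt, local_net, remote_net):
    """Phase 2 traffic selector: local policy -> remote policy."""
    return pkt.src in local_net and pkt.dst in remote_net


def branch_outbound(pkt, branch, apply_snat=True):
    """Branch firewall, LAN -> tunnel direction.

    Returns (verdict, packet as it leaves the firewall). The policy route matches
    src=real LAN, dst=HQ LAN and forces the packet toward the tunnel; the SNAT
    rewrites the source into the branch's fake subnet *before* the selector check.
    """
    fake = BRANCH_FAKE[branch]
    if pkt.src in BRANCH_REAL and pkt.dst in HQ_LAN:
        if apply_snat:
            pkt = Packet(netmap(pkt.src, BRANCH_REAL, fake), pkt.dst)
        # Branch phase 2 policy: local = fake subnet, remote = HQ LAN.
        if phase2_matches(pkt, fake, HQ_LAN):
            return "tunnel", pkt
        # Without SNAT the real source never matches the selector, so the packet
        # never enters the tunnel (exactly the failure the post warns about).
        return "no_selector_match", pkt
    return "wan", pkt


def branch_inbound(pkt, branch):
    """Branch firewall, tunnel -> LAN direction: DNAT fake subnet -> real LAN."""
    fake = BRANCH_FAKE[branch]
    if pkt.src in HQ_LAN and pkt.dst in fake:
        return Packet(pkt.src, netmap(pkt.dst, fake, BRANCH_REAL))
    return pkt


def hq_identify_branch(pkt):
    """At HQ, the fake source subnet is the only thing that distinguishes branches."""
    for name, fake in BRANCH_FAKE.items():
        if pkt.src in fake:
            return name
    return None


def round_trip(branch, real_host, hq_host):
    """Goal 1: a real branch host reaches an HQ service and gets the reply back."""
    out_verdict, out_pkt = branch_outbound(Packet(real_host, hq_host), branch)
    if out_verdict != "tunnel":
        return out_verdict, None
    seen_as = hq_identify_branch(out_pkt)
    reply = Packet(out_pkt.dst, out_pkt.src)          # HQ answers the fake address
    delivered = branch_inbound(reply, branch)          # DNAT back to the real host
    return seen_as, delivered.dst


if __name__ == "__main__":
    a_host = ipaddress.ip_address("192.168.1.20")
    svc = ipaddress.ip_address("10.0.0.5")
    print("Branch A:", round_trip("A", a_host, svc))
    print("Branch B:", round_trip("B", a_host, svc))   # same real host, different fake
    print("No SNAT :", branch_outbound(Packet(a_host, svc), "A", apply_snat=False)[0])
```

The same host address 192.168.1.20 is sent from Branch A and Branch B; HQ sees 10.10.1.20 and 10.10.2.20 and can route its replies to the right tunnel, and each branch's DNAT turns the reply back into 192.168.1.20. Dropping the SNAT (`apply_snat=False`) leaves the real source in the packet, which fails the branch's phase 2 selector, matching the behaviour described above.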

With the settings above, both goals can be verified:

1) The can access the HQ service

2) can access