NAT Over IPSec VPN in uOS 1.31

Zyxel_Claudia (Zyxel Employee)
edited February 3 in Other Topics

The NAT Over IPSec VPN feature in uOS 1.31 allows network administrators to use Network Address Translation (NAT) inside an IPSec VPN tunnel. This is crucial for:

This feature is now available for policy-based VPNs, while route-based VPNs have already supported NAT in previous versions.

1. Types of NAT Over IPSec VPN

SNAT = Outbound SNAT

  • SNAT can translate a subnet or a single IP to a single mapped IP

1:1 NAT = Outbound SNAT + Inbound DNAT

  • This requires a single IP-to-single IP or subnet-to-subnet mapping with a 1:1 ratio

2. NAT Over IPSec VPN Scenarios

There are two main reasons to use NAT within an IPSec VPN tunnel:

Scenario 1: Concealing Internal Network Subnets

  • Used when you do not want the remote site to see your real internal subnet
  • Example:
    • Actual internal IP: 192.168.10.0/24
    • NAT-mapped IP for VPN peer: 192.168.118.0/24

Scenario 2: Avoiding Overlapping Subnets

  • Used when both networks have the same subnet range
  • Example:
    • Site A Local Network: 192.168.169.0/24
    • Site B Local Network: 192.168.169.0/24 (overlapping)

Using NAT, Site A can map its subnet to 192.168.30.0/24 before sending over VPN.

3. How to Setup NAT Over IPSec VPN

Example: VPN from Branch A to Branch B with Hidden Subnets

  • Branch A: 192.168.10.0/24 → NAT to 192.168.118.0/24

Configuration Steps:

  • Create Policy-Based VPN Rules for each branch
  • Specify the NAT subnet in the Local Subnet field
  • In Advanced Settings, enable SNAT
  • Define the "Original" and "Mapped" subnets on Branch A
    Original IP: 192.168.10.0/24 and Mapped IP: 192.168.118.10/32 with SNAT.

4. How to Setup Overlapping Subnets Using NAT Over IPSec VPN

Example: Site A and Site B both use 192.168.169.0/24, so the VPN networks overlap

  • Site A: 192.168.169.0/24 → NAT to 192.168.20.0/24
  • Site B: 192.168.169.0/24 → NAT to 192.168.30.0/24

Configuration Steps:

  • Create Policy-Based VPN Rules for each branch
  • Specify the NAT subnet in the Local Subnet field
  • In Advanced Settings, enable 1:1 NAT
  • Define the "Original" and "Mapped" subnets on both sites
    Site A Original IP: 192.168.169.0/24 and Mapped IP: 192.168.20.0/24 with 1:1 NAT
    Site B Original IP: 192.168.169.0/24 and Mapped IP: 192.168.30.0/24 with 1:1 NAT

Now, Site A and Site B communicate using their NAT IPs without conflicts.
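To make the address rewriting in sections 3 and 4 concrete, here is an added Python model (not uOS code and not part of the original post) that applies SNAT or 1:1 NAT to a packet at each tunnel end and checks that the Mapped subnets do not overlap. The site names, host addresses and the `VpnNatSite` class are constructed for illustration; the subnets are the ones used in the post.

```python
import ipaddress

def map_1to1(addr, original, mapped):
    """1:1 NAT: keep the host bits of addr, swap original's network bits for mapped's.
    Both subnets must be the same size, which is the 1:1 ratio the post requires."""
    if original.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT needs equally sized Original and Mapped subnets")
    if addr not in original:
        raise ValueError(f"{addr} is outside the Original subnet {original}")
    return mapped.network_address + (int(addr) - int(original.network_address))

class VpnNatSite:
    """NAT applied at one policy-based VPN site (constructed model, not uOS code)."""
    def __init__(self, name, original, mapped, mode):
        self.name, self.mode = name, mode                  # mode: "snat" or "1to1"
        self.original = ipaddress.ip_network(original)     # real internal subnet
        self.mapped = ipaddress.ip_network(mapped)         # subnet the VPN peer sees
        if mode == "snat" and self.mapped.num_addresses != 1:
            raise ValueError("SNAT maps the subnet to a single mapped IP (a /32)")

    def outbound(self, src, dst):
        """Packet entering the tunnel: the source is rewritten (SNAT in both modes)."""
        src = ipaddress.ip_address(src)
        if self.mode == "snat":
            return str(self.mapped.network_address), str(dst)
        return str(map_1to1(src, self.original, self.mapped)), str(dst)

    def inbound(self, src, dst):
        """Packet leaving the tunnel: only 1:1 NAT has the inbound DNAT half."""
        if self.mode == "snat":
            raise ValueError("SNAT is outbound only; the peer cannot reach hidden hosts")
        dst = ipaddress.ip_address(dst)
        return str(src), str(map_1to1(dst, self.mapped, self.original))

def overlapping_pairs(*networks):
    """Pairs of subnets that overlap; Mapped ranges must stay disjoint for the VPN selectors."""
    nets = [ipaddress.ip_network(str(n)) for n in networks]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

def overlapping_sites_roundtrip():
    """Section 4 scenario: both sites use 192.168.169.0/24; A maps to .20.0/24, B to .30.0/24."""
    a = VpnNatSite("Site A", "192.168.169.0/24", "192.168.20.0/24", "1to1")
    b = VpnNatSite("Site B", "192.168.169.0/24", "192.168.30.0/24", "1to1")
    assert overlapping_pairs(a.original, b.original)        # the real subnets collide...
    assert not overlapping_pairs(a.mapped, b.mapped)        # ...the mapped ones must not
    hop1 = a.outbound("192.168.169.5", "192.168.30.7")      # host .5 at A talks to host .7 at B
    hop2 = b.inbound(*hop1)                                 # B restores its real destination
    return hop1, hop2

if __name__ == "__main__":
    print(overlapping_sites_roundtrip())
```

The model also shows why section 3's SNAT-only setup hides Branch A's hosts: there is no inbound mapping, so Branch B can only answer traffic that Branch A initiated.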
