NAT Over IPSec VPN in uOS 1.31

Zyxel_Claudia
Zyxel_Claudia Posts: 126  Zyxel Employee
Network Detective-New Adventure Badge Network Detective Badge First Comment Friend Collector
edited February 14 in Other Topics

The NAT Over IPSec VPN feature in uOS 1.31 allows network administrators to use Network Address Translation (NAT) inside an IPSec VPN tunnel. This is crucial for:

This feature is now available for policy-based VPNs, while route-based VPNs have already supported NAT in previous versions.

1. Type of Types of NAT Over IPSec VPN

SNAT = Outbound SNAT

  • SNAT can translate a subnet or a single IP to a single mapped IP

1:1 NAT = Outbound SNAT + Inbound DNAT

  • This requires a single IP-to-single IP or subnet-to-subnet mapping with a 1:1 ratio

2. NAT Over IPSec VPN Scenarios

There are two main reasons to use NAT within an IPSec VPN tunnel:

Scenario 1: Concealing Internal Network Subnets

  • Used when you do not want the remote site to see your real internal subnet
  • Example:
    • Actual internal IP: 192.168.10.0/24
    • NAT-mapped IP for VPN peer: 192.168.118.0/24

Scenario 2: Avoiding Overlapping Subnets

  • Used when both networks have the same subnet range
  • Example:
    • Site A Local Network:192.168.169.0/24
    • Site B Local Network:192.168.169.0/24 (Overlapping)

Using NAT, Site A can map its subnet to 192.168.30.0/24 before sending over VPN.

3. How to Setup NAT Over IPSec VPN

Example: VPN from Branch A to Branch B with Hidden Subnets

  • Branch A:192.168.10.0/24 → NAT to 192.168.118.0/24

Configuration Steps:

  • Create Policy-Based VPN Rules for each branch
  • Specify the NAT subnet in the Local Subnet field
  • In Advanced Settings, enable SNAT
  • Define the "Original" and "Mapped" subnets on Branch A
    Original IP: 192.168.10.0/24 and Mapped IP: 192.168.118.10/32 with SNAT.

4. How to Setup Overlapping Subnets Using NAT Over IPSec VPN

Example: Site A & Site B Both Use 192.168.169.0/24 VPN Networks are overlapping

  • Site A:192.168.169.0/24 → NAT to 192.168.20.0/24
  • Site B:192.168.169.0/24 → NAT to 192.168.30.0/24

Configuration Steps:

  • Create Policy-Based VPN Rules for each branch
  • Specify the NAT subnet in the Local Subnet field
  • In Advanced Settings, enable 1: 1 NAT
  • Define the "Original" and "Mapped" subnets on both sites
    Site A Original IP: 192.168.169.0/24 and Mapped IP: 192.168.20.0/24 with 1:1 NAT
    Site B Original IP: 192.168.169.0/24 and Mapped IP: 192.168.30.0/24 with 1:1 NAT

Now, Site A and Site B communicate using their NAT IPs without conflicts.

Tagged:

Categories

EnglishTiếng ViệtРусскийไทย中文(台灣)