[NEBULA] IPsec VPN Site to Site behind double nat with USG

walvarez
walvarez Posts: 2  Freshman Member
edited April 2021 in Nebula
Hi guys, I have two devices, a USG-310 and a USG-60 respectively. The USG-310 is at site A with a public IP on its WAN. The USG-60 is at site B behind double NAT: first there is an ISP router giving out private IPs, followed by another router, a TP-Link, giving out private IPs again.

Is this scenario possible? What is the configuration procedure?

Here's my topology:
site1: USG-310 with Public IP <--> Internet <--> Router <-PI-> Router <-PI-> site 2: USG-60 with Private IP

PI: Private IP

Thanks for your reply.

Comments

  • Nebula Moderator
    Nebula Moderator Posts: 127  Zyxel Employee
    Dear walvarez, welcome to Nebula Forum!

    We have moved your post from the Nebula Security Gateway category to the General Discussion category because your post is related to USG models.
    Nebula Forum is used to provide support and knowledge of Nebula Cloud Solution products exclusively. However, we are open to and encourage discussion of general networking issues, giving community members the opportunity to help as much as they can.

    If you require specialized technical assistance for your non-Nebula device, we strongly recommend that you submit a support ticket through the Support Service portal on the ZyXEL website or refer to Zyxel local support in your country if available.

    Thank you!
    Nebula Forum Moderator
  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    Is the first router managed by you? Or is this router forwarding the traffic to the TP-Link?

    I think you just need to create NAT-T for both routers and use the public IPs to establish the site-to-site VPN.
    "You will never walk along"
  • JohnM
    JohnM Posts: 21  Freshman Member
    @walvarez I'm wondering why you want to connect the USG behind the TP-Link. If possible, the USG can be perfectly placed right after the ISP router/modem, and you can either place the TP-Link behind the USG or also connect it to the ISP device.

    I know it's possible to create VPNs in these scenarios if the routers provide the IPsec passthrough option or bridge mode, but I'm not sure if all devices support those functions.
  • walvarez
    walvarez Posts: 2  Freshman Member
    RUnglaube wrote: »
    Is the first router managed by you? Or is this router forwarding the traffic to the TP-Link?

    I think you just need to create NAT-T for both routers and use the public IPs to establish the site-to-site VPN.

    RUnglaube, no! The router is not managed by me; it belongs to the ISP.
  • RUnglaube
    RUnglaube Posts: 135  Ally Member
    walvarez wrote: »
    RUnglaube, no! The router is not managed by me; it belongs to the ISP.

    Then you can try just configuring the port mapping on the TP-Link, as @Iwannaquitthegym suggested. Hopefully the ISP router is forwarding all the inbound traffic to the private network, or they might have it in bridge mode, as @JohnM mentioned.
    "You will never walk along"
