[NEBULA] IPsec VPN Site to Site behind double nat with USG

walvarez

Hi guys, i have two device, an USG-310 and an USG-60 respectivaly, USG-310 is in site A with public IP in your WAN, USG-60 is in site B behind double NAT, first is a router de ISP giving IPs private and continue other router TP-Link giving IPs private again.

¿This scenario is possible?, ¿what is the procedure of cofiguration?

Here's my topology:
site1: USG-310 with Public IP <--> Internet <--> Router <-PI-> Router <-PI-> site 2: USG-60 with Private IP

PI: Private ip

Thanks for your reply.

Nebula Moderator

Dear walvarez, welcome to Nebula Forum!

We have moved your post from Nebula Security Gateway to General Discussion category due to your post is related to USG models.
Nebula Forum is used to provide support and knowledge of Nebula Cloud Solution products exclusively. However, we are open and encourage to discuss general networking issues, opening the opportunity for the community members to help as much as they can.

If you required specialized technical assistance for your non-nebula device, we strongly recommend you to submit a support ticket through the Support Service portal in ZyXEL website or refer to Zyxel local support in your country if available.

Thank you!

RUnglaube

Is the first Router managed by you? or is this router forwarding the traffic to the TP-Link?

I think you just need to create NAT-T for both Router and use the public IPs to establish the VPN site-2-site

JohnM

@walvarez I'm wondering why do you want to connect the USG behind the TP-Link? If possible, the USG can be perfectly placed right after the ISP router/modem and you can either place the TP-link behind the USG or also connected to the ISP device.

I know it's possible to create VPNs under this scenarios if routers provide the option IPSEC passthrough or bridge mode, but not sure if all devices support those functions.

Iwannaquitthegym

Hi @walvarez for USG-310 and 60, you need to configure the IPsec VPN as usual, even using the quick setup wizard you will find in the local GUI. Once you are done with the wizard, you need to go to Configuration > VPN > IPSec VPN > VPN Gateway > Show Advanced Settings and select "any" in Authentication > Peer ID Type for both USGs.

For the routers that you have in front of the USG-60, you need to create a port mapping of UDP ports 4500 and 500 (IKE & NATT respectively). Thus, ISP router needs to map from the public IP to the WAN of your TP-Link, and the TP-Link needs to map from its WAN IP address to the WAN of the USG60, and voila!

source: http://support.zyxel.eu/Support/30062/30085/en-GB/Article/View/56698/How-to-configure-IPSec-Site-to-Site-VPN-while-one-Site-is-behind-a-NAT-router-kb-id-015405-en-GB/0

PD: the source explains the scenario with only one router but you just need to repeat the procedure for a second one.

walvarez

RUnglaube wrote: »

Is the first Router managed by you? or is this router forwarding the traffic to the TP-Link?

I think you just need to create NAT-T for both Router and use the public IPs to establish the VPN site-2-site

Runglaube, no ! no is router managed for me, this is of ISP.

RUnglaube

walvarez wrote: »

Runglaube, no ! no is router managed for me, this is of ISP.

Then you can try by just configuring the port mapping on the TP-LINK as @Iwannaquitthegym suggested , hopefully the ISP router is forwarding all the inbound traffic to the private network or they might have it in bridge mode as @JohnM mentioned.