Source NAT through vpn tunnels


All Replies

  • valerio_vanni (Posts: 118, Ally Member)

    Yes, I made a summary of the working setup.

    After creating tunnel A2B2, I could remove the policy route on the A firewall; LAN C was already included in the VPN policy.

    But I still wonder if there are simpler ways.

    I don't understand why AB tunnel refuses traffic not belonging to its local-remote policies. This restriction would be triggered by the parameter "policy enforcement", but that parameter is set to "no".

  • zyman2008 (Posts: 223, Master Member)

    Hi @valerio_vanni ,

    I just tested on my sites to simulate the case.

    I found that a different setting of the policy route on site B, for the return traffic from C via B to A, will impact the route result.

    (1) Incoming - interface vti(B-C), src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.

    It doesn't work. (route traces show the outgoing interface is wan)

    (2) Incoming - any, src.: SUBNET-C, dst.: SUBNET-A, next-hop: Tunnel A-B.

    It works. (route traces show the outgoing interface is doll)

    Not sure why the difference in the incoming interface of the policy route impacts the route.

  • valerio_vanni (Posts: 118, Ally Member)

    Where you set "incoming - any", you could set tunnel BC (phase 2 bound to the VTI); in my setup that is the source that leads to doll instead of WAN1.

    There's something not symmetric: in my working setup, traffic goes out to the VTI object, and comes back from the tunnel object (trace reports "vpn id").

    Notice that in my setup there's no explicit rule in that direction, it's only return traffic of policy "source: tunnel AB - A LAN - dest tunnel BC - C LAN - SNAT to fakeb".
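    The asymmetry described in the two posts above (outbound traffic leaves through the VTI object, return traffic arrives on the tunnel object, so a policy route that matches only on incoming interface "vti(B-C)" misses it and the packet falls to the default route toward wan) can be modelled as a first-match policy-route lookup. The following is an added illustration, not Zyxel code or the thread's configuration: the subnets, the interface names, the "(vpn id)" incoming label and the default route are constructed assumptions chosen to mirror the two policy routes zyman2008 tested.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example subnets (assumption, not from the thread).
SUBNET_A = ipaddress.ip_network("10.1.0.0/24")
SUBNET_C = ipaddress.ip_network("10.3.0.0/24")

# Assumed default when no policy route matches: the ordinary routing table
# sends the packet out the wan interface, as the failing trace showed.
DEFAULT_NEXT_HOP = "wan"


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str                    # "any" or a specific interface/tunnel object
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    next_hop: str


@dataclass(frozen=True)
class Packet:
    incoming: str                    # interface object the packet was seen on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def route_lookup(rules, pkt, default=DEFAULT_NEXT_HOP):
    """First-match policy-route evaluation: incoming interface, then src, then dst."""
    for rule in rules:
        if rule.incoming != "any" and rule.incoming != pkt.incoming:
            continue                 # wrong incoming object: rule does not apply
        if pkt.src not in rule.src or pkt.dst not in rule.dst:
            continue
        return rule.next_hop
    return default


# The two policy routes zyman2008 compared, as constructed objects.
RULE_VTI_ONLY = PolicyRoute("vti(B-C)", SUBNET_C, SUBNET_A, "Tunnel A-B")   # setting (1)
RULE_ANY = PolicyRoute("any", SUBNET_C, SUBNET_A, "Tunnel A-B")             # setting (2)

# Return packet from LAN C to LAN A. Assumption, following valerio_vanni's
# trace: it is seen on the tunnel object ("vpn id"), not on the VTI object.
RETURN_PKT = Packet("tunnel B-C (vpn id)",
                    ipaddress.ip_address("10.3.0.10"),
                    ipaddress.ip_address("10.1.0.10"))


def compare_settings(pkt=RETURN_PKT):
    """Return the next hop chosen under each policy-route setting."""
    return {
        "vti_only": route_lookup([RULE_VTI_ONLY], pkt),
        "any": route_lookup([RULE_ANY], pkt),
    }


if __name__ == "__main__":
    for name, hop in compare_settings().items():
        print(f"incoming={name:8s} -> next hop {hop}")
```

    The model only captures the matching logic, so the practical check it suggests is to confirm with the device's own route trace which object the return traffic is actually attributed to before deciding whether an "incoming - any" rule is a fix or a workaround.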

  • PeterUK (Posts: 3,461, Guru Member)

    So have you changed B to C from Policy-Based to Route-Based VTI?

  • valerio_vanni (Posts: 118, Ally Member)
    edited December 23

    Yes, that was the first step.

    If, in route policy, you select a tunnel as destination, you cannot have SNAT-TO.

    It was a change only on the B side (C is not managed). But when you change the VPN from S2S to tunnel, local and remote policy disappear from the interface and are set to ANY/ANY.

    zyman2008's suggestion was to change, with the CLI, local and remote policy back to the original values, so the BC tunnel came back as before.

    And then I had the VTI interface to set as next hop with SNAT to FakeB.

    At that point traffic, routed by rule on B firewall, could go to C, with correct SNAT.

    But it came back only to B and not to A.

    With an explicit rule, it went to: WAN1 with source VTI, to doll with source BC tunnel (zyman2008 recent test confirms this).

    Without an explicit rule (so as return traffic from the rule on B), it went to doll.

    But "doll" [1] to my eyes meant "well" [2], traffic didn't go anywhere. It was not sent into any tunnel.

    AB tunnel refused traffic with C source, because it was outside its local-remote policy. Just as if I had set "policy enforcement", that I had not set.

    And I add that this had been only a guess, no event in logs suggested this.

    The second step was to create another tunnel, A2B2, with local policy LAN A and remote policy LAN C.

    [1] I'm curious what "doll" means in Zyxel terminology. The toy? Or is it an acronym?

    [2] https://en.wiktionary.org/wiki/well (etymology 2)
