EdgeRouter - Site-to-Site IPsec VPN with Many-to-One Source NAT


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN while also translating the internal subnet range using Many-to-One Source NAT (Network Address Translation).

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Configuring a Policy-Based VPN with Many-to-One Source NAT 
  4. Related Articles

FAQ



1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec

2. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

3. What is the difference between Many-to-One NAT, PAT (Port Address Translation), Masquerade and NAT Overload?

All of these are just different names for the same NAT feature, which translates multiple internal addresses to a single outside address.

4. What Site-to-Site VPN types are compatible with Many-to-One NAT?

Policy-Based, Route-Based and GRE over IPsec Site-to-Site VPNs are compatible with Many-to-One NAT. 


Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-L

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

ER-R

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24

(Figure: topology.png, the network topology described above)

The 192.168.1.0/24 subnet will be translated to the 10.0.255.1 address using NAT Masquerade.


Configuring a Policy-Based VPN with Many-to-One Source NAT 



There are four NAT address types, which can be viewed in the NAT translation table:

  • Pre-NAT source - The local IP address before NAT translation.
  • Post-NAT source - The local IP address after NAT translation.
  • Pre-NAT destination - The remote IP address before NAT translation.
  • Post-NAT destination - The remote IP address after NAT translation.

show nat translations source detail
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.168.1.10:3712    172.16.1.10:3389   10.0.255.1:3712      172.16.1.10:3389
192.168.1.11:1058    172.16.1.10:3389   10.0.255.1:1058      172.16.1.10:3389

CLI: Access the command line interface on ER-L. You can do this using the CLI button in the GUI or by using a program such as PuTTY.
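As an added check that is not part of the original article, the script below parses output in the layout of the table above and flags any flow to the remote subnet whose source was translated to something other than 10.0.255.1 (which happens, for example, when a more general masquerade rule is ordered ahead of the tunnel's NAT rule). The table rows, including the third mistranslated flow, are constructed for the example.

```python
from ipaddress import ip_address, ip_network

NAT_ADDRESS = ip_address("10.0.255.1")       # outside-address of the NAT rule
REMOTE_SUBNET = ip_network("172.16.1.0/24")  # remote prefix of the tunnel

# Constructed sample in the layout of `show nat translations source detail`.
# The third row is a constructed misconfiguration: a flow to the remote subnet
# that was masqueraded to the WAN address instead of 10.0.255.1.
NAT_TABLE = """\
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.168.1.10:3712    172.16.1.10:3389   10.0.255.1:3712      172.16.1.10:3389
192.168.1.11:1058    172.16.1.10:3389   10.0.255.1:1058      172.16.1.10:3389
192.168.1.12:4433    172.16.1.20:443    203.0.113.1:4433     172.16.1.20:443
"""

def parse_translations(text):
    """Return rows as (pre_src, pre_dst, post_src, post_dst), each (ip, port)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = [c.rsplit(":", 1) for c in line.split()]
        rows.append(tuple((ip_address(ip), int(port)) for ip, port in cols))
    return rows

def mistranslated_flows(rows):
    """Flows to the remote subnet whose source did not become NAT_ADDRESS;
    such packets do not match the tunnel's 10.0.255.1/32 local prefix."""
    return [r for r in rows if r[1][0] in REMOTE_SUBNET and r[2][0] != NAT_ADDRESS]

def internal_hosts_behind(rows):
    """Distinct pre-NAT hosts sharing NAT_ADDRESS (the 'many' in many-to-one)."""
    return {r[0][0] for r in rows if r[2][0] == NAT_ADDRESS}
```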

1. Enter configuration mode.

configure

2. Disable the auto-firewall-nat-exclude feature.

set vpn ipsec auto-firewall-nat-exclude disable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peering address (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the remote peer and define the local and remote subnets.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.0.255.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

NOTE: The local subnet needs to be set to the address that will be used for the NAT translation.

7. Add firewall rules for the IPsec traffic to the WAN_LOCAL firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description ike
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description esp
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description nat-t
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description ipsec
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

8. Add a firewall rule for the IPsec traffic to the WAN_IN firewall policy.

set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description ipsec
set firewall name WAN_IN rule 60 source address 172.16.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec

9. Add the source NAT rule that translates the internal range to the 10.0.255.1 address.

set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 10.0.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source

10. Commit the changes and save the configuration.

commit ; save
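The procedure above ties three things together: the NAT exclusion must be disabled (step 2), the tunnel's local prefix must equal the NAT outside-address (step 6 and its NOTE), and the NAT rule's destination must equal the tunnel's remote prefix (step 9). The following script, added here and not part of the article or of EdgeOS, parses `set` commands in the form shown above (as `show configuration commands` prints them) and reports any of those invariants that do not hold; the embedded configuration is constructed from the ER-L commands on this page.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: the ER-L `set` commands from this page as they would
# appear in `show configuration commands` output, trimmed to the checked lines.
ERL_CONFIG = """\
set vpn ipsec auto-firewall-nat-exclude disable
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 10.0.255.1/32
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outside-address address 10.0.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source
"""

def parse_set_commands(text):
    """Map each `set <path...> <value>` line to {path_tuple: value}."""
    return {tuple(p[1:-1]): p[-1] for p in map(str.split, text.splitlines())
            if len(p) > 2 and p[0] == "set"}

def group(cfg, prefix, depth=1):
    """Group entries under `prefix` by their next `depth` path elements."""
    out, n = defaultdict(dict), len(prefix)
    for path, value in cfg.items():
        if path[:n] == prefix and len(path) > n + depth:
            out[path[n:n + depth]][" ".join(path[n + depth:])] = value
    return out

def check_vpn_nat(cfg):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    if cfg.get(("vpn", "ipsec", "auto-firewall-nat-exclude")) != "disable":
        findings.append("auto-firewall-nat-exclude is not disabled (step 2)")
    snat = [r for r in group(cfg, ("service", "nat", "rule")).values()
            if r.get("type") == "source" and "outside-address address" in r]
    # Each tunnel's local prefix must be the /32 of a source NAT rule whose
    # destination is that tunnel's remote prefix (the NOTE under step 6); else
    # traffic keeps its private source and never matches the IPsec policy.
    peers = group(cfg, ("vpn", "ipsec", "site-to-site", "peer"), depth=3)
    for (peer, kind, tun), t in peers.items():
        if kind != "tunnel":
            continue
        local, remote = ip_network(t["local prefix"]), ip_network(t["remote prefix"])
        if not any(ip_network(r["outside-address address"]) == local and
                   ip_network(r.get("destination address", "0.0.0.0/0")) == remote
                   for r in snat):
            findings.append(f"peer {peer} tunnel {tun}: no source NAT rule "
                            f"translates traffic for {remote} to {local}")
    return findings
```

Run `check_vpn_nat(parse_set_commands(text))` on a device's own `show configuration commands` output; an empty list means the configuration matches the page's procedure.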

GUI: Access the Graphical User Interface (GUI) on ER-R.

1. Define the IPsec peer and hashing/encryption methods.

VPN > IPsec Site-to-Site > +Add Peer

  • Check: Show advanced options
  • Check: Automatically open firewall and exclude from NAT

Peer: 203.0.113.1
Description: IPsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 10.0.255.1/32

Related Articles



EdgeRouter - Site-to-Site IPsec VPN with Many-to-Many Source NAT

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

