EdgeRouter - IPsec Site-to-Site VPN with Many-to-One Source NAT


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN while also translating the internal subnet range using Many-to-One Source NAT (Network Address Translation). This type of setup is needed when IPsec peers only exchange a single address over the VPN. This address is then used by Source NAT to translate the entire internal subnet to a single address. This type of NAT configuration is often referred to as Many-to-One NAT, PAT (Port Address Translation), Masquerade or NAT Overload.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
Equipment used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Steps: Policy-Based VPN with Many-to-One Source NAT
  4. Steps: Testing & Verification
  5. Related Articles

FAQ



1. What is the difference between Many-to-One NAT, PAT (Port Address Translation), Masquerade and NAT Overload?

All of these are just different names for the same NAT feature, which translates multiple internal addresses to a single outside address. 

2. Can I also set up a site-to-site VPN to do a 1:1 translation between two subnet ranges (Many-to-Many NAT)? 
3. What site-to-site VPN types can be configured on EdgeOS when using Many-to-One NAT?

You can configure Policy-Based, Route-Based and GRE over IPsec site-to-site VPNs when using Many-to-One NAT. After setting up the tunnel, you can configure a source NAT rule with the virtual tunnel interface (vti or tun) as the outgoing interface.

4. What is the function of traffic offloading and how does it affect IPsec tunnels?

Offloading executes router functions directly in hardware, which greatly increases performance. If traffic is not offloaded, it is routed by the CPU with limited performance. Please see the Hardware Offloading article for more information.

Packets passed through an IPsec tunnel are eligible for offloading and thus routed via hardware when IPsec offloading is enabled. You can enable IPsec offloading via the Command Line Interface (CLI) with:

configure
set system offload ipsec enable
commit ; save

5. Do I need to create firewall and NAT rules for the IPsec traffic?

Yes, on the router where you are NATting the traffic. If you check the Automatically open firewall and exclude from NAT box in the Graphical User Interface (GUI), then the automatic firewall and NAT policies for IPsec will take priority over your manually defined rules.

6. What are the available encryption and hashing options (Security Associations / SAs) for Phase 1 (IKE) and Phase 2 (ESP)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128 
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

Please see the EdgeRouter - IPsec Site-to-Site VPN Additions and Changes (CLI) article for more information.

7. Can I configure these tunnels to use IKEv2 instead of IKEv1?

Yes, please see the EdgeRouter - IPsec Site-to-Site VPN Additions and Changes (CLI) article for more information.

8. How do I start troubleshooting if my VPN does not establish?
  • Send relevant traffic (ping) over the tunnel between two hosts located behind the EdgeRouters.
  • Verify the state of the VPN tunnel using the CLI.
  • Capture the IPsec traffic on the WAN interface using the CLI.
  • Analyze the VPN log messages.
  • Verify whether any host-based firewalls are blocking the (ping) traffic.

All of these verification steps are shown in the Testing & Verification section.


Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-R

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • NAT address - 10.0.255.1

ER-L

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24


Steps: Policy-Based VPN with Many-to-One Source NAT



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocols that are relevant to IPsec are:

  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T)

The type of VPN that will be created is called a Policy-Based VPN which uses remote and local subnets, otherwise known as proxy IDs. These values need to match exactly between the two peers and need to be mirror images of each other. Only the prefixes defined in the proxy IDs will be carried over the tunnel. In this case, the proxy ID for ER-R will be a single address (10.0.255.1), which will be used to translate the 192.168.1.0/24 range.

There are four NAT address types, which can be viewed in the NAT translation table:

  • Pre-NAT source - The local IP address before NAT translation
  • Post-NAT source - The local IP address after NAT translation
  • Pre-NAT destination - The remote IP address before NAT translation
  • Post-NAT destination - The remote IP address after NAT translation

show nat translations source detail
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.168.1.10:3712    172.16.1.10:3389   10.0.255.1:3712   172.16.1.10:3389 
192.168.1.11:1058    172.16.1.10:3389   10.0.255.1:1058   172.16.1.10:3389

In the example, only ER-R will be using NAT to translate the internal subnet range. Therefore, the destination address (server at 172.16.1.10) will be the same pre-NAT/post-NAT IP address. The source address will change from 192.168.1.10 and 192.168.1.11 to 10.0.255.1 and a random port. The configuration below will primarily focus on ER-R.

GUI: Access the Graphical User Interface (GUI).

1. Define the IPsec peer and Security Associations (SAs) on ER-R (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT

Peer: 192.0.2.1
Description: IPsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 10.0.255.1/32
Remote subnet: 172.16.1.0/24

ATTENTION: It is important not to check the box that automatically excludes the IPsec traffic from NAT. Custom NAT/firewall rules that serve this purpose will be created later on. The automatic exclusions take priority over all custom-created firewall rules and require a reboot to be completely removed (if previously enabled).

2. Define the IPsec peer and Security Associations (SAs) on ER-L (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Automatically open firewall and exclude from NAT

Peer: 203.0.113.1
Description: IPsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24 
Remote subnet: 10.0.255.1/32

CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the IPsec traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description IPsec
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

NOTE: Make sure that these rules do not override any existing firewall policies!

3. Add a firewall rule for the IPsec traffic to the inbound firewall policy.

set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description IPsec
set firewall name WAN_IN rule 60 source address 172.16.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec

4. Add the source NAT rule that translates the internal range to the VPN address.

set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 10.0.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source

NOTE: Make sure that this rule takes priority over any other NAT rules (such as the NAT masquerade rule). The default NAT masquerade rule has a priority (rule number) of 5010.
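The following is an added example, not EdgeOS code or part of the original article. It models first-match source NAT rule evaluation as described for rule 5000 and the masquerade rule 5010, then checks whether the translated flow still falls inside the tunnel's proxy IDs (10.0.255.1/32 to 172.16.1.0/24), showing why the rule ordering above matters: a flow that is masqueraded to the eth0 address 203.0.113.1 never matches the IPsec policy. The misordered rule set and the flows are constructed for the example.

```python
# Added example (not EdgeOS code): models EdgeOS first-match source NAT
# evaluation and then checks whether the translated flow falls inside the
# tunnel's proxy IDs, i.e. whether it would be carried over the VPN at all.
from ipaddress import ip_address, ip_network

# Source NAT rules as configured on ER-R in this article. EdgeOS evaluates
# them in ascending rule-number order and the first match wins.
NAT_RULES = [
    {"rule": 5000, "outbound_interface": "eth0", "source": "192.168.1.0/24",
     "destination": "172.16.1.0/24", "outside_address": "10.0.255.1"},
    # Default masquerade rule: translates to the eth0 address, 203.0.113.1.
    {"rule": 5010, "outbound_interface": "eth0", "source": "0.0.0.0/0",
     "destination": "0.0.0.0/0", "outside_address": "203.0.113.1"},
]

# Proxy IDs (local subnet, remote subnet) of the policy-based tunnel on ER-R.
PROXY_IDS = (ip_network("10.0.255.1/32"), ip_network("172.16.1.0/24"))


def translate(src, dst, iface="eth0", rules=NAT_RULES):
    """Return (post-NAT source, matching rule number); (src, None) if nothing matches."""
    for r in sorted(rules, key=lambda rule: rule["rule"]):
        if (r["outbound_interface"] == iface
                and ip_address(src) in ip_network(r["source"])
                and ip_address(dst) in ip_network(r["destination"])):
            return r["outside_address"], r["rule"]
    return src, None


def enters_tunnel(post_src, dst, proxy_ids=PROXY_IDS):
    """The IPsec policy only matches if both addresses fall inside the proxy IDs."""
    local, remote = proxy_ids
    return ip_address(post_src) in local and ip_address(dst) in remote


def check_flow(src, dst, iface="eth0", rules=NAT_RULES):
    """Post-NAT source, the NAT rule that fired, and whether the flow is tunnelled."""
    post_src, rule = translate(src, dst, iface, rules)
    return {"post_src": post_src, "rule": rule,
            "tunnelled": enters_tunnel(post_src, dst)}


# Constructed scenario: the VPN rule renumbered above the masquerade rule.
MISORDERED_RULES = [dict(NAT_RULES[1]), dict(NAT_RULES[0], rule=5020)]

if __name__ == "__main__":
    print(check_flow("192.168.1.10", "172.16.1.10"))                         # rule 5000, tunnelled
    print(check_flow("192.168.1.10", "172.16.1.10", rules=MISORDERED_RULES))  # masqueraded, not tunnelled
```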

5. Commit the changes and save the configuration.

commit ; save

Steps: Testing & Verification



1. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
peer-192.0.2.1-tunnel-1: #1, ESTABLISHED, IKEv1, f0d42011e491a7fc:f2d389c0ae8cd615
  local  '203.0.113.1' @ 203.0.113.1
  remote '192.0.2.1' @ 192.0.2.1
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 76s ago, reauth in 28005s
peer-192.0.2.1-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 76 ago, rekeying in 2562s, expires in 3526s
in c1f5b727, 180 bytes, 3 packets, 70s ago
out cb2e250b, 180 bytes, 3 packets, 70s ago
    local  10.0.255.1/32
    remote 172.16.1.0/24

NOTE: If there is no (or only partial) output, the tunnel is not established. These types of tunnels will only establish if relevant traffic is sent over the link (sourced from a host behind the EdgeRouter).

Verify that the in and out traffic counters are increasing at the same time and that the remote and local subnets are listed in the output.
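As an added example (not EdgeOS or strongSwan code, and not part of the original article), the following parses the text of show vpn ipsec sa and performs the checks above automatically: both the IKE SA and the CHILD SA are up, the local and remote selectors equal the configured proxy IDs, and packets have been counted in both directions. The sample output is constructed in the shape of the output shown in this article.

```python
# Added example (not EdgeOS/strongSwan code): parses 'show vpn ipsec sa' text
# and reports whether the tunnel is fully up with the expected proxy IDs.
import re

# Constructed sample, copied in shape from the output shown in this article.
SAMPLE = """\
peer-192.0.2.1-tunnel-1: #1, ESTABLISHED, IKEv1, f0d42011e491a7fc:f2d389c0ae8cd615
  local  '203.0.113.1' @ 203.0.113.1
  remote '192.0.2.1' @ 192.0.2.1
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 76s ago, reauth in 28005s
peer-192.0.2.1-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 76 ago, rekeying in 2562s, expires in 3526s
in c1f5b727, 180 bytes, 3 packets, 70s ago
out cb2e250b, 180 bytes, 3 packets, 70s ago
    local  10.0.255.1/32
    remote 172.16.1.0/24
"""


def parse_sa(text):
    """Extract IKE/CHILD SA state, per-direction packet counters and traffic selectors."""
    info = {"ike_established": False, "child_installed": False,
            "in_packets": 0, "out_packets": 0, "local_ts": None, "remote_ts": None}
    for line in text.splitlines():
        s = line.strip()
        if ", ESTABLISHED," in s:
            info["ike_established"] = True
        elif ", INSTALLED," in s:
            info["child_installed"] = True
        elif m := re.match(r"(in|out) [0-9a-f]+, \d+ bytes, (\d+) packets", s):
            info[f"{m.group(1)}_packets"] = int(m.group(2))
        elif m := re.match(r"(local|remote)\s+(\S+/\d+)$", s):
            # Only the selector lines end in a prefix; the peer address lines do not.
            info[f"{m.group(1)}_ts"] = m.group(2)
    return info


def tunnel_ok(text, local_ts="10.0.255.1/32", remote_ts="172.16.1.0/24"):
    """True only if both SAs are up, selectors match the proxy IDs, and traffic flows both ways."""
    i = parse_sa(text)
    return (i["ike_established"] and i["child_installed"]
            and i["local_ts"] == local_ts and i["remote_ts"] == remote_ts
            and i["in_packets"] > 0 and i["out_packets"] > 0)


if __name__ == "__main__":
    print(parse_sa(SAMPLE))
    print("tunnel ok:", tunnel_ok(SAMPLE))  # True
```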

2. Verify the IPsec strongSwan configuration file.

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

config setup

conn %default
        keyexchange=ikev1

conn peer-192.0.2.1-tunnel-1
        left=203.0.113.1
        right=192.0.2.1
        leftsubnet=10.0.255.1/32
        rightsubnet=172.16.1.0/24
        ike=aes128-sha1-modp2048!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes128-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-192.0.2.1-tunnel-1

3. Capture the arrival of IKE/ESP traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500 or port 4500 or esp
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 I ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 R ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others R oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x1), length 164
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x2), length 164
IP 203.0.113.1 > 192.0.2.1: ESP(spi=0x216ec4ce,seq=0x1), length 148
IP 192.0.2.1 > 203.0.113.1: ESP(spi=0xc25e3a53,seq=0x3), length 68

NOTE: This is a live capture. If there is no output then the traffic is either not being generated or there is something blocking the traffic upstream.

4. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log
[KNL] creating acquire job for policy 10.0.255.1/32[icmp] === 172.16.1.10/32[icmp] with reqid {1}
[IKE] initiating Main Mode IKE_SA peer-192.0.2.1-tunnel-1[1] to 192.0.2.1
[ENC] generating ID_PROT request 0 [ SA V V V V ]
[ENC] parsed ID_PROT response 0 [ SA V V V ]
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA peer-192.0.2.1-tunnel-1[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
[ENC] generating QUICK_MODE request 3622515205 [ HASH SA No ID ID ]
[ENC] parsed QUICK_MODE response 3622515205 [ HASH SA No ID ID ]
[IKE] CHILD_SA peer-192.0.2.1-tunnel-1{1} established with SPIs and TS 10.0.255.1/32 === 172.16.1.0/24

NOTE: This is also a live capture. Alternatively, you can use the show vpn log | no-more command to view the entire IPsec log history.

5. Verify that the traffic is increasing the counters on the IPsec firewall rules.

show firewall name WAN_IN statistics 
--------------------------------------------------------------------------------
IPv4 Firewall "WAN_IN"  [WAN to internal]
 Active on (eth0,IN)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    91          5440        ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
60    3           180         ACCEPT  IPsec
10000 232         13920       DROP    DEFAULT ACTION

show firewall name WAN_LOCAL statistics
--------------------------------------------------------------------------------
IPv4 Firewall "WAN_LOCAL"  [WAN to router]
 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    657         62520       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    2           372         ACCEPT  IKE
40    10          1240        ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    0           0           ACCEPT  IPsec
10000 0           0           DROP    DEFAULT ACTION

6. Verify the NAT statistics and the translation table.

show nat statistics 
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5000  1           SRC   -         eth0     
5010  7           MASQ  -         eth0      masquerade for WAN

show nat translations source detail 
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.168.1.10:3712    172.16.1.10:3389   10.0.255.1:3712   172.16.1.10:3389 
  tcp: snat: 192.168.1.10 ==> 10.0.255.1  timeout: 52 use: 1
192.168.1.11:1058    172.16.1.10:3389   10.0.255.1:1058   172.16.1.10:3389
  tcp: snat: 192.168.1.11 ==> 10.0.255.1  timeout: 7437 use: 1

Related Articles

