EdgeRouter - IPsec Site-to-Site VPN with Many-to-One Source NAT

Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN while also translating the internal subnet range using Many-to-One Source NAT (Network Address Translation). This type of setup is needed when IPsec peers only exchange a single address over the VPN. This address is then used by Source NAT to translate the entire internal subnet to a single address. This type of NAT configuration is often referred to as Many-to-One NAT, PAT (Port Address Translation), Masquerade or NAT Overload.


NOTES & REQUIREMENTS:

Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.


Equipment used in this article:

  • EdgeRouter-4 (ER-4)
  • Test clients

Table of Contents


  1. Network Diagram
  2. Steps: Policy-Based VPN with Many-to-One Source NAT
  3. Steps: Testing & Verification
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouters:

ER-R

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • NAT address - 169.254.255.1

ER-L

  • eth0 (WAN) - 192.0.2.1
  • eth1 (LAN) - 172.16.1.1/24


Steps: Policy-Based VPN with Many-to-One Source NAT



For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.

The ports and protocol that are relevant to IPsec are:

  • UDP 500 (IKE)
  • Protocol 50 (ESP)
  • UDP 4500 (NAT-T)

The type of VPN that will be created is called a Policy-Based VPN which uses remote and local subnets, otherwise known as proxy IDs. These values need to match exactly between the two peers and need to be mirror images of each other. Only the prefixes defined in the proxy IDs will be carried over the tunnel. In this case, the proxy ID for ER-R will be a single address (169.254.255.1), which will be used to translate the 192.168.1.0/24 range.


There are four NAT address types, which can be viewed in the NAT translation table:

  • Pre-NAT source - The local IP address before NAT translation
  • Post-NAT source - The local IP address after NAT translation
  • Pre-NAT destination - The remote IP address before NAT translation
  • Post-NAT destination - The remote IP address after NAT translation

show nat translations source detail
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.168.1.10:3712    172.16.1.10:3389   169.254.255.1:3712   172.16.1.10:3389
192.168.1.11:1058    172.16.1.10:3389   169.254.255.1:1058   172.16.1.10:3389

In the example, only ER-R will be using NAT to translate the internal subnet range. Therefore, the destination address (server at 172.16.1.10) will be the same pre-NAT/post-NAT IP address. The source address will change from 192.168.1.10 and 192.168.1.11 to 169.254.255.1 and a random port. The configuration below will primarily focus on ER-R.

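A flow toward 172.16.1.0/24 that leaves with any source other than 169.254.255.1 does not match the proxy IDs and will bypass the tunnel in the clear. The POSIX shell function below is an added example (not part of the article or EdgeOS) that audits a saved copy of the translation table for exactly that; the sample table is constructed and its third flow is deliberately wrong.

```shell
#!/bin/sh
# Added example (not from the article): audit a saved copy of
# "show nat translations source detail" for VPN-bound flows that were NOT
# translated to the proxy ID address. Such flows leave with the wrong source,
# never match the IPsec policy and silently bypass the tunnel.
VPN_ADDR="169.254.255.1"     # outside-address of NAT rule 5000 / local proxy ID
REMOTE_PREFIX="172.16.1."    # remote subnet 172.16.1.0/24

# Constructed sample table; the third flow was caught by the masquerade rule
# instead of rule 5000, so its source became the WAN address.
SAMPLE='Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst
192.168.1.10:3712    172.16.1.10:3389   169.254.255.1:3712   172.16.1.10:3389
  tcp: snat: 192.168.1.10 ==> 169.254.255.1  timeout: 52 use: 1
192.168.1.11:1058    172.16.1.10:3389   169.254.255.1:1058   172.16.1.10:3389
  tcp: snat: 192.168.1.11 ==> 169.254.255.1  timeout: 7437 use: 1
192.168.1.12:2201    172.16.1.10:3389   203.0.113.1:2201     172.16.1.10:3389
  tcp: snat: 192.168.1.12 ==> 203.0.113.1  timeout: 30 use: 1'

# check_translations TABLE: prints the pre-NAT source of every flow to the
# remote subnet whose post-NAT source is not VPN_ADDR or whose destination
# was altered; exit status 1 if any such flow exists, 0 otherwise.
check_translations() {
    printf '%s\n' "$1" | awk -v vpn="$VPN_ADDR" -v net="$REMOTE_PREFIX" '
        # only the flow rows start with ip:port; header and detail rows do not
        $1 !~ /^[0-9.]+:[0-9]+$/ { next }
        {
            split($2, pre_dst, ":"); split($3, post_src, ":"); split($4, post_dst, ":")
            if (index(pre_dst[1], net) != 1) next       # not bound for the VPN
            if (post_src[1] != vpn || post_dst[1] != pre_dst[1]) { print $1; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}

check_translations "$SAMPLE" || echo "untranslated VPN-bound flow(s) listed above"
```

On the router itself the table can be fed in with `show nat translations source detail` captured to a variable or file instead of the constructed sample.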

GUI: Access the Graphical User Interface.

1. Define the IPsec peer and Security Associations (SAs) on ER-R (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Uncheck: Automatically open firewall and exclude from NAT
Peer: 192.0.2.1
Description: IPsec
Local IP: 203.0.113.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 169.254.255.1/32
Remote subnet: 172.16.1.0/24

ATTENTION: It is important to not check the box that automatically excludes the IPsec traffic from NAT. Custom NAT/firewall rules will be created later on that serve this purpose. The automatic exclusions take priority over all custom-created firewall rules and need a reboot to be completely removed (if previously enabled).

2. Define the IPsec peer and Security Associations (SAs) on ER-L (replace <secret> with your desired passphrase).

VPN > IPsec Site-to-Site > +Add Peer

  • Show advanced options
  • Automatically open firewall and exclude from NAT
Peer: 203.0.113.1
Description: IPsec
Local IP: 192.0.2.1
Encryption: AES-128
Hash: SHA1
DH Group: 14
Pre-shared Secret: <secret>
Local subnet: 172.16.1.0/24
Remote subnet: 169.254.255.1/32


CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Add firewall rules for the IPsec traffic to the local firewall policy.

set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description IKE
set firewall name WAN_LOCAL rule 30 destination port 500
set firewall name WAN_LOCAL rule 30 log disable
set firewall name WAN_LOCAL rule 30 protocol udp

set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 description ESP
set firewall name WAN_LOCAL rule 40 log disable
set firewall name WAN_LOCAL rule 40 protocol esp

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description NAT-T
set firewall name WAN_LOCAL rule 50 destination port 4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp

set firewall name WAN_LOCAL rule 60 action accept
set firewall name WAN_LOCAL rule 60 description IPsec
set firewall name WAN_LOCAL rule 60 source address 172.16.1.0/24
set firewall name WAN_LOCAL rule 60 destination address 192.168.1.0/24
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 ipsec match-ipsec

NOTE: Make sure that this rule does not override any existing firewall policies! The name of the local firewall policy applied to the WAN interface might be different in your environment. Whatever the naming scheme, make sure that the correct firewall rule is applied under the WAN interface.

3. Add a firewall rule for the IPsec traffic to the inbound firewall policy.

set firewall name WAN_IN rule 60 action accept
set firewall name WAN_IN rule 60 description IPsec
set firewall name WAN_IN rule 60 source address 172.16.1.0/24
set firewall name WAN_IN rule 60 destination address 192.168.1.0/24
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 ipsec match-ipsec

4. Add the source NAT rule that translates the internal range to the VPN address.

set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 169.254.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source

NOTE: Make sure that this rule takes priority over any other NAT rules (such as the NAT masquerade rule). The default NAT masquerade rule has a priority (rule number) of 5010.

5. Commit the changes and save the configuration.

commit ; save
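The ordering requirement from step 4 is easy to get wrong when a configuration already carries several NAT rules. The shell function below is an added example (not part of the article or EdgeOS) that checks a saved copy of `show configuration commands | grep 'service nat rule'` and confirms that the source rule translating to the VPN address is numbered below every masquerade rule on the same outbound interface; the sample configuration is constructed from the rules in this article.

```shell
#!/bin/sh
# Added example (not from the article): verify that the source NAT rule
# translating to the VPN address outranks (has a lower number than) every
# masquerade rule on the same outbound interface. If masquerade wins,
# VPN-bound traffic is NATed to the WAN address and never enters the tunnel.

# Constructed sample of "show configuration commands | grep 'service nat rule'"
NAT_CFG='set service nat rule 5000 destination address 172.16.1.0/24
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 outside-address address 169.254.255.1
set service nat rule 5000 source address 192.168.1.0/24
set service nat rule 5000 type source
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade'

# check_nat_order VPN_ADDR CONFIG: prints a verdict; exit 0 when the ordering
# is correct, 1 when no matching source rule exists or a masquerade rule shadows it.
check_nat_order() {
    printf '%s\n' "$2" | awk -v vpn="$1" '
        # fields: set service nat rule <num> <key> ...
        $6 == "outbound-interface" { iface[$5] = $7 }
        $6 == "outside-address"    { addr[$5]  = $8 }
        $6 == "type"               { type[$5]  = $7 }
        END {
            for (r in addr) if (addr[r] == vpn && type[r] == "source") src = r
            if (src == "") { print "no source NAT rule translating to " vpn; exit 1 }
            for (r in type)
                if (type[r] == "masquerade" && iface[r] == iface[src] && r + 0 < src + 0) {
                    print "masquerade rule " r " shadows source rule " src; exit 1
                }
            print "ok: rule " src " is evaluated before masquerade on " iface[src]
        }'
}

check_nat_order "169.254.255.1" "$NAT_CFG"
```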

Steps: Testing & Verification



1. Verify the IPsec Security Associations (SAs) and tunnel status.

show vpn ipsec sa
peer-192.0.2.1-tunnel-1: #1, ESTABLISHED, IKEv1, f0d42011e491a7fc:f2d389c0ae8cd615

  local  '203.0.113.1' @ 203.0.113.1
  remote '192.0.2.1' @ 192.0.2.1
AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
established 76s ago, reauth in 28005s
peer-192.0.2.1-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
installed 76 ago, rekeying in 2562s, expires in 3526s
in c1f5b727, 180 bytes, 3 packets, 70s ago
out cb2e250b, 180 bytes, 3 packets, 70s ago
    local  169.254.255.1/32
    remote 172.16.1.0/24

NOTE: If there is no (or only partial) output, the tunnel is not established. Remember that these types of tunnels will only establish if you send relevant traffic over the link (sourced from a host behind the EdgeRouter).


Verify that the in and out traffic counters are increasing at the same time, and that the remote and local subnets are listed in the output.

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
  uptime: 73 seconds, since Jan 01 09:36:38 2015
  malloc: sbrk 376832, mmap 0, used 272464, free 104368
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
Listening IP addresses:
  203.0.113.1
  192.168.1.1
Connections:
peer-192.0.2.1-tunnel-1:  203.0.113.1...192.0.2.1  IKEv1
peer-192.0.2.1-tunnel-1:   local:  [203.0.113.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   remote: [192.0.2.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   child:  169.254.255.1/32 === 172.16.1.0/24 TUNNEL
Routed Connections:
peer-192.0.2.1-tunnel-1{1}:  ROUTED, TUNNEL
peer-192.0.2.1-tunnel-1{1}:   169.254.255.1/32 === 172.16.1.0/24
Security Associations (1 up, 0 connecting):
peer-192.0.2.1-tunnel-1[1]: ESTABLISHED 58 seconds ago, 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
peer-192.0.2.1-tunnel-1[1]: IKEv1 SPIs: f0d42011e491a7fc_i* f2d389c0ae8cd615_r, pre-shared key reauthentication in 7 hours
peer-192.0.2.1-tunnel-1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
peer-192.0.2.1-tunnel-1{1}:  INSTALLED, TUNNEL, ESP SPIs: cf68a51c_i c012b202_o
peer-192.0.2.1-tunnel-1[1]: AES_CBC_128/HMAC_SHA1_96, 180 bytes_i (3 pkts, 82s ago), 180 bytes_o (3 pkts, 83s ago)
peer-192.0.2.1-tunnel-1{1}:   169.254.255.1/32 === 172.16.1.0/24

2. Verify the IPsec strongSwan configuration file.

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl


config setup

conn %default
        keyexchange=ikev1

conn peer-192.0.2.1-tunnel-1
        left=203.0.113.1
        right=192.0.2.1
        leftsubnet=169.254.255.1/32
        rightsubnet=172.16.1.0/24
        ike=aes128-sha1-modp2048!
        keyexchange=ikev1
        ikelifetime=28800s
        esp=aes128-sha1-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever
#conn peer-192.0.2.1-tunnel-1

3. Capture the IKE traffic on the WAN interface.

sudo tcpdump -i eth0 -n udp dst port 500   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others R oakley-quick[E]

NOTE: This is a live capture. If there is no output, the traffic is either not being generated by the peer(s), or something is blocking the traffic upstream.

4. Capture and analyze the IPsec VPN log messages.

sudo swanctl --log
15[KNL] creating acquire job for policy 169.254.255.1/32[icmp] === 172.16.1.10/32[icmp] with reqid {1}
15[IKE] initiating Main Mode IKE_SA peer-192.0.2.1-tunnel-1[1] to 192.0.2.1
15[ENC] generating ID_PROT request 0 [ SA V V V V ]
13[ENC] parsed ID_PROT response 0 [ SA V V V ]
13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
10[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
06[ENC] parsed ID_PROT response 0 [ ID HASH ]
06[IKE] IKE_SA peer-192.0.2.1-tunnel-1[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
06[ENC] generating QUICK_MODE request 3622515205 [ HASH SA No ID ID ]
10[ENC] parsed QUICK_MODE response 3622515205 [ HASH SA No ID ID ]
10[IKE] CHILD_SA peer-192.0.2.1-tunnel-1{1} established with SPIs and TS 169.254.255.1/32 === 172.16.1.0/24

NOTE: This is also a live capture. If there is no output, the traffic is not being allowed through the firewall. Alternatively, you can use the show vpn log | no-more command to view the entire IPsec log history.

5. Verify that the traffic is increasing the counters on the IPsec firewall rules.

show firewall name WAN_IN statistics 
--------------------------------------------------------------------------------
IPv4 Firewall "WAN_IN"  [WAN to internal]
 Active on (eth0,IN)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    91          5440        ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
60    3           180         ACCEPT  IPsec
10000 232         13920       DROP    DEFAULT ACTION

show firewall name WAN_LOCAL statistics
--------------------------------------------------------------------------------
IPv4 Firewall "WAN_LOCAL"  [WAN to router]
 Active on (eth0,LOCAL)

rule  packets     bytes       action  description
----  -------     -----       ------  -----------
10    657         62520       ACCEPT  Allow established/related
20    0           0           DROP    Drop invalid state
30    2           372         ACCEPT  IKE
40    10          1240        ACCEPT  ESP
50    0           0           ACCEPT  NAT-T
60    0           0           ACCEPT  IPsec
10000 0           0           DROP    DEFAULT ACTION

6. Verify the NAT statistics and the translation table.

show nat statistics 
rule  count       type  IN        OUT       description
----  ----------  ----  --------  --------  -----------
5000  1           SRC   -         eth0     
5010  7           MASQ  -         eth0      masquerade for WAN

show nat translations source detail 
Pre-NAT src          Pre-NAT dst        Post-NAT src         Post-NAT dst     
192.168.1.10:3712    172.16.1.10:3389   169.254.255.1:3712   172.16.1.10:3389 
  tcp: snat: 192.168.1.10 ==> 169.254.255.1  timeout: 52 use: 1
192.168.1.11:1058    172.16.1.10:3389   169.254.255.1:1058   172.16.1.10:3389
  tcp: snat: 192.168.1.11 ==> 169.254.255.1  timeout: 7437 use: 1

Related Articles
