Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 2611 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site VPN with a NATed tunnel

glch

Hey all, I'm mostly familiar with the SG firewalls but due to having a requirement for IKEv2 we're using an XG for a VPN connection. One of the requirements for this VPN is that it will require full NAT on our side, or where the tunnel is only connecting through a single IP, and performing NAT for the internal clients. I wanted to make sure I've got my configuration correct before our testing this weekend. I've attached a copy of that config below.

The way I'm expecting this to work is when the tunnel comes up, the remote side will only see traffic coming from 10.51.96.50, and when they send traffic back, the XG will deliver the traffic to the appropriate internal host via NAT (Local LAN is 10.51.95.0/24). They have the same setup on their end, so the "remote subnet" section is a single client IP rather than a network or a host range.

Does this look like it would work as planned?

 



This thread was automatically locked due to age.
Parents
  • +1

    Should work, if those objects are correct.

    Keep in mind, you have to build up the SA with local / remote subnet. 

    So the other gateway product has to reverse them. 

  • 0 in reply to LuCar Toni

    Lucar,

    During a pre-call today, the vendor mentioned they could not accept a private IP for the encrypted domain (local subnet) and requires a WAN IP. I've adjusted that host in my XG and now I'm using one of my other WAN IPs. Is there any "gotcha" to this or should everything still work as intended. I haven't done anything except created this WAN IP under "Hosts and Services" on my firewall.

    I appreciate the help on this.

  • 0 in reply to glch

    They demand to use a WAN IP in a IPsec Tunnel?

    Sounds interesting. And also "very special.." 

    Never tried this before, if you can, maybe you should simulate this with another firewall. 

    Maybe this will cause some kind of routing issue in Iptables, but i am not sure. 

  • 0 in reply to LuCar Toni

    Lucar,

    Everything went off without any issues during out cutover. I was surprised at how easy this was to configure in the XG. Thanks for the assistance and assurance!

Reply Children
No Data