
Natting S2S ipsec /30 leftsubnet to /24 Internal_Network

Hello Sirs,
These are my first steps with the XG210.
For the IPsec VPN tunnels to our customers, we agreed on having our local subnet masqueraded as a small subnet like leftsubnet=172.25.3.8/30.
In our old firewall, this resulted in our customer seeing us as 172.25.3.9/32. Thus, he could access an https service with this IP on our site.

I want to transfer these tunnels to the XG210, and I do not want to negotiate tunnel details again.
Most of the tunnels work as before, when I assign something like 172.25.3.9/32 to the "local network" and NAT this to "Internal_Network" (/24).
In this case the tunnel comes up AND I can access the "remote network" (i.e. ping a remote IP).

In one case the tunnel won't come up. So, I assign exactly the network we agreed on (i.e. 172.25.3.8/30). Now, the tunnel comes up.
The route lookup for an IP in the remote network resolves to "...  is located on the ipsec0" as expected.
However, a ping to this IP is routed to Port2 (internet) and thus never comes back.
Why?

Do I really have to renegotiate the tunnel details with my customer, or can I translate that in any way?


Best regards to all from Germany
Frytz



  • Hi

    AFAIK 172.25.3.8/30 will be able to do NAT with your "Internal_Network" (/30) machines only over the IPsec.

    Due to this reason, if traffic is generated for a remote IPsec destination by other hosts or machines which are part of "Internal_Network" (/24) and not covered within the /30, then that traffic will be forwarded to the Internet.

    With the same setup settings you may give the additional settings below a try, if that helps to fix this issue:

    ================

    1) Please add a manual IPsec route on the XG for the remote LAN network or server which you are accessing over the IPsec VPN.

    console> system ipsec_route add host <IP address of host> tunnelname <tunnel name>
    console> system ipsec_route add net <network/netmask> tunnelname <tunnel name>

    2) Please add a LAN to VPN rule with custom NAT with IP 172.25.3.9/32, as that will NAT traffic for the other machines which are not covered by the IPsec NAT.

    Note: After adding the manual IPsec route, please turn the tunnel off and on once, then check the ping from the LAN machines again and verify that the packets go out via ipsec0 in the GUI packet capture utility.

  • Hello Sir,

    Runs like a charm. You made my day.

    (In fact, I already had executed Step 2 without success, as I was missing the additional routing)

    Thank you.

    Best regards

    Frytz

  • Hi

    Thanks for the update and I am glad to hear that your issue has been fixed with the provided steps.
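
The mechanism described in the first reply (traffic that falls outside the agreed /30 takes the default route, the NAT rule alone does not catch it, and the manual ipsec_route plus the NAT rule fixes it), as an added example that is not from the thread or from Sophos: a simplified Python model with constructed addresses. The ordering of routing, source NAT and selector matching is an assumption chosen to reproduce the observations in the thread, not a description of the XG's actual packet path.

```python
from ipaddress import ip_address, ip_network

# Constructed example values (not from the thread): the agreed /30 selector,
# the address the customer sees, and stand-in internal and remote networks.
LOCAL_SELECTOR = ip_network("172.25.3.8/30")    # leftsubnet agreed with customer
NAT_ADDRESS = ip_address("172.25.3.9")          # what the customer sees us as
INTERNAL_NETWORK = ip_network("192.0.2.0/24")   # stands in for Internal_Network (/24)
REMOTE_NETWORK = ip_network("198.51.100.0/24")  # stands in for the customer's network


def egress(src, dst, nat_rule=False, ipsec_route=False):
    """Return (interface, source address) for a packet from src to dst.

    Assumed simplified model, not Sophos XG internals:
      1. Routing: a packet bound for the remote network goes to ipsec0 only if
         its source already fits the local selector, or a manual ipsec_route
         pins that destination to the tunnel. Otherwise it takes the default
         route on Port2, which is the symptom the original post describes.
      2. Source NAT runs after the routing decision, so a LAN-to-VPN NAT rule
         never sees traffic that routing already sent to Port2 (step 2 alone).
      3. Before encryption the (src, dst) pair must match the tunnel's
         selectors; a non-matching pair on ipsec0 has nowhere to go.
    """
    src, dst = ip_address(src), ip_address(dst)
    if dst not in REMOTE_NETWORK:
        return ("Port2", str(src))
    if not (src in LOCAL_SELECTOR or ipsec_route):
        return ("Port2", str(src))
    new_src = NAT_ADDRESS if (nat_rule and src in INTERNAL_NETWORK) else src
    if new_src in LOCAL_SELECTOR:
        return ("ipsec0", str(new_src))
    return ("dropped", str(new_src))


def walk_through(src="192.0.2.10", dst="198.51.100.20"):
    """The four combinations of the two fixes for one internal host."""
    return {
        "no fix": egress(src, dst),
        "NAT rule only": egress(src, dst, nat_rule=True),
        "ipsec_route only": egress(src, dst, ipsec_route=True),
        "both": egress(src, dst, nat_rule=True, ipsec_route=True),
    }


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:18} -> {result}")
```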
