This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site VPN with NAT-T at both ends

Hi there

I'm trying to set up a IPSec VPN with NAT-T at both ends. Can this be done? I have looked at the forums but it seems to be an ongoing problem.

LAN--ASL--Router with NAT----www----Router with NAT--ASL---LAN

Both routers are port-forwarding all IP traffic and all protocols to the Astaro external interfaces.

I have tried with PSK. Has anyone achieved this??

This thread was automatically locked due to age.

Parents

0 Itos over 20 years ago

Hello,

it is easier then it looks like.

you need an stuff IP or a dyndns account on both sides.

Then read this from knowledgebase:
IPSec Net to Net VPN with RSA How-To

When you use "auto" in packte filter you didn't need any additionell configurations.

Ti
Cancel
Vote Up 0 Vote Down

Cancel
0 Gpenne over 20 years ago in reply to Itos

Depends on how you look at it of course.
I see two issues:
1) you cannot use the Astaro dyndns because it takes the address of the external interface and publishes it to dydns-server. You will end up with private IPs in the DNS.
Not good, been there already :-(
--> can be solved with custom dyndns update script
2) If either IP changes AND dns is not updated immediately AND IPSEC negotiatons occur, you lose connectivity.

Gpenne
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Gpenne over 20 years ago in reply to Itos

Depends on how you look at it of course.
I see two issues:
1) you cannot use the Astaro dyndns because it takes the address of the external interface and publishes it to dydns-server. You will end up with private IPs in the DNS.
Not good, been there already :-(
--> can be solved with custom dyndns update script
2) If either IP changes AND dns is not updated immediately AND IPSEC negotiatons occur, you lose connectivity.

Gpenne
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data