DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Same subnet IPSec with NAT

06 Jun 2019 19:02 #1 by faris
I'm having a terrible time getting a customer's 3220 to talk to a supplier's network over an IPSec VPN. The problem appears to be a combination of lack of NAT and both ends possibly being in overlapping subnets.

Please can someone help?

On the 3220:
WAN IP: 192.168.10.2 - this is connected to a BT ADSL Hub which is on .1
LAN IP: 192.168.0.1 (/24) - Local PCs connected to this.

The VPN I'm trying to set up is an IPSec IKEv1 link.
The supplier the customer is connecting to specifies that:
Remote IP must be set to: 55.0.0.0/8 (example IP - not the real one, but netmask is real)
Local IP must be set to 55.123.123.123/32 (example IP - not the real one, but netmask is real)
>> And that we must NAT behind 55.123.123.123 as this is the only IP from which traffic will be accepted <<

With the correct Server IP and pre-shared key and IKE settings configured, if I plug all the specified IPs and netmasks into the VPN's TCP/IP settings section, the VPN authenticates and links. A Static Route is automatically created routing 55.0.0.0/8 via the Server IP specified in the VPN config.

But I can't pass any traffic over the VPN. Not so great.

If I select NAT instead of Route in the VPN settings, the VPN won't negotiate. I think it fails Phase2.

I've tried adding a Policy Route for 55.0.0.0/8 over the VPN but that didn't help. And the "Force NAT" option vanishes when you select an IP range for the route.

I tried adding 55.123.123.123/32 as an additional LAN (had to use CLI because you can't select /32 in the GUI), plus inter-lan linking, plus trying other netmasks, but still no traffic passes.

I then started wondering if this situation is classed as a "same subnet". Just in case, I read the various Draytek guides about setting up IPSec VPNs where both sides are on the same subnet. But they do not help me in this situation, because the idea is to use virtual subnets that do not overlap, and enter those as the Local and Remote IPs. I cannot do this here, because the Local and Remote subnets cannot be changed, and even if I tick the "same subnet" box and treat 55.123.123.123/32 as a virtual IP, it still overlaps with 55.0.0.0/8.

And overall, the matter of the NATing still bothers me. I don't see a way to achieve it. I had expected the NAT option in the VPN settings to just work (like it does for PPTP), but it obviously changes something fundamental enough for the VPN negotiation to fail.

Heeeelp please :-)

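As an added example illustrating the selector problem described in the post above (this is not DrayTek's code and not part of the original thread), the Python below models how the supplier's Phase 2 traffic selectors decide whether a packet leaving the tunnel is accepted, and what a source NAT behind 55.123.123.123 has to do so that a 192.168.0.x host passes that check. The addresses are the poster's placeholders; the LAN host, the ports, the simple port-based SNAT table and the mirrored-ID check (many IKEv1 implementations require the two sides' Phase 2 IDs to mirror each other exactly) are assumptions of the example, not a description of how the 3220 behaves.

```python
# Added example, not DrayTek code: a model of IPsec Phase 2 selector matching
# and the source NAT needed when the peer only accepts one /32 as our side.
from __future__ import annotations

from dataclasses import dataclass
import ipaddress

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Selector:
    """One peer's Phase 2 traffic selectors (its policy entry for the tunnel)."""
    local: IPv4Network
    remote: IPv4Network


def selectors_overlap(sel: Selector) -> bool:
    """True when local and remote selectors share addresses (the 'same subnet'
    situation).  A /32 that sits inside 55.0.0.0/8 still overlaps it."""
    return sel.local.overlaps(sel.remote)


def ikev1_phase2_ids_match(ours: Selector, theirs: Selector) -> bool:
    """Many IKEv1 implementations require the two sides' Phase 2 IDs to mirror
    each other exactly (assumed here); a mismatch is a classic Phase 2 failure."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def peer_accepts(peer: Selector, src: IPv4Address, dst: IPv4Address) -> bool:
    """The receiving peer's check on a packet leaving the tunnel: the source
    must fall inside its remote selector, the destination inside its local one."""
    return src in peer.remote and dst in peer.local


class SourceNat:
    """Port-based source NAT hiding a whole LAN behind one address.  A generic
    illustration of what 'NAT behind 55.123.123.123' must do (assumed)."""

    def __init__(self, public: IPv4Address, first_port: int = 40000) -> None:
        self.public = public
        self.next_port = first_port
        self.out_table: dict[tuple[IPv4Address, int], int] = {}
        self.in_table: dict[int, tuple[IPv4Address, int]] = {}

    def outbound(self, src: IPv4Address, sport: int) -> tuple[IPv4Address, int]:
        """Rewrite a LAN source to (public address, allocated port), reusing
        the mapping for an existing flow."""
        key = (src, sport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return self.public, self.out_table[key]

    def inbound(self, dst: IPv4Address, dport: int) -> tuple[IPv4Address, int] | None:
        """Map a reply back to the LAN host, or None when no LAN host asked for
        it: the NAT drops unsolicited traffic arriving from the supplier side."""
        if dst != self.public:
            return None
        return self.in_table.get(dport)


# Constructed scenario using the post's placeholder addresses.
SUPPLIER = Selector(local=IPv4Network("55.0.0.0/8"),
                    remote=IPv4Network("55.123.123.123/32"))
NAT_IP = IPv4Address("55.123.123.123")
ROUTE_MODE_OURS = Selector(local=IPv4Network("192.168.0.0/24"),
                           remote=IPv4Network("55.0.0.0/8"))
NAT_MODE_OURS = Selector(local=IPv4Network("55.123.123.123/32"),
                         remote=IPv4Network("55.0.0.0/8"))


def send_route_mode(src: IPv4Address, dst: IPv4Address) -> bool:
    """Route mode: the packet keeps its 192.168.0.x source into the tunnel."""
    return peer_accepts(SUPPLIER, src, dst)


def send_nat_mode(nat: SourceNat, src: IPv4Address, sport: int,
                  dst: IPv4Address) -> tuple[bool, int]:
    """NAT mode: the source is rewritten to the /32 before the peer's check."""
    pub_ip, pub_port = nat.outbound(src, sport)
    return peer_accepts(SUPPLIER, pub_ip, dst), pub_port


if __name__ == "__main__":
    lan_pc = IPv4Address("192.168.0.50")   # constructed LAN host
    server = IPv4Address("55.10.20.30")    # constructed host on the supplier side
    print("supplier selectors overlap:", selectors_overlap(SUPPLIER))
    print("route-mode IDs mirror supplier:", ikev1_phase2_ids_match(ROUTE_MODE_OURS, SUPPLIER))
    print("NAT-mode IDs mirror supplier:", ikev1_phase2_ids_match(NAT_MODE_OURS, SUPPLIER))
    print("route mode accepted by supplier:", send_route_mode(lan_pc, server))
    nat = SourceNat(NAT_IP)
    ok, port = send_nat_mode(nat, lan_pc, 51234, server)
    print("NAT mode accepted by supplier:", ok, "via port", port)
    print("reply mapped back to:", nat.inbound(NAT_IP, port))
    print("unsolicited packet mapped to:", nat.inbound(NAT_IP, port + 1))
```

Running it shows the two halves of the problem separately: the supplier's own selectors overlap (the /32 is inside the /8), a route-mode packet sourced from 192.168.0.50 fails the supplier's remote-selector check even though the tunnel is up, and once the source is rewritten to 55.123.123.123 the same packet passes, with the NAT table carrying the reply back to the LAN host and dropping anything the LAN did not ask for.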