V. VPN (Virtual Private Networking)

How to NAT IPsec VPN traffic?

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765

Keywords:
IPsec
NAT
NAT VPN
VPN

Vigor Routers can apply NAT to VPN traffic so that it is presented with a chosen IP address. The remote network then sees all traffic as coming from a single specified IP address. This is needed where the VPN server uses one network for creating an IPsec tunnel, but its firewall policy allows only a specified IP address to access its local network. The diagram below depicts this topology in detail:

[Diagram: network topology]

where:

  • Head Office Local Network IP range is 192.168.188.1/24
  • Vigor Router Local Network IP range is 192.168.1.1/24
  • Head Office Router only allows traffic from 172.16.2.129

VPN Client Router Setup

1. Go to [VPN and Remote Access] > [LAN to LAN] and open an index to create a VPN profile.


2. In the profile's Common Settings section, enter the following:

  1. Populate the Profile Name
  2. Enable this profile
  3. Select the WAN interface
  4. Select Dial-Out for Call Direction
  5. (Optional) Tick Always On


Scroll down to the Dial-Out Settings section:

  1. Select IPsec Tunnel
  2. Enter the VPN server's WAN IP or domain name
  3. Enter the IKE Pre-Shared Key, matching the one used on the VPN server


In the last section, TCP/IP Network Settings:

  1. Enter the IP address expected by your VPN server in My WAN IP (in this example we have used 172.16.2.129)
  2. Populate Remote Network IP with the VPN server’s LAN network
  3. Select NAT
  4. Click OK


3. Go to [VPN and Remote Access] > [Connection Management] and click Dial.


VPN Server Expected Results

To demonstrate how it works in practice, here are the results seen on the VPN server with the NAT VPN translation setting disabled, then enabled:

1. Without translation of the VPN client's Local Network
The VPN Connection Status shows Virtual Network as the VPN Client’s LAN network. In this example this is 192.168.1.1/24 (whole IP range).


2. With translation of the VPN client's Local Network
The VPN Connection Status shows Virtual Network as the VPN Client’s translated IP address. In this example this is 172.16.2.129/32 (single IP address).

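The effect of the NAT option on the head office's firewall policy, modelled as an added example (not DrayTek's code and not part of the original article). It assumes conventional port-based many-to-one source NAT; the class and function names, the port numbers and the host addresses .10, .11 and .20 are constructed for illustration.

```python
import ipaddress

# Addresses from the article's example (strict=False accepts its x.x.x.1/24 notation).
BRANCH_LAN = ipaddress.ip_network("192.168.1.1/24", strict=False)
HEAD_OFFICE_LAN = ipaddress.ip_network("192.168.188.1/24", strict=False)
ALLOWED_SRC = ipaddress.ip_address("172.16.2.129")  # "My WAN IP" in the profile

def head_office_accepts(src, dst):
    """Head-office policy: one permitted source, destination inside its LAN."""
    return (ipaddress.ip_address(src) == ALLOWED_SRC
            and ipaddress.ip_address(dst) in HEAD_OFFICE_LAN)

class VpnNat:
    """ASSUMPTION: conventional port-based source NAT, not DrayTek's code."""

    def __init__(self, nat_ip, first_port=40000):
        self.nat_ip = str(nat_ip)
        self.next_port = first_port
        self.out = {}   # (lan_ip, lan_port) -> translated source port
        self.back = {}  # translated source port -> (lan_ip, lan_port)

    def outbound(self, src, sport, dst, dport):
        """Rewrite the source of a LAN flow before it enters the tunnel."""
        if ipaddress.ip_address(src) not in BRANCH_LAN:
            raise ValueError("source is not on the branch LAN")
        key = (src, sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.nat_ip, self.out[key], dst, dport)

    def inbound(self, dport):
        """Map a reply to its LAN host; None when no outbound flow created state."""
        return self.back.get(dport)

def demo():
    """Run two constructed flows from different LAN hosts through the model."""
    nat = VpnNat(ALLOWED_SRC)
    raw = ("192.168.1.10", 51000, "192.168.188.20", 443)  # constructed sample
    first = nat.outbound(*raw)
    second = nat.outbound("192.168.1.11", 51000, "192.168.188.20", 443)
    return {
        "accepted_without_nat": head_office_accepts(raw[0], raw[2]),
        "accepted_with_nat": head_office_accepts(first[0], first[2]),
        "hosts_share_source": first[0] == second[0] and first[1] != second[1],
        "reply_maps_to": nat.inbound(first[1]),
        "unsolicited_maps_to": nat.inbound(45000),
    }
```

Because every LAN host appears as 172.16.2.129, the head office's logs cannot tell branch hosts apart, and under this assumed model it cannot open new connections to them, since reverse mappings exist only for flows started from the branch side.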