IpSec NAT 2 local subnet

NRG · June 24, 2010, 5:08pm

Hi, I have problem with configure IPSEC:

Company 1:
WAN: 1.1.1.1
LOCAL: 192.168.55.0/24

Company 2:
WAN: 2.2.2.2
LOCAL 1: 172.23.28.0/24
LOCAL 2: 10.101.10.0/24

Tunnel between COMPANY 1 and COMPANY 2 with creates and functions. Form tunnel from COMPANY 1 to the COMPANY 2, but only LOCAL 1 or LOCAL 2. And I need tunnel LOCAL 1 and LOCAL 2 on the side COMPANY 2 to functioned ping on the part of COMPANY 1. Please, how?

Thank

bafh · June 28, 2010, 5:17pm

add routes

reddaddy32 · December 29, 2010, 2:28pm

Can someone explain how this would be done, using NAT traffic is only passed to the network that is in the 0 spot (top) but not the one that is right below it in the #1 spot. So using above as an example LOCAL 1: 172.23.28.0/24 will ping if its in spot 0 and LOCAL 2: 10.101.10.0/24 will not, but if i switch the spots in the NAT the results switch.

fewi · December 29, 2010, 2:42pm

Why are you NATing across a VPN? Unless you have overlapping IP ranges it is considerably easier and cleaner to just route traffic.

reddaddy32 · December 29, 2010, 9:06pm

Could someone point me to something that tells me how to do it though routes? everything i read says to uses source-nat.

fewi · December 29, 2010, 9:27pm

You just need routes pointing to the remote subnets via the remote tunnel IP address. If you’re using IPsec you will, of course, also need IPsec policies that select that traffic for encapsulation; if you’re using PPTP or L2TP encapsulation happens automatically as the traffic leaves through the tunnel interface. Those routes could be static, or dynamic (though dynamic routing protocols are more difficult through IPsec tunnels as IPsec doesn’t do multicast or broadcast traffic, which virtually all IGPs use).

reddaddy32 · December 30, 2010, 9:56pm

I guess i am at a loss, does someone know where i would put that, or point me to something that would describe it to me more clearly?

reddaddy32 · December 31, 2010, 7:50pm

I am using an ipsec tunnel, the policies are in place to push traffic through the tunnel to 200.200.200.0/24 and another policy to 10.0.0.1, the 10.0.0.1 policy will ping but the 200.200.200.0 policy never pings unless i disable the 10. policy and reboot the router, than the 200 one pings and the 10 does not, but if i turn the 10 back on the 200 goes down and the 10 goes back up.