We currently have IPSEC tunnels connecting our offices, but I have a new supplier that I need to connect to with IPSEC. Due to the nature of the supplier, they deal with lots of customers using 192.168.x.x subnets, so we have been asked to NAT the packets.
I am having trouble with this, and was wondering if anyone has done this before, or has knowledge of the procedure to undertake.
My LAN: 192.168.5.x
Supplier LAN: 195.x.x.x
I have successfully created an IPSEC connection between our Mikrotik router and our supplier's Cisco router, but the supplier sees packets on his LAN from 192.168.5.x, and therefore tries to reply to our LAN addresses, whereas he needs to see packets from our public IP. In essence we need to perform some sort of masquerade over the IPSEC tunnel?
OK, what I have done in some really necessary cases: I do not use any NAT from LAN to LAN, but put another router on the LAN interface of the customer, and there you NAT the packets from the PCs, so the LAN-to-LAN communication is not NATed.
I’m still getting into IPSec, but it doesn’t sound like masquerading is the issue. That’s just to allow internal IPs to use one external IP.
It sounds more like your IPSec config is incorrect, in other words you’ve stipulated your LAN network address in place of your external IP.
Packets originating from your network should in fact have the source IP address of the VPN tunnel end point at the supplier’s end (like 195.x.x.1). So when he replies to that address, it gets back to you properly. You’ll probably need a NAT helper (NAT-T) on your end though. IPSec with ESP works ok but not with AH.
In order to hide the LAN address, I created the policy with the src address as our public IP (the same as the SA src address), then in NAT performed a masquerade on packets destined for the remote LAN.
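The arrangement the last post describes, written out as RouterOS CLI. This is an added example, not the thread author's configuration; the public IP, supplier LAN and peer addresses are constructed placeholders from the RFC 5737 documentation ranges, and the rule comments are mine. It assumes the phase 1 peer and proposal already work, as the thread says they do.

```routeros
# Added example: hide 192.168.5.0/24 behind the router's own public IP on the
# supplier tunnel only. Addresses below are constructed placeholders.
:local ourLan      "192.168.5.0/24"
:local ourPublic   "203.0.113.10"      # placeholder: our public IP (= SA src address)
:local supplierLan "198.51.100.0/24"   # placeholder: the supplier's 195.x.x.x LAN
:local supplierGw  "198.51.100.1"      # placeholder: the supplier's IPsec peer

# 1. Policy: the protected source is the public IP as a /32, not the LAN prefix.
#    The Cisco side's mirror policy then only has to know about that one address.
/ip ipsec policy add \
    src-address="$ourPublic/32" dst-address=$supplierLan \
    sa-src-address=$ourPublic sa-dst-address=$supplierGw \
    tunnel=yes action=encrypt level=require proposal=default \
    comment="supplier: LAN hidden behind public IP"

# 2. Source NAT for LAN -> supplier traffic. RouterOS applies srcnat before the
#    IPsec policy lookup on output, so the rewritten source matches the /32 in
#    the policy. Place it ABOVE the general Internet masquerade rule so that
#    rule does not grab the packet first with a different source address.
/ip firewall nat add chain=srcnat place-before=0 \
    src-address=$ourLan dst-address=$supplierLan \
    action=src-nat to-addresses=$ourPublic \
    comment="supplier: src-nat 192.168.5.x to public IP"

# 3. The office-to-office tunnels must keep their real LAN addresses, so the
#    generic masquerade rule should only touch traffic that is NOT about to be
#    encrypted (ipsec-policy=out,none). Replace the existing masquerade rule's
#    number (here 1) with the real one on your router.
/ip firewall nat set 1 ipsec-policy=out,none

# 4. Checks: the src-nat counter should climb when a LAN host talks to the
#    supplier, and an installed SA pair should appear for the new policy.
/ip firewall nat print stats where comment~"supplier"
/ip ipsec installed-sa print
```

If the supplier's Cisco still reports 192.168.5.x sources, the NAT rule is sitting below the masquerade rule or its dst-address does not cover the prefix the supplier is actually routing to you.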