Kindly help me out to solve a config issue. As per the attached diagram, I am able to set up an IPsec VPN and it works. Now I have to NAT the local network at the branch end to connect servers at the branch with HQ. I have no control over the VPN router at the ISP end. Kindly let me know how to make traffic from branch LAN 172.16.16.0/24 reachable to HQ LAN 192.168.78.0.
Not enough info. With a tunnel between the HQ router and the branch router, for 192.168.78.0/24 on one side and 172.16.16.0/24 on the other, it should just work. The only thing you need is to exclude traffic from 172.16.16.0/24 to 192.168.78.0/24 from the main srcnat/masquerade. Or is the config in any way different?
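The srcnat exemption this reply describes, as an added example that is not part of the original thread. It assumes the routers run MikroTik RouterOS (the srcnat/masquerade wording suggests that, but the thread does not say so) and that the WAN interface is named ether1 (assumed name):

```routeros
# Added example, not from the thread. Assumes MikroTik RouterOS; "ether1" is an assumed WAN interface name.
# Branch router: packets for the HQ LAN must keep their real 172.16.16.x source address.
# srcnat runs before IPsec policy matching, so a masqueraded packet (source rewritten to the
# WAN address) no longer matches the 172.16.16.0/24 <-> 192.168.78.0/24 policy and is sent
# unencrypted along the default route instead of into the tunnel.
/ip firewall nat
add chain=srcnat src-address=172.16.16.0/24 dst-address=192.168.78.0/24 action=accept comment="no NAT for HQ-bound traffic; must stay above the masquerade rule"
add chain=srcnat out-interface=ether1 action=masquerade comment="default masquerade for internet traffic"

# Mirror image on the HQ router (WAN interface assumed to be ether1 there as well).
/ip firewall nat
add chain=srcnat src-address=192.168.78.0/24 dst-address=172.16.16.0/24 action=accept comment="no NAT for branch-bound traffic"
add chain=srcnat out-interface=ether1 action=masquerade

# Alternative to listing subnets: exempt anything that an outbound IPsec policy will encrypt.
# add chain=srcnat ipsec-policy=out,ipsec action=accept place-before=0

# Checks: the accept rule must print above the masquerade rule, and its counters must grow
# while a host in 172.16.16.0/24 pings 192.168.78.x.
/ip firewall nat print
/ip firewall nat print stats
```

If the masquerade rule already exists, add the accept rule with `place-before=0` (or the masquerade rule's number) so it is evaluated first; rule order is the whole point of this fix.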
Thanks for your prompt response. There was a bit of a typo in the diagram. The site-to-site IPsec tunnel is established between HQ and the ISP core router. Any traffic coming from 192.168.78.0/24 is reachable to 10.126.192.160/28, i.e. the ISP end. Now the ISP routes this traffic over their media and the branch is getting IP 10.126.192.160 on the branch end. Users at the branch have their LAN on network 172.16.16.0/24, so we need to do NAT here so that users sitting at 172.16.16.0/24 are able to reach 192.168.78.0/24 and 192.168.78.0/24 is able to reach 172.16.16.0/24. I have no control over the ISP router, so I can make changes on the branch and HQ routers only.
To access the branch from HQ, you need help from someone else. First, the tunnel needs to know about 172.16.16.0/24 and be able to transport packets to and from it. And the same goes for the ISP router.
Thanks for your prompt response and support. I am able to reach the branch office. Now, from branch to HQ, can you suggest which option will work? Should I go with a filter rule or a NAT rule, or should I define a VPN policy at the HQ and ISP VPN routers?
The clean solution is to make everything aware of 172.16.16.0/24. So add another policy to the tunnel (192.168.78.0/24 ↔ 172.16.16.0/24) and add a route to it on the ISP router (destination 172.16.16.0/24, gateway 10.126.192.162). Then everything will work directly and you won’t even need the NAT rule you just added.
Without that, there’s not much you can do. If HQ, the tunnel or the ISP router don’t know about 172.16.16.0/24, no direct connections are possible. You could only forward ports from 10.126.192.162 to 172.16.16.x.
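Both options from this reply, the clean second tunnel policy and the port-forward fallback, as an added example that is not part of the original thread. It assumes MikroTik RouterOS on the HQ and branch routers, an existing IPsec peer entry on the HQ router named isp-core (assumed name), a branch WAN interface named ether1 (assumed), and, for the fallback, a hypothetical server 172.16.16.10 reached on tcp/3389:

```routeros
# Added example, not from the thread. Assumes MikroTik RouterOS; "isp-core", "ether1",
# 172.16.16.10 and tcp/3389 are assumed or hypothetical values.

# --- Clean solution, HQ router: a second phase-2 policy covering the branch LAN ---
# The existing policy (192.168.78.0/24 <-> 10.126.192.160/28) only describes the ISP hand-off
# network, so packets for 172.16.16.0/24 never enter the tunnel until a policy names them.
/ip ipsec policy
add peer=isp-core tunnel=yes src-address=192.168.78.0/24 dst-address=172.16.16.0/24 protocol=all action=encrypt level=require ipsec-protocols=esp proposal=default comment="HQ LAN <-> branch LAN"

# The ISP side (not under your control) must add the mirror of that policy on its tunnel
# to HQ plus a static route. In RouterOS syntax (assumed; their platform may differ):
#   /ip ipsec policy add ... src-address=172.16.16.0/24 dst-address=192.168.78.0/24 ...
#   /ip route add dst-address=172.16.16.0/24 gateway=10.126.192.162
# Branch router: 192.168.78.0/24 is reached through the default route towards the ISP, so no
# extra route and no NAT rule is needed; disable any srcnat/netmap rule added for this.

# Checks on HQ: the new policy should show an active phase-2 SA and the SA counters should
# rise while a 192.168.78.x host pings a 172.16.16.x host.
/ip ipsec policy print
/ip ipsec installed-sa print

# --- Fallback, branch router: nothing upstream learns 172.16.16.0/24, so publish single ports ---
# HQ-originated packets arrive with a 192.168.78.x source (the existing tunnel already carries
# 192.168.78.0/24 <-> 10.126.192.160/28), so the forward can be restricted to that source.
/ip firewall nat
add chain=dstnat dst-address=10.126.192.162 src-address=192.168.78.0/24 protocol=tcp dst-port=3389 action=dst-nat to-addresses=172.16.16.10 to-ports=3389 comment="HQ -> branch server (hypothetical port)"
# Let only the forwarded connection through the forward chain; put this above any drop rule.
/ip firewall filter
add chain=forward in-interface=ether1 src-address=192.168.78.0/24 dst-address=172.16.16.10 protocol=tcp dst-port=3389 connection-nat-state=dstnat action=accept place-before=0 comment="allow forwarded HQ -> branch traffic"
```

In the fallback, branch-initiated connections towards HQ still work without any extra rule: the branch masquerade rewrites them to 10.126.192.162, which the existing tunnel policy covers, so only HQ-initiated connections need a port forward, one rule per exposed service. Keep the src-address restriction on the dstnat rule; without it the service is reachable from anything the ISP routes to 10.126.192.162.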