Netgate Discussion Forum

OpenVPN NAT to IPsec

NAT
  • D
    denndsd
    last edited by Jan 24, 2024, 11:13 AM

    Hi,

    current setup:

    Site A: 10.1.0.0/24
    Site B: 192.168.123.0/24
    Site C: 172.16.0.0/24

    All sites are connected by using the following topology.

    Site A > OpenVPN > Site B > IPsec > Site C

    Now there is one obstacle left.
    We have a printer on Site A that needs to be connected from Site C.
    We need to NAT all connections coming from Site A to Site C by using, for example, 10.123.2.105/32.
    The same for connections coming from Site C to Site A.

    The firewall on Site B should NAT these connections.

    Site B should connect to Site C by using the netmap address 10.123.1.0/24.

    On the IPsec phase 2, all SAs are defined for NATting as local networks.

    How can I do that?
    On the internet I couldn't find any information about it.

    Thanks

    • V
      viragomann @denndsd
      last edited by Jan 24, 2024, 2:17 PM

      @denndsd
      Not clear what you want to achieve here.

      Why NAT? Why don't you just route the traffic?

      • D
        denndsd @viragomann
        last edited by Jan 24, 2024, 2:23 PM

        @viragomann

        Thanks for your reply.
        Unfortunately that's not possible from the server provider.
        So we need to NAT the traffic.

        Where can I NAT the traffic coming from Site A to Site C?
        That is needed on Site B.
        But what do I need to configure?

        • V
          viragomann @denndsd
          last edited by Jan 24, 2024, 2:34 PM

          @denndsd said in OpenVPN NAT to IPsec:

          > Where can I NAT the traffic coming from Site A to Site C?

          Best to do this at site B in the IPsec phase 2. Add an additional p2 with these network settings:
          local: network > 10.1.0.0/24
          BINAT: address > 10.123.2.105
          remote: network > 172.16.0.0/24

          However, you need a p2 at C with the remote network 10.123.2.105/32 then.

          How do you want to NAT C to A?

          D 1 Reply Last reply Jan 24, 2024, 2:46 PM Reply Quote 0
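Added example, not part of any post in this thread: a small Python model of how the phase 2 local network and NAT/BINAT address from the reply above translate traffic in each direction. The mode rules (equal prefix lengths give a 1:1 mapping, a subnet behind a single address gives an outbound-only many-to-one NAT) follow pfSense's documented IPsec phase 2 NAT behaviour and are an assumption of this model; the function names are hypothetical.

```python
import ipaddress as ip

def nat_mode(local, translation):
    """Classify the translation from the two prefixes (model, see lead-in)."""
    local, translation = ip.ip_network(local), ip.ip_network(translation)
    if local.prefixlen == translation.prefixlen:
        return "1:1"             # host<->host or equal-size subnet<->subnet
    if translation.num_addresses == 1:
        return "many-to-one"     # whole subnet hidden behind one address
    return "unsupported"         # mismatched sizes are outside this model

def outbound(src, local, translation):
    """Source address site C sees for traffic from `src`, or None if unmatched."""
    src = ip.ip_address(src)
    local_net, nat_net = ip.ip_network(local), ip.ip_network(translation)
    mode = nat_mode(local, translation)
    if src not in local_net or mode == "unsupported":
        return None
    if mode == "many-to-one":
        return nat_net.network_address
    return nat_net.network_address + (int(src) - int(local_net.network_address))

def inbound(dst, local, translation):
    """Real host for a NEW connection from site C to `dst`, or None."""
    dst = ip.ip_address(dst)
    local_net, nat_net = ip.ip_network(local), ip.ip_network(translation)
    # Only a 1:1 mapping is static; many-to-one has no state for new inbound flows.
    if nat_mode(local, translation) != "1:1" or dst not in nat_net:
        return None
    return local_net.network_address + (int(dst) - int(nat_net.network_address))

if __name__ == "__main__":
    # (local network, NAT/BINAT, host at site A, address site C would dial)
    cases = [("10.1.0.0/24", "10.123.2.105/32", "10.1.0.100", "10.123.2.105"),
             ("10.1.0.100/32", "10.123.2.105/32", "10.1.0.100", "10.123.2.105"),
             ("10.1.0.0/24", "10.123.1.0/24", "10.1.0.23", "10.123.1.23")]
    for local, nat, host, nat_ip in cases:
        print(local, "->", nat, nat_mode(local, nat),
              "| A->C source:", outbound(host, local, nat),
              "| C->A to", nat_ip, "reaches:", inbound(nat_ip, local, nat))
```

In each case the phase 2 at site C has to carry the translated prefix as its remote network, as the reply notes for 10.123.2.105/32.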
          • D
            denndsd @viragomann
            last edited by Jan 24, 2024, 2:46 PM

            @viragomann

            Yes, that was also my idea, to NAT these at the IPsec.
            I think I need the same in the other direction.

            Do I also need additional firewall rules on Site B?

            • D
              denndsd
              last edited by Jan 26, 2024, 4:06 PM

              I've tried that.
              Unfortunately that did not work.
              IP address 10.1.0.100 on Site A should be reachable from Site C.

              I've set the selected settings on the IPsec VPNs.
              Site A is connected by OpenVPN to Site B.
              So is it necessary to make some changes on the OpenVPN tunnel on the Site B firewall?

              • V
                viragomann @denndsd
                last edited by Jan 26, 2024, 4:22 PM

                @denndsd
                At site A you have to route the site C network 172.16.0.0/24 to site B of course, by adding it to the "remote network" in the OpenVPN settings.
                At B you need a firewall rule on the VPN interface to pass the traffic.

                • D
                  denndsd @viragomann
                  last edited by Jan 31, 2024, 8:15 AM

                  @viragomann

                  Okay, it doesn't work.

                  My setup:

                  Firewall Site A: OpenVPN remote network set to 192.168.123.0/24 and 172.16.0.0/24
                  Firewall Site B: OpenVPN local network 192.168.123.0/24 172.16.0.0/24
                  On the virtual IPs I've added every NAT IP address as /32, for example 10.123.1.23/32
                  The rules are from Site A 10.1.0.0/24 -> Site B 192.168.123.0/24 *
                  Site A 10.1.0.0/24 -> Site C 172.16.0.0/24 *
                  Firewall Site B: has an outgoing NAT defined for connections coming from 172.16.0.0/24 to 10.1.0.23, using the NAT IP 10.123.1.23
                  And a port forwarding in the other direction.
                  That's an example setup for one site with one IP. But is that correct?
                  I can't reach Site A from Site C with this setup.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.