Chaining VPNs using Phase2 NAT
-
Good afternoon,
I'm about to attempt sharing connectivity of a service that's provided to us from a 3rd party to our HQ to our remote offices.
We have tunnels to our HQ from each location and the VPN to our external service uses Phase 2 NATingI'm not sure about the best way to do this.
I'm thinking that I could extend the local subnet range in the phase 2 config of IPSEC5 to include all the subnets.
However… the remotes are 192's whereas HQ's are 10's, so that would be one massive range.Am I able to NAT traffic from the remote sites to a reserved IP within the 10 range (at the HQ) and set static routes (at the remote sites) making it look like they are part of the HQ network ?
RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
RemoteOffice2 <=IPSEC2=> HQ <=IPSEC5/Phase2NAT=> ExternalService
RemoteOffice3 <=IPSEC3=> HQ <=IPSEC5/Phase2NAT=> ExternalServiceI'm not sure... any suggestions would be appreciated.
Thanks
-
https://forum.pfsense.org/index.php?topic=86973.0
-
Unfortunately I don't have access to the VPN for the external source (so creating additional phase 2 tunnels isn't possible).
I could put in a change request but that leads to a game of Chinese whispers, wrong departments, not allowed to speak direct and then eventually get it resolved 6 months later.The VPN to the external service already has Phase 2 NATing so our local subnets appear as a different range to them.
If all of the remote sites were on 10 ranges then I could just extend the the local subnet on our endpoint of the external service vpn and set routes for the remote offices. (Unless IPSec wouldn't support it)
-
O o o…. Would this work ?
Using just one site as an example
If I extend the local subnet range of IPSEC5/Phase2NAT to include the NAT'd range of IPSEC2/Phase2NAT whilst making an additional tunnel for the remote site.Something like...
RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
RemoteOffice1 <=IPSEC2/Phase2NAT=> HQ <=IPSEC5/Phase2NAT=> ExternalServiceThanks