IPSEC NAT through virtual subnet
-
Hi
I have been tasked with setting up an IPsec tunnel to a 3rd-party supplier (who have a Cisco firewall/router), but NATing through an intermediate /28 subnet at our end.
On our lan side we have a /23 and also a /24 OpenVPN subnet for current remote workers.
They have requested we NAT to a single IP in the intermediate subnet, so my understanding was that I put one of those IPs into the NAT/BINAT section as a /32 on the P2s.
On the remote side there are 3 separate networks, so we had 3 x P2s set up.
Using IKEv2 in tunnel mode. In that configuration, Phase 1 is connecting consistently but only one of the Phase 2s would connect at any one time. We have the split option enabled.
Having discussed with the 3rd party's senior network guy, he believes we should assign the intermediate subnet to the LAN side of the tunnel for each of the P2s rather than set it under NAT/BINAT, then NAT our LAN to the intermediate subnet.
Doing it this way we did manage to get more than one P2 to connect at the same time, but we didn't see any traffic crossing the tunnel, so I assume the NAT setup is wrong. So my questions:
- does that seem a valid way to do things?
- Do I have to add the intermediate subnet as virtual addresses (IP Alias or CARP)?
- On the Outbound NAT rule which interface should I select (IPSEC?)
- Is there any other necessary configuration other than a firewall rule?
Any advice appreciated.
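The design in the post rests on one rule of IPsec phase 2: a packet only rides a child SA when its (source, destination) pair falls inside that P2's local/remote traffic selectors, and outbound NAT has to have rewritten the source before that match happens. The model below is an added example written for this thread, not the poster's configuration or any firewall's code. It simulates both layouts the post describes (BINAT /32 as the P2 local side, and the whole intermediate /28 as the local side with outbound NAT to one address in it) against three remote P2s. All addresses are assumptions chosen from documentation ranges, since the post gives no prefixes.

```python
"""Model of IPsec phase-2 traffic-selector matching with outbound source NAT.

Added example for the thread above, not code from the post. Constructed
addresses (the real prefixes are not given in the post):
  LAN            10.0.0.0/23      OpenVPN clients  10.0.8.0/24
  intermediate   192.0.2.0/28     NAT address      192.0.2.1
  supplier side  three networks under 172.16.0.0/12
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Phase2(NamedTuple):
    name: str
    local_ts: object    # ip_network: what the supplier sees as "our" side
    remote_ts: object   # ip_network: one supplier network per P2


class NatRule(NamedTuple):
    source: object        # ip_network matched against the original source
    destination: object   # ip_network matched against the destination
    translate_to: object  # ip_address the source is rewritten to


INTERMEDIATE = ip_network("192.0.2.0/28")       # assumed /28
NAT_IP = ip_address("192.0.2.1")                # assumed single NAT address
INSIDE_NETS = [ip_network("10.0.0.0/23"), ip_network("10.0.8.0/24")]
REMOTE_NETS = {                                 # assumed supplier networks
    "p2-site-a": ip_network("172.16.10.0/24"),
    "p2-site-b": ip_network("172.16.20.0/24"),
    "p2-site-c": ip_network("172.16.30.0/24"),
}


def phase2_set(local_ts: str) -> List[Phase2]:
    """Three P2s that share one local selector and differ only in remote_ts."""
    local = ip_network(local_ts)
    return [Phase2(name, local, remote) for name, remote in REMOTE_NETS.items()]


# Layout 1 from the post: the NAT address itself (/32) is the P2 local side.
PHASE2S_BINAT = phase2_set("192.0.2.1/32")
# Layout 2: the whole intermediate /28 is the P2 local side.
PHASE2S_SUBNET = phase2_set("192.0.2.0/28")

# Outbound NAT: every inside network, towards every remote network, becomes NAT_IP.
NAT_RULES = [NatRule(inside, remote, NAT_IP)
             for inside in INSIDE_NETS for remote in REMOTE_NETS.values()]


def apply_outbound_nat(src, dst, rules: List[NatRule]):
    """First matching rule wins, like an ordered outbound NAT table."""
    for rule in rules:
        if src in rule.source and dst in rule.destination:
            return rule.translate_to
    return src


def select_phase2(src, dst, phase2s: List[Phase2]) -> Optional[Phase2]:
    """A child SA is used only if both selectors cover the (post-NAT) packet."""
    for p2 in phase2s:
        if src in p2.local_ts and dst in p2.remote_ts:
            return p2
    return None


def route_packet(src: str, dst: str, phase2s: List[Phase2],
                 nat_rules: List[NatRule]) -> Tuple[str, Optional[str]]:
    """Return (source after NAT, name of the P2 that carries it, or None)."""
    s, d = ip_address(src), ip_address(dst)
    nat_src = apply_outbound_nat(s, d, nat_rules)   # NAT runs before the TS match
    p2 = select_phase2(nat_src, d, phase2s)
    return str(nat_src), (p2.name if p2 else None)


def nat_address_is_consistent(phase2s: List[Phase2]) -> bool:
    """The NAT address must sit inside the intermediate block and every P2's local TS."""
    return NAT_IP in INTERMEDIATE and all(NAT_IP in p2.local_ts for p2 in phase2s)


if __name__ == "__main__":
    for layout, p2s in (("binat /32", PHASE2S_BINAT), ("subnet /28", PHASE2S_SUBNET)):
        print(layout, route_packet("10.0.1.20", "172.16.10.5", p2s, NAT_RULES))
    # Same packet with no outbound NAT at all: the raw LAN source matches no P2.
    print("no NAT   ", route_packet("10.0.1.20", "172.16.10.5", PHASE2S_SUBNET, []))
```

The third case is the one worth keeping in mind when a tunnel is up but carries nothing: with the intermediate subnet as the P2 local side, a packet that still has its 10.x source when the selector lookup happens matches no child SA and is simply not encrypted, which looks exactly like "P2 connected, no traffic". The model also makes the multi-P2 point visible: the three P2s differ only by remote selector, so which SA a packet takes is decided by destination, while the post-NAT source must be inside the local selector of all of them.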