Routing OpenVPN-Connection over NATed IPsec

  • Hi!

    I am confronted with a problem regarding a connection from one of our branch offices over our main office network.

    Following scenario:
    Site A (branch office)
    Site B (main office)
    Site C (customer)

    There is an OpenVPN-S2S-Tunnel that connects Site A to Site B, which works just fine. Site A uses as LAN, with as tunnel network for OpenVPN.

    Site B is connected to the network of a customer via IKEv2-Tunnel. Phase 2 of the tunnel routes from a main office LAN ( to the remote network (, using a NAT translation to the address, so that all traffic originates from this address. I know that this removes the possibility to initiate connections from the remote side, but this is not required.

    What I want to do now is to enable our branch office network ( to access the network via our IKEv2-connection, without changing the configuration of our IKEv2-Tunnel. Normally, I would just create another Phase 2 that just NATs the network to that specific address, but if I remember correctly, this would break our tunnel if the customer does not change the configuration to the Phase 2 on his side as well, as the configs are not the same and IKEv2 is very picky about the configs being the exact same on both sides. Therefore, we want to avoid changing the configuration altogether, as we have no control over the customer's router.

    My approach here would be to create a route on the branch office router that sends all traffic for the network over (the OpenVPN gateway to our main office). After that, I think I would need to NAT the connection from a network to an address from the address space, so that another NAT, namely the one already configured for the ...104.0/24 network in the Phase 2 of the tunnel, can take effect.

    This means I would need a first inbound NAT rule that looks something like this:
    Port Forward
    Source Address Ports * -> Dest. Address Ports * / NAT IP 192.168.104.x Ports *

    Which should then lead to the NAT rule configured in the P2 to take effect, which should then NAT the 192.168.104.x address to and making a connection possible.

    I have not tried this setup yet, and wanted to know if there are any general flaws in my process of thought here, or if this setup does work at all? Any input is greatly appreciated!
