VPN SITE to SITE with NAT

Riccardo Prandini

Hello, this is the usual question with NAT to avoid overlapping lan.

I'm in a software house , we made software. Recently with covid, like many, we had to move from client site to remote site. The client is a big Company.

They have PaoloAlto / Cisco router to manage more than 3000 people conncted in remote.

To the sofware houses they offer a Site to Site connection via IPSEC .

We have public IP on both side.

(our local-subnets)----(172.21.0.0/16)vlanX[FIREWALL]wan(192.168.0.2)----(192.168.0.1)ISP-Router(188.218.123.123)-----{internet}----(62.97.2.6)wan[Remote-GW-Peer]lan----(remote-subnets)

They give us this informations to establish the tunnel:

Public GW 62.97.2.6
Phase1 AES256-SHA lifetime 86400
Phase2 AES128-SHA1 DH2 Lifetime 28800 PFS no

To route the packet the told us:

If you need to reach an ip in these subnets

10.100.9.0/24
10.209.32.0/24
10.209.12.0/24
10.209.21.0/24
10.210.21.0/24
10.209.40.0/24
10.211.12.0/24
10.211.40.121/32
10.209.24.0/24

Go thru IPSEC tunnel and present yourself as 10.201.123.123.

-------------------------------------A BRIEF HISTORY------------------------------------------------

Our first approach was to use a Zyxel (very easy to config... also for a programmer )

We have created the site to site tunnel one for each subnet.... after second tunnel (i think the have a limit) continuous disconnection.
So we moved to VTI it is working from 1 year but it has not so nice performance and tends to loose packets sometimes.

Before moving to Fortigate /PaoloAlto / Cisco (we have tested a RV series and tanks to cisco support we have established that we need ASA), we have tested RouterOS(no support) IPFire(No support) now we are giving a try to PFsense.

---------------------------------------END OF HISTORY----------------------------------------------

In PFSense It was easy to make it our DHCP, Make it the main DNS server all is ok for the moment to navigate and use it in the LAN.

Now we are at the VPN step.

I have created the rule following the giude.
alt text

alt text

I can establish the tunnel but i can't se the traffic going into it (I don't know if there is a monitor inside pf ) on the other side(big company) ping is disabled and the don't give support

alt text

Another small company of friends uses libreswan they have this configuration everything is inside them server

authby=secret
type=tunnel
aggrmode=no
keyexchange=ikev1
ike=aes256-sha1;modp1024
ikelifetime=86400s
salifetime=28800s
initial-contact=yes
pfs=no
phase2=esp
phase2alg=aes128-sha1;modp1024
leftid=188.218.123.123
left=188.218.123.123
leftsubnet=10.201.123.123
rightid=62.97.2.6
right=62.97.2.6
rightsubnets={ 10.209.32.0/24 10.209.12.0/24 10.209.21.0/24 10.210.21.0/24 10.209.40.0/24 10.211.12.0/24 10.211.40.121/32 10.209.24.0/24 }

What I miss a routing part a firewall rule something wrong in configuration?

viragomann

@riccardo-prandini
Your identifier in P1 should be your public IP of the external router. But obviously the remote server doesn't care about anyway.

In the p2 you should disable AES128-GCM, since it is not provided by the remote site.
The PFS key group has to be set to "2". It might be misleadingly mentioned as DH in the specs.

I don't know if it basically will work when the PAT address lies within the remote network. Since this might be issue, try to split the the remote networks and set up multiple p2. 2 part should be sufficient: 10.208.0.0/14, 10.100.9.0/24.