Netgate Discussion Forum
    Double NAT outbound over IPSec

    IPsec
    2 Posts 2 Posters 592 Views
    • fifty_bellies

      I have multiple sites that were set up before me. They all use the same private address on the LAN side - 192.168.0.0/24

      I need to bring up an IPSec VPN connection to a remote Cisco box. No problems here - site one connected and running fine.

      The problem starts when I try to bring up site 2 as it has the same "encryption domain" (LAN subnet) as site 1. Is there any way I can NAT the private address before it hits the IPSec tunnel? Something like:

      LAN (192.168.0.1) ----> 192.168.0.254 (netgate LAN) ---> OUTBOUND NAT (192.168.155.0.1) ----> IPSec Tunnel <----- Cisco Concat.

      This would perform 2 translations allowing the Cisco box to see the unique subnet of 192.168.155.0/24 (thus, avoiding any conflicts). Is this "do-able" and if so, any pointers?

      thanks

      • viragomann @fifty_bellies


        @fifty_bellies
        You can do this by entering the desired translation network in the phase 2 at "NAT/BINAT translation".

        However, consider that on the remote site you also have to replace the remote network with the NAT network.
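
        As an added illustration (not part of the thread, and not pfSense's or Netgate's own code), here is a small Python model of what the Phase 2 "NAT/BINAT translation" setting does and what each end has to configure when two sites share 192.168.0.0/24. Only 192.168.0.0/24 and 192.168.155.0/24 come from the question; the Cisco-side network 10.10.0.0/24, the site names and all function names are assumptions made for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed scenario (not from the thread): both sites really use
# 192.168.0.0/24 behind pfSense; the Cisco side is assumed to be 10.10.0.0/24.
REMOTE_NET = "10.10.0.0/24"
SITES = [
    {"name": "site1", "lan": "192.168.0.0/24", "binat": None},
    {"name": "site2", "lan": "192.168.0.0/24", "binat": "192.168.155.0/24"},
]


def binat_translate(addr: str, inside: str, outside: str) -> str:
    """1:1 network translation: keep the host part of `addr`, swap the
    network part of `inside` for that of `outside` (what BINAT does)."""
    a = IPv4Address(addr)
    i, o = IPv4Network(inside), IPv4Network(outside)
    if i.prefixlen != o.prefixlen:
        raise ValueError("BINAT needs networks of the same size")
    if a not in i:
        raise ValueError(f"{a} is not inside {i}")
    host_part = int(a) - int(i.network_address)
    return str(IPv4Address(int(o.network_address) + host_part))


def binat_untranslate(addr: str, inside: str, outside: str) -> str:
    """Reverse mapping for return traffic arriving from the tunnel."""
    return binat_translate(addr, outside, inside)


def phase2_plan(sites, remote_net):
    """Derive the Phase 2 traffic selectors both ends must agree on.
    Raises ValueError if two sites (or a site and the remote side) would
    present overlapping selectors to the Cisco."""
    remote = IPv4Network(remote_net)
    plan, seen = [], []
    for s in sites:
        local_ts = IPv4Network(s["binat"] or s["lan"])
        if local_ts.overlaps(remote):
            raise ValueError(f"{s['name']}: {local_ts} overlaps remote {remote}")
        for other, ts in seen:
            if ts.overlaps(local_ts):
                raise ValueError(
                    f"{s['name']}: selector {local_ts} collides with {other} "
                    f"({ts}); give it a unique NAT/BINAT translation network")
        seen.append((s["name"], local_ts))
        plan.append({
            "site": s["name"],
            "pfsense_local_network": s["lan"],       # Phase 2 "Local Network"
            "pfsense_nat_binat": s["binat"],         # Phase 2 "NAT/BINAT translation"
            "pfsense_remote_network": str(remote),   # Phase 2 "Remote Network"
            "tunnel_local_selector": str(local_ts),  # what the SA actually carries
            "cisco_remote_network": str(local_ts),   # Cisco must use this, not the real LAN
        })
    return plan


def selector_conflict(sites, remote_net) -> bool:
    """True when phase2_plan would reject the configuration."""
    try:
        phase2_plan(sites, remote_net)
    except ValueError:
        return False or True
    return False


def simulate_flow(src: str, lan: str, binat):
    """Source address as the Cisco sees it, and the LAN address the reply
    is delivered to after untranslation."""
    if binat is None:
        return src, src
    on_wire = binat_translate(src, lan, binat)
    return on_wire, binat_untranslate(on_wire, lan, binat)


if __name__ == "__main__":
    for row in phase2_plan(SITES, REMOTE_NET):
        print(row)
    print(simulate_flow("192.168.0.10", "192.168.0.0/24", "192.168.155.0/24"))
    # The thread's starting point: both sites untranslated -> rejected.
    print("conflict:", selector_conflict([dict(s, binat=None) for s in SITES], REMOTE_NET))
```

        The `cisco_remote_network` field is the point of the reply above: once site 2 translates to 192.168.155.0/24, the Cisco's crypto ACL or remote selector for that tunnel has to name 192.168.155.0/24, not 192.168.0.0/24, or Phase 2 will not match. The simulated flow also shows why the translation must be 1:1 (same prefix length): the reply to 192.168.155.10 has to map back to exactly 192.168.0.10.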

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.