Chaining VPNs using Phase2 NAT

  • Good afternoon,

    I'm about to attempt sharing connectivity of a service that's provided to us from a 3rd party to our HQ with our remote offices.
    We have tunnels to our HQ from each location, and the VPN to our external service uses Phase 2 NATing.

    I'm not sure about the best way to do this.

    I'm thinking that I could extend the local subnet range in the phase 2 config of IPSEC5 to include all the subnets.
    However… the remotes are 192's whereas HQ's are 10's, so that would be one massive range.

    Am I able to NAT traffic from the remote sites to a reserved IP within the 10 range (at the HQ) and set static routes (at the remote sites), making it look like they are part of the HQ network?

    RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
    RemoteOffice2 <=IPSEC2=> HQ <=IPSEC5/Phase2NAT=> ExternalService
    RemoteOffice3 <=IPSEC3=> HQ <=IPSEC5/Phase2NAT=> ExternalService

    I'm not sure... any suggestions would be appreciated.


  • Unfortunately I don't have access to the VPN for the external source (so creating additional phase 2 tunnels isn't possible).
    I could put in a change request but that leads to a game of Chinese whispers, wrong departments, not allowed to speak direct and then eventually get it resolved 6 months later.

    The VPN to the external service already has Phase 2 NATing so our local subnets appear as a different range to them.

    If all of the remote sites were on 10 ranges then I could just extend the local subnet on our endpoint of the external service VPN and set routes for the remote offices. (Unless IPSec wouldn't support it)

  • O o o… Would this work?

    Using just one site as an example:
    If I extend the local subnet range of IPSEC5/Phase2NAT to include the NAT'd range of IPSEC2/Phase2NAT, whilst making an additional tunnel for the remote site.

    Something like...

    RemoteOffice1 <=IPSEC1=> HQ <=IPSEC5/Phase2NAT=> ExternalService
    RemoteOffice1 <=IPSEC2/Phase2NAT=> HQ <=IPSEC5/Phase2NAT=> ExternalService
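Modelling the two approaches weighed in this thread (extending IPSEC5's Phase 2 local range to cover the 192 remotes, versus 1:1 NATing each remote subnet into a reserved block of HQ's 10 range so the existing IPSEC5 selector still fits) as an added example, not something posted in the thread. All addresses, the HQ /16, the remote /24s and IPSEC5's assumed local selector are constructed placeholders.

```python
import ipaddress

# Constructed topology (assumptions, not from the thread): HQ is 10.0.0.0/16 with
# 10.0.0.0/22 already in use, the remotes are 192.168.x.0/24, and IPSEC5's existing
# local Phase 2 selector is the HQ /16.
HQ_LAN = ipaddress.ip_network("10.0.0.0/16")
HQ_USED = [ipaddress.ip_network("10.0.0.0/22")]
REMOTES = {
    "RemoteOffice1": ipaddress.ip_network("192.168.1.0/24"),
    "RemoteOffice2": ipaddress.ip_network("192.168.2.0/24"),
    "RemoteOffice3": ipaddress.ip_network("192.168.3.0/24"),
}
IPSEC5_LOCAL = ipaddress.ip_network("10.0.0.0/16")


def covering_selector(networks):
    """Option A: the single CIDR that would cover every network in one Phase 2 selector."""
    sel = networks[0]
    while not all(n.subnet_of(sel) for n in networks):
        sel = sel.supernet()          # widen one bit at a time until everything fits
    return sel


def allocate_nat_blocks(remotes, hq_lan, used):
    """Option B: reserve one unused /24 inside hq_lan per remote /24 for 1:1 NAT."""
    free = (b for b in hq_lan.subnets(new_prefix=24)
            if not any(b.overlaps(u) for u in used))
    mapping = {}
    for name, net in remotes.items():
        if net.prefixlen != 24:
            raise ValueError(f"{name}: this model only handles /24 remotes")
        mapping[name] = (net, next(free))   # each remote gets its own reserved block
    return mapping


def translate(src, mapping):
    """Apply HQ's 1:1 NAT: keep the host part, swap the network part."""
    src = ipaddress.ip_address(src)
    for net, nat_net in mapping.values():
        if src in net:
            return nat_net[int(src) - int(net.network_address)]
    return src                          # HQ hosts and unmapped sources pass untouched


def matches_ipsec5(src, mapping, selector=IPSEC5_LOCAL):
    """Would this source, after HQ's NAT, match IPSEC5's local Phase 2 selector?"""
    return translate(src, mapping) in selector


if __name__ == "__main__":
    print("Option A selector:", covering_selector([HQ_LAN] + list(REMOTES.values())))
    m = allocate_nat_blocks(REMOTES, HQ_LAN, HQ_USED)
    for name, (net, nat) in m.items():
        print(f"{name}: {net} -> {nat}")
    print("192.168.2.25 ->", translate("192.168.2.25", m), matches_ipsec5("192.168.2.25", m))
```

Option A collapses to 0.0.0.0/0 because 10.x and 192.x differ in their first bit, which is the "one massive range" concern; option B keeps IPSEC5's selector unchanged and only consumes one spare /24 per remote.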