Vyatta VC5 - Apply NAT Policies over IPsec Tunnel Mode Site-to-Site VPN Traffic: Part 1 - A Simple Scenario

I don't know what's Vyatta's marketing term for this, but in the bellow lines we will apply NAT policies over IPsec tunnel mode s2s VPN traffic using Vyatta VC5.

Please note that although many VPN gateways are today integrated into a device that also incorporates a firewall, IPS, VPN server, etc, and such devices may support various NAT rules, that does not mean they will have the ability to apply advanced NAT policies over the s2s VPN traffic.
Typically, a VPN gateway may be a able to NAT the s2s VPN traffic using the IP address configured on its external interface(interface which terminates the s2s).
So please check that with your third-party VPN gateway vendor if you want to do the same on this remote VPN gateway.

These advanced NAT policies can help for example in the overlapped subnets scenario(which we will discuss in part two of this article), or just to mask the subnets behind the VPN gateways in a business-to-business scenario(we will do that in the bellow lines).

So, say you have a subnet behind a Vyatta router, 192.168.40.0/24, and an IPsec tunnel mode s2s VPN between this router and a remote router. For convenience, within the bellow lines the remote VPN gateway will be another Vyatta(on which we will also apply NAT policies over the VPN IPsec s2s VPN traffic).
You want to mask the subnet behind Vyatta.
Clients behind Vyatta need to access a few servers located on the remote site, and the clients located on the remote site need to access a few servers located behind Vyatta.

Thus we will hide the local subnet 192.168.40.0/24 as 192.168.210.0/24, local clients (192.168.40.100-192.168.40.200) being masked as 192.168.210.192/29 and local servers(192.168.40.10 and 192.168.40.11) as 192.168.210.10 and 192.168.210.11(we have assumed we have two servers behind Vyatta that need to be accessed the clients located on the remote site).
We used a pool of IP addresses to mask the local clients, but we could have just used a single IP address to do that.
Please note that none of Vyatta's physical interfaces has an IP address from the 192.168.210.0/24 subnet as we don't really need that.

Read moreā€¦

Comments are closed