Configuring NAT over a Site-to-Site IPsec VPN connection

Introduction

This article describes how to configure NAT over an IPsec VPN so that the local subnets behind each XG Firewall can be told apart when those subnets overlap.

The following sections are covered:

  • Configure XG Firewall 1.
  • Configure XG Firewall 2.
  • Establish the IPsec connection.
  • Confirm traffic flow.
  • Additional information.

All configuration details are based on the network in the diagram shown below.

Site-to-site IPsec NAT network diagram

Configure XG Firewall 1

Configure the first XG Firewall to NAT traffic over the site-to-site connection.

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Local LAN IP host configuration XG one
  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Local NATed LAN IP host configuration XG one
  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Remote NATed LAN IP host configuration XG one
  4. Go to VPN > IPsec connections and select Add.
  5. Configure the IPsec connection using the parameters below:

    XG one IPsec configuration
  6. Click Save.
  7. Click the status indicator (Inactive indicator) to activate the connection.

    XG one activate IPsec connection
  8. Go to Rules and policies > Firewall rules and click Add firewall rule.
  9. Create two rules, as shown below:

    One rule to allow inbound traffic.

    Inbound firewall rule XG one

    One rule to allow outbound traffic.

    Outbound firewall rule XG one

    Note: Make sure that VPN firewall rules are at the top of the firewall rule list.

Configure XG Firewall 2

Configure the second XG Firewall to NAT traffic over the site-to-site connection.

  1. Go to Hosts and services > IP host, select Add, and create the local LAN.

    Local LAN IP host configuration XG two
  2. Go to Hosts and services > IP host, select Add, and create the local NATed LAN.

    Local NATed LAN IP host configuration XG two
  3. Go to Hosts and services > IP host, select Add, and create the remote NATed LAN.

    Remote NATed LAN IP host configuration XG two
  4. Go to VPN > IPsec connections and select Add.
  5. Configure the IPsec connection using the parameters below:

    XG two IPsec configuration
  6. Click Save.
  7. Click the status indicator (Inactive indicator) to activate the connection.

    XG two activate IPsec connection
  8. Go to Rules and policies > Firewall rules and click Add firewall rule.
  9. Create two rules, as shown below:

    One rule to allow inbound traffic.

    Inbound firewall rule XG two

    One rule to allow outbound traffic.

    Outbound firewall rule XG two

    Note: Make sure that VPN firewall rules are at the top of the firewall rule list.

Establish the IPsec connection

Once both XG Firewall devices at the head and branch offices are configured, you must establish the IPsec connection.

  1. Go to VPN > IPsec connections.
  2. Click the status indicator (Inactive indicator) to activate the connection.

    Active IPsec connection
    The connection indicator turns green when the connection is established.

    IPsec connection established

Confirm traffic flow

  1. Generate some traffic that goes across the VPN connection.
  2. Go to Rules and policies > Firewall rules.
  3. Confirm the firewall rules created earlier are allowing traffic flow in both directions.

    Confirm firewall rules allow traffic
  4. Go to Reports > VPN and confirm IPsec usage.

    IPsec report traffic
  5. Click on the connection name to show further details.

    IPsec report connection details

Additional information

In a head and branch office configuration, the XG Firewall at the branch office usually acts as the tunnel initiator and the XG Firewall at the head office as the responder, for the following reasons:

  • When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.
  • As the number of branch offices varies, we recommend that each branch office retries the connection rather than the head office retrying all connections to the branch offices.

The example scenario in this guide shows a 1:1 NAT. Depending on the network requirements, it is also possible to configure a 1:n NAT (SNAT) or a full NAT.
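The addressing behind the local LAN, local NATed LAN and remote NATed LAN objects created on each firewall above is only visible in the screenshots, so the following added example (written for this page, not Sophos code and not taken from the article) makes the 1:1 NAT concrete. All addresses are constructed: both sites use 192.168.1.0/24 locally, so each site presents itself to the tunnel under its own NATed range, and a host at site 1 reaches a site 2 host by its remote NATed address rather than its real, ambiguous one. The `validate_plan` checks are the ones a practitioner would want to run before committing the configuration; they are not checks the firewall itself performs.

```python
"""1:1 NAT over a site-to-site IPsec tunnel between two sites with the same LAN range."""
from ipaddress import IPv4Address, IPv4Network

# Constructed example addressing (the article shows these values only in screenshots).
# "local" is the real LAN behind each firewall; "nated" is the range that LAN is
# presented as inside the tunnel (local NATed LAN on one side = remote NATed LAN on the other).
SITE1 = {"local": IPv4Network("192.168.1.0/24"), "nated": IPv4Network("10.1.1.0/24")}
SITE2 = {"local": IPv4Network("192.168.1.0/24"), "nated": IPv4Network("10.2.2.0/24")}


def validate_plan(site_a, site_b):
    """Return a list of problems with the NAT plan; an empty list means it is consistent."""
    problems = []
    # 1:1 NAT keeps the host part of the address, so both prefixes must be the same size.
    for name, site in (("site A", site_a), ("site B", site_b)):
        if site["local"].prefixlen != site["nated"].prefixlen:
            problems.append(f"{name}: local and NATed prefixes differ in size")
    # Each peer routes to the other's NATed range, so the two NATed ranges must not
    # overlap each other and must not collide with the peer's real LAN.
    if site_a["nated"].overlaps(site_b["nated"]):
        problems.append("NATed ranges overlap each other")
    if site_a["nated"].overlaps(site_b["local"]):
        problems.append("site A NATed range overlaps site B local LAN")
    if site_b["nated"].overlaps(site_a["local"]):
        problems.append("site B NATed range overlaps site A local LAN")
    return problems


def translate(addr, src_net, dst_net):
    """Map one address 1:1 from src_net to dst_net, preserving the host offset."""
    addr = IPv4Address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + offset)


def tunnel_flow(src_host, dst_nated_host, site_a, site_b):
    """Follow a packet from a host on site A's real LAN to a host on site B's real LAN,
    addressed by its site B NATed address. Returns the (src, dst) pair at each stage."""
    stages = {"lan_a": (IPv4Address(src_host), IPv4Address(dst_nated_host))}
    # Outbound on firewall A: the source is rewritten into A's NATed range before the
    # packet enters the tunnel, so site B never sees an address from its own LAN range.
    src_on_wire = translate(src_host, site_a["local"], site_a["nated"])
    stages["tunnel"] = (src_on_wire, IPv4Address(dst_nated_host))
    # Inbound on firewall B: the destination is rewritten from B's NATed range to B's real LAN.
    dst_real = translate(dst_nated_host, site_b["nated"], site_b["local"])
    stages["lan_b"] = (src_on_wire, dst_real)
    return stages


if __name__ == "__main__":
    print("plan problems:", validate_plan(SITE1, SITE2) or "none")
    for stage, (src, dst) in tunnel_flow("192.168.1.10", "10.2.2.20", SITE1, SITE2).items():
        print(f"{stage:7s} {src} -> {dst}")
```

The reply path is the same function with the sites swapped: `tunnel_flow("192.168.1.20", "10.1.1.10", SITE2, SITE1)` shows the site 2 host's source rewritten to 10.2.2.20 and the destination 10.1.1.10 restored to 192.168.1.10. A plan in which one site's NATed range is left equal to its real LAN fails `validate_plan`, which is exactly the overlap the article's configuration exists to avoid.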