Add ability to NAT with IPsec VPN - Balance 305

As confirmed by Peplink support, it is not currently possible to NAT IPsec traffic on VPN tunnels terminated on a Balance – sometimes also referred to as D-NAT or S-NAT. We must use another device to perform the NAT before routing to the Balance.

It would be a great benefit to add this NAT functionality to the Balance firmware – many site-to-site VPN tunnels interfacing with Juniper/Cisco equipment require all tunnel traffic to originate from a single IP address (aka. “proxy ID”).

Thank you
Aaron

Hi Aaron,

Proxy ID is usually defined in the format of x.x.x.x/y which is actually a subnet and not a single IP address. Would you mind sharing your Cisco config with us so we can have a check and see if we can help solve the problem?

Steve

Hi Steve,

For this tunnel, our counterparty is requiring us to use a Proxy ID of A.B.C.D/32 for all VPN traffic. This Proxy ID is different than the tunnel endpoint/peer IP.

Here is an equivalent Cisco config:
access-list tunnel_acl permit ip A.B.C.D 255.255.255.255 10.10.76.0 255.255.255.0
access-list tunnel_acl permit ip A.B.C.D 255.255.255.255 10.10.127.214 255.255.255.255

access-list tunnel_nat permit ip 10.0.0.0 255.255.255.0 10.10.76.0 255.255.255.0
access-list tunnel_nat permit ip 10.0.0.0 255.255.255.0 10.10.127.214 255.255.255.255

global (outside) 7 A.B.C.D netmask 255.255.255.224
nat (inside) 7 access-list tunnel_nat

crypto map test 8 ipsec-isakmp
crypto map test 8 match address tunnel_acl
crypto map test 8 set peer W.X.Y.Z

And here is an equivalent LibreSwan/OpenSwan & IPtables config:
conn test
    type=tunnel
    pfs=no
    ikelifetime=86400s
    keylife=28800s
    left=W.X.Y.Z
    leftsubnets={10.10.76.0/24 10.10.127.214/32}
    right=A.B.C.D
    rightnexthop=A.B.C.1
    rightsubnet=A.B.C.D/32

iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -d 10.10.76.0/24 -j SNAT --to-source A.B.C.D
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -d 10.10.127.214/32 -j SNAT --to-source A.B.C.D

Thanks for any advice!
-Aaron

Thanks Aaron, it’s clear now, this definitely makes sense.

The main idea of this feature is to NAT before the packets go into the IPsec tunnel. It can be translated to a single /32 IP address just like your example above, and we are also considering another use case to do a 1-to-1 NAT mapping, just like the iptables NETMAP extension does, to help our IPsec users avoid any network conflict.

I have queued this up on our development roadmap. I can’t give you an exact date of release, but we’ll definitely look into this. Stay tuned.

For further discussion, please go to the following thread in the “Feature Requests” forum, thank you 🙂

Steve, any further update on this development request?

We have a need for it with 2 of our VPN counterparties.

Thank you!
-Aaron

Hi Steve,

I have the same problem as Aaron. I need to go through the tunnel (IPsec VPN) with a specific IP.

Can you help me?

Thanks

Roberto

+1 to add this feature ASAP

+1 to add this feature ASAP. This is requiring an additional device for the NAT and it would be much better if the Balance could handle this.

Hello, should we expect the ability to NAT with IPsec VPN any time soon?

This is currently under development. It is not in any 6.2.x releases, but very likely it will be available in the next major release. Please stay tuned 🙂

Hi, we have just released firmware 6.3.0 beta and in this release we have introduced IPsec NAT Policy.

We are looking forward to your feedback. To try it out, please visit the following link for more information about the beta firmware:

After upgrading to firmware 6.3.0, you can enable IPsec NAT Policy by clicking the “here” link in the Local Networks help text:


A new section will then appear in Local Networks settings. In the upper part you can define the proposed networks (that the remote IPsec gateway will see, probably the virtual NAT network), and in the lower part you can define the NAT policy. Local Network is the real network that exists on the device (e.g. LAN, VLAN, or static routes); NAT Network is the translated virtual network that you need.


Some configuration examples have been given in the Local Networks help text. If there is anything not clear, please don’t hesitate to ask and we will clean it up and push them to the final 6.3.0 GA release. Thank you so much for your patience in waiting for the feature, and I hope this will fit your needs 🙂
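
The two NAT modes discussed in this thread (many-to-one SNAT to a /32 proxy ID, and NETMAP-style 1-to-1 mapping), modelled as an added example that is not Peplink's code or configuration. It applies NAT first and then checks the packet against the negotiated traffic selectors, which is the ordering the thread asks for. Assumptions: 203.0.113.10 stands in for A.B.C.D, 172.16.50.0/24 is a hypothetical virtual NAT network, and all function names are illustrative.

```python
import ipaddress as ip

# Constructed values: 203.0.113.10 stands in for the thread's A.B.C.D,
# and 172.16.50.0/24 is a hypothetical virtual NAT network.
LOCAL_NET = ip.ip_network("10.0.0.0/24")
PROXY_ID = ip.ip_network("203.0.113.10/32")
VIRTUAL_NET = ip.ip_network("172.16.50.0/24")
REMOTE_NETS = [ip.ip_network("10.10.76.0/24"), ip.ip_network("10.10.127.214/32")]


def snat_many_to_one(src, local_net, nat_addr):
    """Many-to-one source NAT: every host in local_net appears as nat_addr."""
    src = ip.ip_address(src)
    return nat_addr if src in local_net else src


def netmap_one_to_one(src, local_net, nat_net):
    """NETMAP-style 1-to-1 NAT: swap the network bits, keep the host bits."""
    src = ip.ip_address(src)
    if src not in local_net:
        return src
    if local_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1-to-1 mapping needs equal prefix lengths")
    host_bits = int(src) & int(local_net.hostmask)
    return ip.ip_address(int(nat_net.network_address) | host_bits)


def selector_match(src, dst, local_ts, remote_ts_list):
    """True if (src, dst) falls inside a negotiated traffic-selector pair."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    return src in local_ts and any(dst in r for r in remote_ts_list)


def tunnel_decision(src, dst, nat, local_ts):
    """Apply NAT first, then the IPsec policy lookup, as the thread requires."""
    translated = nat(src)
    return translated, selector_match(translated, dst, local_ts, REMOTE_NETS)


if __name__ == "__main__":
    to_one = lambda s: snat_many_to_one(s, LOCAL_NET, PROXY_ID.network_address)
    one_to_one = lambda s: netmap_one_to_one(s, LOCAL_NET, VIRTUAL_NET)
    print(selector_match("10.0.0.25", "10.10.76.9", PROXY_ID, REMOTE_NETS))  # no NAT
    print(tunnel_decision("10.0.0.25", "10.10.76.9", to_one, PROXY_ID))
    print(tunnel_decision("10.0.0.25", "10.10.127.214", one_to_one, VIRTUAL_NET))
    print(tunnel_decision("10.0.0.25", "10.10.99.1", to_one, PROXY_ID))
```

Without translation the LAN source address matches no selector, so the packet never qualifies for the tunnel; a destination outside the agreed remote networks fails the lookup even after NAT.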