
How To Apply NAT over Site-to-Site VPN connection

Applicable Version: 10.00 onwards

Scenario
Consider the following network wherein both the Head Office (HO) LAN and the Branch Office (BO)
LAN have the same internal IP schema.

Network Parameters

HO network details
  VPN server (WAN IP address)    192.168.20.105
  Local LAN address              172.16.16.0/24
  Local NATted address           172.16.15.0/24

BO network details
  VPN server (WAN IP address)    192.168.20.191
  LAN network                    172.16.16.0/24
  NATted address                 172.16.17.0/24

Because both LANs use the same address range, the VPN endpoints cannot distinguish their own
network from the remote one. Any request initiated from HO and destined for BO is served within
HO itself, and vice versa. For example, when a host in HO sends a request to host 172.16.16.10 in
BO, the request is answered by host 172.16.16.10 in HO, because the endpoint routes the
destination as local and the traffic never enters the tunnel.

To solve this, Cyberoam provides NATting over VPN, which lets each Cyberoam present its LAN to
the tunnel under a dummy subnet (the NATted LAN) so that the two ends can be told apart. Each
side addresses the remote hosts by their NATted addresses, and the Cyberoam at each end
translates between the real LAN and the NATted subnet. This article describes how to configure
an IPSec connection using NATted LANs.

HO Configuration
The configuration is done from the HO Cyberoam Web Admin Console using a profile that has
read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection


To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.

Parameter                Value                     Description

Name                     HO_to_BO                  Name to identify the IPSec connection.

Connection Type          Site to Site              Type of connection. Available options:
                                                   Remote Access, Site to Site, Host to Host.

Policy                   DefaultHeadOffice         Policy to be used for the connection.

Action on VPN Restart    Respond Only              Action for the connection when the VPN
                                                   service restarts. Available options:
                                                   Respond Only, Initiate, Disable.

Authentication details

Authentication Type      Preshared Key             Authentication type. How the peer is
                                                   authenticated depends on the connection type.

Preshared Key            123456789                 Must be the same as the key configured at
                                                   the remote site. 123456789 is only the sample
                                                   value used in this article; use a long, random
                                                   key in production.

Endpoint details

Local                    Port B - 192.168.20.105   Local port that acts as the endpoint of the
                                                   tunnel.

Remote                   192.168.20.191            IP address of the remote endpoint.

Local Network details

Local Subnet             172.16.15.0/24            Local LAN address as presented to the remote
                                                   end, i.e. the HO NATted address from the
                                                   Network Parameters table. Add and remove
                                                   addresses with the Add and Remove buttons.

NATed LAN                172.16.16.0/24            The real HO LAN that is translated to the
                                                   Local Subnet above. Select an IP Host or
                                                   Network Host from the list; an IP Host can
                                                   also be added with the Add IP Host link.

Remote Network details

Remote LAN Network       172.16.17.0/24            The BO NATted address, i.e. the subnet under
                                                   which BO hosts are reached. Add and remove
                                                   addresses with the Add and Remove buttons.

Click OK to create IPSec connection.



Step 2: Activate Connection


On clicking OK, the following screen is displayed showing the connection created above.

Under Status (Active), click the status icon to activate the connection.

BO Configuration
The configuration is done from the BO Cyberoam Web Admin Console using a profile that has
read-write administrative rights for the relevant feature(s).

Step 1: Create IPSec Connection


To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the
connection using the following parameters.

Parameter                Value                     Description

Name                     BO_to_HO                  Name to identify the IPSec connection.

Connection Type          Site to Site              Type of connection. Available options:
                                                   Remote Access, Site to Site, Host to Host.

Policy                   DefaultBranchOffice       Policy to be used for the connection.

Action on VPN Restart    Initiate                  Action for the connection when the VPN
                                                   service restarts. Available options:
                                                   Respond Only, Initiate, Disable.

Authentication details

Authentication Type      Preshared Key             Authentication type. How the peer is
                                                   authenticated depends on the connection type.

Preshared Key            123456789                 Must be the same as the key configured at
                                                   the remote site (HO). 123456789 is only the
                                                   sample value used in this article; use a long,
                                                   random key in production.

Endpoint details

Local                    Port B - 192.168.20.191   Local port that acts as the endpoint of the
                                                   tunnel.

Remote                   192.168.20.105            IP address of the remote endpoint.

Local Network details

Local Subnet             172.16.17.0/24            Local LAN address as presented to the remote
                                                   end, i.e. the BO NATted address from the
                                                   Network Parameters table. Add and remove
                                                   addresses with the Add and Remove buttons.

NATed LAN                172.16.16.0/24            The real BO LAN that is translated to the
                                                   Local Subnet above. Select an IP Host or
                                                   Network Host from the list; an IP Host can
                                                   also be added with the Add IP Host link.

Remote Network details

Remote LAN Network       172.16.15.0/24            The HO NATted address, i.e. the subnet under
                                                   which HO hosts are reached. Add and remove
                                                   addresses with the Add and Remove buttons.

Click OK to create the IPSec connection.

Step 2: Activate and Establish Connection

On clicking OK, the following screen is displayed showing the connection created above.

Under Status (Active), click the status icon to activate the connection, then under
Status (Connection) click the icon to establish it.

The above configuration establishes an IPSec connection between HO and BO. Hosts in HO reach BO
hosts under 172.16.17.x addresses and hosts in BO reach HO hosts under 172.16.15.x addresses;
the real 172.16.16.0/24 range at each end is never carried inside the tunnel.

Note:

Make sure that firewall rules allowing LAN to VPN and VPN to LAN traffic are configured.

In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel initiator
and the Head Office as the responder, for the following reasons:
  Branch Offices and other remote sites often have dynamic IP addresses, so the Head Office
  cannot initiate the connection.
  As there can be many Branch Offices, it is good practice for each Branch Office to retry its
  own connection rather than having the Head Office retry every Branch Office connection.
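The addressing plan of both configurations above, worked through as an added example (Python, not Cyberoam code). The Site class mirrors the Web Admin Console fields named in its comments, using the article's addresses and Action on VPN Restart values; the 1:1 subnet translation (netmap), the round_trip walk-through and the check_pair cross-checks are my own model of what the NATted LAN does, not Cyberoam's implementation. It shows why a packet addressed to 172.16.16.10 stays in the local LAN, how the same host is reached through its NATted address, and that the two connection definitions are mirror images of each other (a mistyped Remote LAN Network or two Respond Only ends are flagged).

```python
"""Added example (not Cyberoam code): the article's NAT-over-VPN addressing
plan modelled with the standard ipaddress module. Site fields mirror the
Web Admin Console fields named in the comments; netmap is my model of the
NATed LAN translation, not Cyberoam's implementation."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Packet = Tuple[IPv4Address, IPv4Address]  # (source, destination)


def netmap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 translation: keep the host bits, replace the network bits.
    Example: 172.16.16.10 in 172.16.16.0/24 -> 172.16.15.10 in 172.16.15.0/24."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("netmap needs equal prefix lengths")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)


@dataclass(frozen=True)
class Site:
    name: str
    wan: IPv4Address          # "Local" port address; the peer's "Remote" address
    real_lan: IPv4Network     # "NATed LAN": the physical LAN behind this Cyberoam
    nat_lan: IPv4Network      # "Local Subnet": how that LAN appears inside the tunnel
    remote_lan: IPv4Network   # "Remote LAN Network": the peer's nat_lan
    action: str               # "Action on VPN Restart": "Initiate" or "Respond Only"

    def route(self, dst: IPv4Address) -> str:
        """Where a packet from a LAN host to dst ends up at this site."""
        if dst in self.real_lan:
            return "local LAN"      # answered locally; the tunnel never sees it
        if dst in self.remote_lan:
            return "tunnel"
        return "default route"

    def to_tunnel(self, pkt: Packet) -> Optional[Packet]:
        """LAN -> tunnel: rewrite the source into nat_lan, or None if the
        traffic selectors (nat_lan <-> remote_lan) do not cover the packet."""
        src, dst = pkt
        if self.route(dst) != "tunnel" or src not in self.real_lan:
            return None
        return (netmap(src, self.real_lan, self.nat_lan), dst)

    def from_tunnel(self, pkt: Packet) -> Optional[Packet]:
        """Tunnel -> LAN: rewrite the destination back into real_lan."""
        src, dst = pkt
        if src not in self.remote_lan or dst not in self.nat_lan:
            return None             # does not match the SA; dropped
        return (src, netmap(dst, self.nat_lan, self.real_lan))


def round_trip(a: Site, b: Site, a_host: IPv4Address, b_host_nat: IPv4Address):
    """Request a_host -> b_host_nat and its reply, through both translations.
    Returns (packet delivered on b's LAN, reply delivered on a's LAN) or None."""
    in_tunnel = a.to_tunnel((a_host, b_host_nat))
    delivered = b.from_tunnel(in_tunnel) if in_tunnel else None
    if delivered is None:
        return None
    src, dst = delivered
    reply_tunnel = b.to_tunnel((dst, src))   # b's host answers the address it saw
    reply = a.from_tunnel(reply_tunnel) if reply_tunnel else None
    return None if reply is None else (delivered, reply)


def check_pair(a: Site, b: Site) -> List[str]:
    """Cross-checks between the two boxes that neither Web Admin Console can do alone."""
    problems: List[str] = []
    if a.remote_lan != b.nat_lan:
        problems.append(f"{a.name} Remote LAN {a.remote_lan} != {b.name} Local Subnet {b.nat_lan}")
    if b.remote_lan != a.nat_lan:
        problems.append(f"{b.name} Remote LAN {b.remote_lan} != {a.name} Local Subnet {a.nat_lan}")
    if a.nat_lan.overlaps(b.nat_lan):
        problems.append("NATted subnets overlap; the tunnel cannot tell the LANs apart")
    for s in (a, b):
        if s.real_lan.overlaps(s.remote_lan):
            problems.append(f"{s.name}: real LAN overlaps the remote subnet; traffic stays local")
        if s.real_lan.prefixlen != s.nat_lan.prefixlen:
            problems.append(f"{s.name}: NATted LAN must be the same size as the real LAN")
    if "Initiate" not in (a.action, b.action):
        problems.append("neither side initiates; the tunnel never comes up")
    return problems


# Values from the article's Network Parameters table.
HO = Site("HO", IPv4Address("192.168.20.105"), IPv4Network("172.16.16.0/24"),
          IPv4Network("172.16.15.0/24"), IPv4Network("172.16.17.0/24"), "Respond Only")
BO = Site("BO", IPv4Address("192.168.20.191"), IPv4Network("172.16.16.0/24"),
          IPv4Network("172.16.17.0/24"), IPv4Network("172.16.15.0/24"), "Initiate")
# Constructed mistakes: a mistyped Remote LAN Network at HO, and a BO that only responds.
HO_TYPO = replace(HO, remote_lan=IPv4Network("17.16.17.0/24"))
BO_PASSIVE = replace(BO, action="Respond Only")

if __name__ == "__main__":
    host = IPv4Address("172.16.16.10")
    print("HO host to 172.16.16.10 without NAT goes to:", HO.route(host))
    print("config problems:", check_pair(HO, BO) or "none")
    print("HO 172.16.16.10 -> BO via 172.16.17.10:", round_trip(HO, BO, host, IPv4Address("172.16.17.10")))
    print("typo:", check_pair(HO_TYPO, BO))
    print("both respond only:", check_pair(HO, BO_PASSIVE))
```

Run it as a script to see the request arrive on the BO LAN as 172.16.15.10 -> 172.16.16.10 and the reply arrive back on the HO LAN as 172.16.17.10 -> 172.16.16.10. When adapting it to your own sites, keep real_lan and nat_lan the same prefix length, since the translation preserves host bits.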

Document Version 1.3 11 July, 2014
