Help on VPN/NAT setup

Soldato (joined 18 Oct 2002, 5,357 posts, location: Riding my bike)
I am trying to connect our office to a client's backend system so that we can access their systems to do 'stuff'.

They have passed me a set of IPsec details which I am happy with, but the one requirement they have is that our PCs accessing their systems are NATed behind a specified IP address.

So in essence they want traffic to do this:

LAN (192.168.2.0/24) <-> NATed to (193.24.50.90/32) <-> IPsec endpoint <-> Internet <-> IPsec endpoint <-> Their LAN <-> Their server

The issue is that the router we are using (Netgear DGFV338) will handle the IPsec stuff but will not NAT the IPsec traffic. So all we can do is:

LAN (192.168.2.0/24) <-> IPsec endpoint <-> Internet <-> IPsec endpoint <-> Their LAN <-> Their server

They are using the 192.168.2.0/24 subnet so we can't do this any other way.

The only thing I can think of doing is to put another router in front of the main one so:

LAN (192.168.2.0/24) <-> (192.168.2.1) Netgear 1 (193.24.50.90) <-> (193.23.50.91) Netgear 2 <-> Internet

But my concern is that traffic to our other office (192.168.0.0/24) which also goes over an IPsec vpn will be messed up by this.

Anybody here have any bright ideas?
 
The budget is not necessarily a huge problem as long as the equipment is going to work.

The main office has an advanced smoothwall running on a Dell 1U server so we may need to duplicate that setup in the office that needs to VPN out to the client site.

I hate Cisco as they are worse for licencing than Microsoft. "You want some more users behind your PIX? Oh, you'll need our 'NAT client licence'" - pah!
 
I've used m0n0wall as an embedded solution on a PC Engines WRAP board and it is great, so pfSense (a fork) seemed like a good idea...

Except that a forum post here seems to imply you can't do it!
 