Help on VPN/NAT setup

Soldato | Joined 18 Oct 2002 | Posts 5,340 | Location: Riding my bike
I am trying to connect our office to a client's backend system so that we can access their systems to do 'stuff'.

They have passed me a set of IPsec details which I am happy with, but the one requirement they have is that our PCs accessing their systems are NATed behind a specified IP address.

So in essence they want traffic to do this:

Lan (192.168.2.0/24)<-> NATed to (193.24.50.90/32) <-> IPSec endpoint <-> Internet <-> IPsec endpoint <-> Their LAN <-> Their server

The issue is that the router we are using (Netgear DGFV338) will handle the IPsec stuff but will not NAT the ipsec traffic. So all we can do is:

Lan (192.168.2.0/24) <-> IPSec endpoint <-> Internet <-> IPsec endpoint <-> Their LAN <-> Their server

They are using the 192.168.2.0/24 subnet so we can't do this any other way.

The only thing I can think of doing is to put another router in front of the main one so:

LAN (192.168.2.0/24) <-> (192.168.2.1) Netgear 1 (193.24.50.90) <-> (193.23.50.91) Netgear 2 <-> Internet

But my concern is that traffic to our other office (192.168.0.0/24) which also goes over an IPsec vpn will be messed up by this.

Anybody here have any bright ideas ?
 
IMO you need something more customizable than a home router to do this nicely.

A linux box for example would allow you to do all of this, and decide which traffic you want routing to where, and addressed how you want it.
You could either use the linux box to replace the router altogether (maybe an adsl card or adsl/ethernet bridge would be required) or even just add a static route for the remote VPN IP range to go via gateway (ip of linux box) which then NATs this traffic and sends it to the router; getting the return traffic back however may be a problem.

I am guessing you are a small office; what kind of budget are you looking at?

Unless the IPSec side of the router allows you to have a separate nat/masquerade onto that interface, you need another router. I cannot see how daisy-chaining routers will help without screwing up either the local or remote links.

//TrX
 
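To make the "static route plus NAT box" idea above concrete, here is an added example (not code from the thread or from any product mentioned in it) that models what such a Linux box has to do: source-NAT only the flows destined for the client's range to the mandated 193.24.50.90, leave the other office's VPN traffic (192.168.0.0/24) untouched, and keep a conntrack-style mapping so replies can be reversed. The client's routed range is not given in the thread, so `10.50.0.0/16` is a constructed placeholder. The `inbound` path also shows the return-traffic problem raised above: a reply that reaches the box without a matching mapping (because the outbound flow never passed through it, or the reply took another path) cannot be de-translated.

```python
"""Policy-based source NAT model for the office -> client VPN topology.

Added example, not part of the original thread. Addresses marked
ASSUMED/constructed are not from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.2.0/24")           # our office LAN (from the thread)
OTHER_OFFICE = ip_network("192.168.0.0/24")  # existing IPsec VPN; must stay untranslated
NAT_ADDRESS = ip_address("193.24.50.90")     # address the client requires us to appear from
CLIENT_RANGE = ip_network("10.50.0.0/16")    # ASSUMED client range; the thread gives no value


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PolicyNat:
    """Translate only flows that match the client-VPN policy; pass the rest through."""

    def __init__(self, first_port: int = 40000):
        self._fwd = {}   # (src, sport, dst, dport) -> nat port
        self._rev = {}   # (nat port, dst, dport)   -> (src, sport)
        self._next_port = first_port

    @staticmethod
    def classify(dst: str) -> str:
        """Decide which path a destination takes; only 'client-vpn' is NATed."""
        addr = ip_address(dst)
        if addr in OTHER_OFFICE:
            return "office-vpn"    # existing tunnel, no translation
        if addr in CLIENT_RANGE:
            return "client-vpn"    # must appear as NAT_ADDRESS
        if addr in LAN:
            return "local"
        return "internet"

    def _allocate_port(self, dst: str, dport: int) -> int:
        # Pick a source port that is not already mapped for this destination.
        for port in range(self._next_port, 65536):
            if (port, dst, dport) not in self._rev:
                self._next_port = port + 1
                return port
        raise RuntimeError("NAT port pool exhausted for %s:%d" % (dst, dport))

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> remote: SNAT to NAT_ADDRESS only for client-VPN traffic."""
        if self.classify(pkt.dst) != "client-vpn":
            return pkt
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._fwd:  # reuse the mapping for an existing flow
            nat_port = self._allocate_port(pkt.dst, pkt.dport)
            self._fwd[key] = nat_port
            self._rev[(nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(str(NAT_ADDRESS), self._fwd[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet):
        """Remote -> LAN: reverse the mapping; None means no state for this reply."""
        if ip_address(pkt.dst) != NAT_ADDRESS:
            return pkt  # untranslated traffic (e.g. other-office VPN) passes straight through
        orig = self._rev.get((pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None  # reply arrived without a matching outbound flow through this box
        return Packet(pkt.src, pkt.sport, orig[0], orig[1])


if __name__ == "__main__":
    nat = PolicyNat()
    out = nat.outbound(Packet("192.168.2.10", 51000, "10.50.1.5", 443))
    print("to client  :", out)
    print("reply      :", nat.inbound(Packet("10.50.1.5", 443, out.dst and str(NAT_ADDRESS), out.sport)))
    print("to office  :", nat.outbound(Packet("192.168.2.10", 52000, "192.168.0.7", 445)))
    print("stateless  :", nat.inbound(Packet("10.50.1.5", 443, str(NAT_ADDRESS), 12345)))
```

In a real deployment the same policy is a routing decision on the LAN side (static route for the client range pointing at the box) plus a SNAT rule that matches on destination range rather than a blanket masquerade, and the replies must be routed back through the same box or the mapping in `_rev` is never consulted.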
The budget is not necessarily a huge problem as long as the equipment is going to work.

The main office has an advanced smoothwall running on a Dell 1U server so we may need to duplicate that setup in the office that needs to VPN out to the client site.

I hate cisco as they are worse for licencing than microsoft. "You want some more users behind your Pix, oh, you'll need our 'nat client licence' "- pah !
 
Sounds like *Nix appliances for networking are something you are already familiar with.

In this case, try a box with pfsense, excellent BSD routing distro with web frontend that supports multiple routes/multiple nat and IPsec should you choose to do it all in one.

//TrX
 
I've used monowall as an embedded solution on a PCEngines WRAP board and it is great so pfsense (a fork) seemed like a good idea....

Except that a forum post here seems to imply you can't do it !
 
Damn, you appear to be right!

It will be possible... just not using the nice friendly interface. That's a shame! (TBH I didn't check, just assumed it would as you can route/tinker with everything else)

In that case if you are not looking for an actual vendor (cisco pix etc) implementation, maybe a linux box is the way to go? Or see if m0n0wall will do it if you are happier with that (although if pfsense doesn't, the chance m0n0wall will is slim).

There are people here that could help you with a linux install to do just this, but I guess you may be worried about supportability, which is a fair point.

//TrX
 
I'd seriously advise keeping clear of a linux box for this, especially for business; buying real hardware buys you support too. A cisco 1841 starts at about £400 and even with the ent services IOS probably only costs £900 or so (god knows, I have a CCO login so I can download whatever I fancy!). It will almost certainly be able to do what you need (I've only ever found one thing that was impossible with a single 1841, but it was a nasty setup using route maps and balancing between datastream connections...)
 