In certain scenarios when communicating via a VPN tunnel, it may be necessary to mask the local network behind a specific IP address. Consequently, only one VPN rule has to be created for just one IP address on the remote side and not for an entire network. A disadvantage is that resources behind the masked connection cannot be accessed from the other end. For this reason, masking is most suitable for branch offices that access resources at the headquarters.
This article describes how to set up source NAT for an existing IKEv2 connection on a Unified Firewall.
- Two LANCOM R&S®Unified Firewalls with LCOS FX as of version 10.7
- A configured and functional local network on each Unified Firewall
- A configured and functional Internet connection on each Unified Firewall
- A configured and functional IKEv2 connection on each Unified Firewall
- Web browser for configuring the two Unified Firewalls
The following browsers are supported:
- Google Chrome
- Mozilla Firefox
- An IKEv2 connection exists between the two Unified Firewalls (Office and Headquarters).
- The Unified Firewall at the headquarters has the IP address range 192.168.5.0/24.
- The Unified Firewall at the branch office has the IP address range 192.168.1.0/24.
- Communication from the office towards the headquarters over the IKEv2 connection should be masked behind the IP address 10.10.10.1.
1) Configuration steps at the branch office:
1.1) Connect to the web interface of the Unified Firewall at the branch office, go to the menu VPN → IPsec → Connections and, for the VPN connection to headquarters, click on the “pencil” icon to edit it.
1.2) Go to the Tunnels tab, delete the network entered under Local Networks and instead enter the IP address for masking the VPN connection in the direction of the Headquarters (using CIDR notation (Classless Inter Domain Routing), for example 10.10.10.1/32).
The subnet mask /32 is an alternative notation for 255.255.255.255 and represents a single IP address.
1.3) Switch to the Routing tab, activate the Route-based IPsec and click Save.
1.4) Change to the menu Network → Routing → Routing Tables and click on the “pencil” icon to edit the Table 254.
1.5) Click on the “+” icon to create a new route.
1.6) Modify the following parameters and then click OK:
- Interface: From the drop-down menu, select the VPN connection to the headquarters that is to be masked.
- Destination: Enter the destination network at the headquarters, to which the VPN connection is to connect (in this example the network 192.168.5.0/24).
1.7) Click on the Save button to store the route.
1.8) Click the create a network button to create the destination network locally at the headquarters. This is required for masking. Routing conflicts with the VPN network cannot occur.
1.9) Modify the following parameters and then click Create:
- Name: Enter a descriptive name for the destination network (in this example SNAT-Destination-Network).
- Interface: Use the drop-down menu to select the interface any.
- Network IP: Enter the IP address of the destination network in CIDR notation, in this example 192.168.5.0/24).
1.10) On the desktop, click the network object for the local network created in step 1.9 (in this example Production), select the connection tool and click the network object created in step 1.9 (in this example SNAT-Destination-Network).
1.11) Use the “+” icons to add the protocols required for communication (in this example ICMP).
Repeat steps 1.12 – 1.14 for each additional protocol.
1.12) For the protocol used, click the arrow under Action three times until it points to the right. Then under Options, click the None button.
1.13) For NAT, select the option Use Service Specific Settings, adjust the following parameters and click OK:
- NAT / Masquerading: Select the option left-to-right.
- NAT Source IP: Enter the IP address set in step 1.2 to be used for masking the protocols on the VPN connection (in this example the IP address 10.10.10.1).
1.14) Click on Create.
1.15) Finally, implement the changes by clicking Activate.
1.16) This concludes the configuration steps at the branch office.
2) Configuration steps at the headquarters:
In this configuration example, we assume that a Unified Firewall is also operated at the headquarters. The scenario can also be implemented with devices from a different manufacturer. In this case, the VPN rules and the routing need to be adjusted to the masking IP address. If necessary, please contact the respective manufacturer.
2.1) Connect to the web interface of the Unified Firewall at the headquarters, go to the menu VPN → IPsec → Connections and, for the VPN connection to the branch office, click on the “pencil” icon to edit it.
2.2) Go to the Tunnels tab and, under Remote Networks, enter the IP address set in step 1.2 in CIDR notation, behind which the VPN connection is to be masked (in this example 10.10.10.1/32).
Then click on Save.
2.3) This concludes the configuration steps at the headquarters.
3) Restart the VPN connection:
The VPN connection must be restarted for the adjusted VPN-connection parameters to come into effect.
Connect to the Unified Firewall at the branch office or headquarters, switch to the menu VPN → IPsec → Connections, and click on the “circular arrow” icon for the corresponding VPN connection.