Description:

In some cases, two sites may be using the same IP address range. To enable VPN communications between these sites, communication via the VPN tunnel must be masked behind a different IP address range. This is implemented on a Unified Firewall with the help of NETMAP. In contrast to source NAT, both sides can access resources in the other target network.

This article describes how to set up NETMAP masquerading for a VPN connection between two Unified Firewalls.

Note that communication with one of the masked networks via the VPN connection can only address the masked IP address.

Furthermore, masking via NETMAP only works between networks of the same size: the translated range must use the same subnet mask as the local network it masks.



Requirements:

  • Two or three LANCOM R&S®Unified Firewalls with LCOS FX as of version 10.7 
  • Configured and functional IKEv2 connections at the headquarters and the branch office 1 (scenario 2 only)
  • Configured and functional local networks on all Unified Firewalls
  • A configured and functional Internet connection on all Unified Firewalls
  • Web browser for configuring the two Unified Firewalls

    The following browsers are supported:
    • Google Chrome
    • Chromium
    • Mozilla Firefox


Scenario 1: Two locations with the same IP address range are to communicate via an IKEv2 connection

  • An IKEv2 connection is to be set up between two Unified Firewalls (branch office and headquarters).
  • Both the Unified Firewall at the branch office and the Unified Firewall at the headquarters use the same IP address range 192.168.1.0/24.
  • For communication between the two Unified Firewalls, NETMAP masks the packets sent via the IKEv2 connection behind a different IP address range that has not yet been used.
    • The Unified Firewall at the Headquarters masks its local network behind the address range 192.168.10.0/24.
    • The Unified Firewall at the Branch office masquerades its local network behind the address range 192.168.20.0/24.


Scenario 2: Two external sites with the same IP address range are to communicate via an IKEv2 connection

  • An IKEv2 connection has already been set up between two Unified Firewalls (Branch office 1 and Headquarters).
  • The Unified Firewall at the Headquarters has the IP address range 192.168.1.0/24.
  • The Unified Firewall at the Branch office 1 has the IP address range 192.168.2.0/24.
  • A further Unified Firewall is located at Branch office 2. This also has the IP address range 192.168.2.0/24.
  • Now the Unified Firewall at Branch office 2 is to be connected via IKEv2 with the Headquarters. Also, communications should be possible between Branch office 1 and Branch office 2.
  • To enable communication between Branch office 1 and Branch office 2, outgoing packets from the two branches via the IKEv2 connection must each be masked by NETMAP behind a different IP address range that is not yet in use.
    • The Unified Firewall at the Branch office 1 masquerades its local network behind the address range 192.168.10.0/24.
    • The Unified Firewall at the Branch office 2 masquerades its local network behind the address range 192.168.20.0/24.


Procedure:

Scenario 1: Two locations with the same IP address range are to communicate via an IKEv2 connection

1) Configuration steps at the headquarters:

1.1) Setting up the IKEv2 connection on the Unified Firewall at the Headquarters:

1.1.1) Set up the IKEv2 connection at the Headquarters using one of the following Knowledge Base articles:

1.1.2) When configuring the VPN connection, go to the Tunnels tab and adjust the Local Networks and Remote Networks as follows:

  • Local networks: Enter the translated address range of the productive network at the Headquarters in CIDR notation (Classless Inter-Domain Routing), in this example 192.168.10.0/24.
  • Remote Networks: Enter the translated IP-address range at the branch office in CIDR notation, in this example 192.168.20.0/24.

The IP address ranges used for masking must not be used elsewhere and must not overlap.

1.1.3) Switch to the Routing tab, activate the Route-based IPsec and click Save.

1.1.4) Change to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the routing table.

1.1.5) Click on the “+” icon to create a routing entry.

1.1.6) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the branch office (in this example VPN-Office).
  • Destination: Enter the translated address range at the branch office in CIDR notation, in this example 192.168.20.0/24.

1.1.7) Click Save to accept the routing entry.


1.2) Setting up the masking on the Unified Firewall at the Headquarters:

1.2.1) On the desktop, click the network object at the Headquarters (in this example Production-Headquarter), select the connection tool and click the VPN object (in this example VPN-Office).

NETMAP works exclusively with a VPN network object, not with a VPN host object.

1.2.2) Switch to the NAT tab, adjust the following parameters and click Save:

  • NAT / Masquerading: Select the option left-to-right.
  • NAT Source IP: Using CIDR notation, enter the translated IP-address range at the Headquarters as specified in step 1.1.2, in this example 192.168.10.0/24. This is the address for masking the outbound traffic.
  • Set a checkmark next to Enable DNAT.
  • External IP address: Using CIDR notation, enter the translated IP-address range at the Headquarters as specified in step 1.1.2, in this example 192.168.10.0/24. This is the address for masking the inbound traffic.

With N:N mapping, the masking is done in two parts. The outbound data traffic is masked using source NAT and the inbound data traffic is masked using destination NAT.
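To make the two-part masking and the requirements stated earlier (same-size networks, translated ranges that are unused and non-overlapping) concrete, here is an added illustration that is not part of the original article and not LCOS FX code: a small Python model of the 1:1 NETMAP translation, traced for a packet from a headquarters host to a branch host in Scenario 1. Site names, host addresses and function names are constructed for the example.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Site:
    name: str
    real: str     # productive LAN (identical on both sides in Scenario 1)
    masked: str   # translated range announced in the tunnel

def netmap(addr: str, from_net: str, to_net: str) -> str:
    """1:1 NETMAP: keep the host part of addr, swap the network prefix.
    Both networks must have the same prefix length (same subnet mask)."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP requires networks of the same size")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))

def masked_ranges_ok(sites: list[Site]) -> bool:
    """Translated ranges must not overlap each other or any real LAN."""
    masked = [ipaddress.ip_network(s.masked) for s in sites]
    real = [ipaddress.ip_network(s.real) for s in sites]
    for i, n in enumerate(masked):
        if any(n.overlaps(m) for m in masked[i + 1:]):
            return False
        if any(n.overlaps(r) for r in real):
            return False
    return True

def send(sender: Site, receiver: Site, src_ip: str, dst_masked_ip: str):
    """Trace one packet from a sender host to a receiver host that the
    sender addresses by its masked IP. Returns (on_tunnel, delivered)."""
    # Outbound at sender: source NAT into the sender's translated range
    # (the 'NAT Source IP' setting); the destination stays as addressed.
    on_tunnel = (netmap(src_ip, sender.real, sender.masked), dst_masked_ip)
    # Inbound at receiver: destination NAT from the receiver's translated
    # range (the 'External IP address' setting) back to its real LAN.
    delivered = (on_tunnel[0], netmap(dst_masked_ip, receiver.masked, receiver.real))
    return on_tunnel, delivered

# Constructed Scenario 1 sites: same LAN on both sides, distinct masked ranges.
HQ = Site("Headquarters", "192.168.1.0/24", "192.168.10.0/24")
OFFICE = Site("Office", "192.168.1.0/24", "192.168.20.0/24")
```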

1.2.3) Finally, implement the changes by clicking Activate.

1.2.4) This concludes the configuration steps on the Unified Firewall at the Headquarters.



2) Configuration steps at the branch office:

2.1) Setting up the IKEv2 connection on the Unified Firewall at the Branch office:

2.1.1) Set up the IKEv2 connection at the Branch office using one of the following Knowledge Base articles:

2.1.2) When configuring the VPN connection, go to the Tunnels tab and adjust the Local Networks and Remote Networks as follows:

  • Local networks: Enter the translated IP-address range at the branch office in CIDR notation, in this example 192.168.20.0/24.
  • Remote Networks: Enter the translated IP-address range at the Headquarters in CIDR notation, in this example 192.168.10.0/24.

The IP address ranges used for masking must not be used elsewhere and must not overlap.

2.1.3) Switch to the Routing tab, activate the Route-based IPsec and click Save.

2.1.4) Change to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the routing table.

2.1.5) Click on the “+” icon to create a routing entry.

2.1.6) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the headquarters (in this example VPN-Headquarter).
  • Destination: Enter the translated network at the Headquarters in CIDR notation, in this example 192.168.10.0/24.

2.1.7) Click Save to accept the routing entry.


2.2) Setting up the masking on the Unified Firewall at the branch office:

2.2.1) On the desktop, click the network object used at the branch office (in this example Production-Office), select the connection tool and click the VPN object (in this example VPN-Headquarter).

NETMAP works exclusively with a VPN network object, not with a VPN host object.

2.2.2) Switch to the NAT tab, adjust the following parameters and click Save:

  • NAT / Masquerading: Select the option left-to-right.
  • NAT Source IP: Using CIDR notation, enter the translated IP-address range at the branch office as specified in step 2.1.2, in this example 192.168.20.0/24. This is the address for masking the outbound traffic.
  • Set a checkmark next to Enable DNAT.
  • External IP address: Using CIDR notation, enter the translated IP-address range at the branch office as specified in step 2.1.2, in this example 192.168.20.0/24. This is the address for masking the inbound traffic.

With N:N mapping, the masking is done in two parts. The outbound data traffic is masked using source NAT and the inbound data traffic is masked using destination NAT.

2.2.3) Finally, implement the changes by clicking Activate.

2.2.4) This concludes the configuration steps on the Unified Firewall at the branch office.



3) Restart the VPN connection:

The VPN connection must be restarted for the adjusted VPN connection parameters to take effect.

Connect to the Unified Firewall at the branch office or headquarters, switch to the menu VPN → IPsec → Connections, and click on the “circular arrow” icon for the corresponding VPN connection. 




Scenario 2: Two external sites with the same IP address range are to communicate via an IKEv2 connection

1) Configuration steps at the headquarters:

1.1) Setting up the IKEv2 connection to branch office 2:

1.1.1) On the Unified Firewall at the Headquarters, set up the IKEv2 connection to Branch office 2 using one of the following Knowledge Base articles:

1.1.2) When configuring the VPN connection, go to the Tunnels tab and adjust the Local Networks and Remote Networks as follows:

  • Local networks: Enter the local IP-address range at the Headquarters in CIDR notation, in this example 192.168.1.0/24.
  • Remote Networks: Enter the translated IP-address range at the branch office 2 in CIDR notation, in this example 192.168.20.0/24.


1.2) Modifying the VPN connection to branch office 1:

1.2.1) Switch to the menu VPN → IPsec → Connections and, for the VPN connection to branch office 1, click the “pencil” icon to modify the connection.

1.2.2) Switch to the Tunnels tab, adjust the following parameters and click Save:

  • Remote Networks: Enter the translated IP-address range at branch office 1 in CIDR notation, in this example 192.168.10.0/24.



2) Configuration steps at branch office 1:

2.1) Modifying the VPN networks in Branch office 1:

2.1.1) Connect to the web interface of the Unified Firewall at branch office 1, go to the menu VPN → IPsec → Connections and, for the VPN connection to the headquarters, click on the “pencil” icon to edit it.

2.1.2) Change to the Tunnels tab and modify the following parameters:

  • Local networks: Replace the current local network with the translated IP-address range at branch office 1 in CIDR notation, in this example 192.168.10.0/24.
  • Remote Networks: In addition to the existing network at the headquarters, enter the translated IP-address range at the branch office 2 in CIDR notation, in this example 192.168.20.0/24.

The IP address ranges used for masking must not be used elsewhere and must not overlap.

2.1.3) Switch to the Routing tab, activate the Route-based IPsec and click Save.

2.1.4) Change to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the routing table.

2.1.5) Click on the “+” icon to create a routing entry.

2.1.6) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the headquarters (in this example VPN-Headquarter).
  • Destination: Enter the network at the Headquarters in CIDR notation, in this example 192.168.1.0/24.

2.1.7) Create a new routing entry, adjust the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the headquarters (in this example VPN-Headquarter).
  • Destination: Enter the translated network at branch office 2 in CIDR notation, in this example 192.168.20.0/24.

2.1.8) Click Save to accept the routing entry.


2.2) Setting up the masking on the Unified Firewall at branch office 1:

2.2.1) On the desktop of the Unified Firewall, click the network object at branch office 1 (in this example INTRANET-Office1), select the connection tool and click the VPN object (in this example VPN-Headquarter).

NETMAP works exclusively with a VPN network object, not with a VPN host object.

2.2.2) Switch to the NAT tab, adjust the following parameters and click Save:

  • NAT / Masquerading: Select the option left-to-right.
  • NAT Source IP: Using CIDR notation, enter the translated IP-address range at branch office 1 as specified in step 2.1.2, in this example 192.168.10.0/24. This is the address for masking the outbound traffic.
  • Set a checkmark next to Enable DNAT.
  • External IP address: Using CIDR notation, enter the translated IP-address range at branch office 1 as specified in step 2.1.2, in this example 192.168.10.0/24. This is the address for masking the inbound traffic.

With N:N mapping, the masking is done in two parts. The outbound data traffic is masked using source NAT and the inbound data traffic is masked using destination NAT.

2.2.3) Finally, implement the changes by clicking Activate.

2.2.4) This concludes the configuration steps on the Unified Firewall at branch office 1.



3) Configuration steps at branch office 2:

3.1) Setting up the IKEv2 connection on the Unified Firewall at branch office 2:

3.1.1) Set up the IKEv2 connection on the Unified Firewall at Branch office 2 using one of the following Knowledge Base articles:

3.1.2) When configuring the VPN connection, go to the Tunnels tab and adjust the Local Networks and Remote Networks as follows:

  • Local networks: Enter the translated IP-address range at the branch office 2 in CIDR notation, in this example 192.168.20.0/24.
  • Remote Networks: Along with the local network at the headquarters (in this example 192.168.1.0/24), additionally enter the translated IP-address range at branch office 1 in CIDR notation, in this example 192.168.10.0/24.

The IP address ranges used for masking must not be used elsewhere and must not overlap.

3.1.3) Switch to the Routing tab, activate the Route-based IPsec and click Save.

3.1.4) Change to the menu Network → Routing → Routing Tables and, in Table 254, click on the “pencil” icon to edit the routing table.

3.1.5) Click on the “+” icon to create a routing entry.

3.1.6) Modify the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the headquarters (in this example VPN-Headquarter).
  • Destination: Enter the network at the Headquarters in CIDR notation, in this example 192.168.1.0/24.

3.1.7) Create a new routing entry, adjust the following parameters and click OK:

  • Interface: From the drop-down menu, select the VPN connection to the headquarters (in this example VPN-Headquarter).
  • Destination: Enter the translated network at branch office 1 in CIDR notation, in this example 192.168.10.0/24.

3.1.8) Click Save to accept the routing entry.


3.2) Setting up the masking on the Unified Firewall at branch office 2:

3.2.1) On the desktop of the Unified Firewall, click the network object used at branch office 2 (in this example INTRANET-Office2), select the connection tool and click the VPN object (in this example VPN-Headquarter).

NETMAP works exclusively with a VPN network object, not with a VPN host object.

3.2.2) Switch to the NAT tab, adjust the following parameters and click Save:

  • NAT / Masquerading: Select the option left-to-right.
  • NAT Source IP: Enter the translated IP-address range at the branch office 2 in CIDR notation, in this example 192.168.20.0/24. This is the address for masking the outbound traffic.
  • Set a checkmark next to Enable DNAT.
  • External IP address: Using CIDR notation, enter the translated IP-address range at branch office 2 as specified in step 3.1.2, in this example 192.168.20.0/24. This is the address for masking the inbound traffic.

With N:N mapping, the masking is done in two parts. The outbound data traffic is masked using source NAT and the inbound data traffic is masked using destination NAT.

3.2.3) Finally, implement the changes by clicking Activate.

3.2.4) This concludes the configuration steps on the Unified Firewall at branch office 2.



4) Restart the VPN connection:

The VPN connections must be restarted for the adjusted parameters to take effect.

Connect to the Unified Firewall at one of the branch offices or headquarters, switch to the menu VPN → IPsec → Connections, and click on the “circular arrow” icon for the corresponding VPN connection. Do this for both VPN connections (Headquarters – Branch office 1 and Headquarters – Branch office 2).