S2S VPN configuration between 2 devices behind NAT
Usually I configure it as in S2SVPN; that method requires both ends to have a static public IP.
But in some deployments the two VPN devices are actually behind NAT gateways:
Both NAT overload (PAT) and static NAT can carry a VPN. Static NAT is the easier case, so here I demonstrate NAT overload.
In the example below, R1 needs to establish a VPN with R4, but the traffic is NATed through R2 and R3.
Configuration steps:
– R1, R4: set the peer to the remote NAT gateway's public (WAN) IP
– R2 and R3 (NAT gateways): only need NAT overload plus static forwarding of UDP ports 500 and 4500 to the inside router, so the VPN can be established
Configuration:
R2:
interface Ethernet0/0
 ip address 10.1.2.2 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 10.2.3.2 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 10.2.3.3
!
access-list 1 permit 10.1.2.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/1 overload
!
ip nat inside source static udp 10.1.2.1 500 10.2.3.2 500     ## forward IKE (UDP 500) to R1
ip nat inside source static udp 10.1.2.1 4500 10.2.3.2 4500   ## forward NAT-T (UDP 4500) to R1
R3:
interface Ethernet0/0
 ip address 10.2.3.3 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 ip address 10.3.4.3 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 10.2.3.2
!
access-list 1 permit 10.3.4.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload
!
ip nat inside source static udp 10.3.4.4 500 10.2.3.3 500     ## forward IKE (UDP 500) to R4
ip nat inside source static udp 10.3.4.4 4500 10.2.3.3 4500   ## forward NAT-T (UDP 4500) to R4
R1:
crypto ipsec nat-transparency udp-encapsulation   ## UDP-encapsulate VPN packets on ports 500 and 4500 (on by default)
!
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key 123456 address 10.2.3.3
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
 set peer 10.2.3.3   ## R3's public IP; R3 forwards the traffic to R4
 set transform-set MY_TRANSFORM_SET
 match address 100
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Ethernet0/1
 ip address 10.1.2.1 255.255.255.0
 crypto map MY_CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 10.1.2.2   ## default route toward R2 (assumed; not shown in the original)
=================
R4:
crypto ipsec nat-transparency udp-encapsulation   ## UDP-encapsulate VPN packets on ports 500 and 4500 (on by default)
!
crypto isakmp policy 1
 encryption aes 256
 authentication pre-share
 group 5
crypto isakmp key 123456 address 10.2.3.2
!
crypto ipsec transform-set MY_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp
 set peer 10.2.3.2   ## R2's public IP; R2 forwards the traffic to R1
 set transform-set MY_TRANSFORM_SET
 match address 100
!
interface Ethernet0/1
 ip address 10.3.4.4 255.255.255.0
 crypto map MY_CRYPTO_MAP
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.3.4.3
This is a form of NAT traversal (NAT-T): the tunnel is established across a NAT environment. To summarise what was configured above:
– R1 and R4 encapsulate IKE and ESP in UDP ports 500 and 4500 via crypto ipsec nat-transparency udp-encapsulation (Cisco routers enable this by default)
– R2 and R3 statically forward those UDP ports, so the packets pass through the NAT gateway and reach the router that terminates the VPN
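As an added illustration (not from the original post) of why both UDP 500 and 4500 must be forwarded: the script below models the NAT-D check from RFC 3947 with the page's addresses, showing that each peer detects a NAT in the path and therefore moves IKE and ESP to UDP 4500, and it classifies UDP 4500 payloads per RFC 3948. It assumes SHA-1 as the IKEv1 hash (the default the page's policy relies on) and uses constructed ISAKMP cookies.

```python
"""NAT-T detection and UDP-encapsulated ESP framing, modelled on the page's topology."""
import hashlib
import socket
import struct

# Addresses from the page: each VPN router's own address and the address the
# far side actually sees after R2/R3 rewrite the packet.
TOPOLOGY = {
    "R1": {"local": "10.1.2.1", "public": "10.2.3.2"},  # R1 is NATed by R2
    "R4": {"local": "10.3.4.4", "public": "10.2.3.3"},  # R4 is NATed by R3
}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 marker for IKE on UDP 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port). SHA-1 assumed."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, claimed_ip: str, claimed_port: int,
                 observed_ip: str, observed_port: int) -> bool:
    """A peer sends a NAT-D hash over the address it believes it has; the receiver
    recomputes the hash over the source address/port seen on the wire. A mismatch
    means a NAT rewrote the packet somewhere on the path."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    seen = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return sent != seen


def negotiate_ports(cky_i: bytes, cky_r: bytes) -> dict:
    """Which UDP port the tunnel ends up on. If either side is behind a NAT, IKE
    floats to 4500 and ESP is UDP-encapsulated on 4500; this is why R2 and R3
    must forward 4500 in addition to 500."""
    r1, r4 = TOPOLOGY["R1"], TOPOLOGY["R4"]
    r1_nat = nat_detected(cky_i, cky_r, r1["local"], 500, r1["public"], 500)  # R4's view
    r4_nat = nat_detected(cky_i, cky_r, r4["local"], 500, r4["public"], 500)  # R1's view
    port = 4500 if (r1_nat or r4_nat) else 500
    return {"R1_behind_nat": r1_nat, "R4_behind_nat": r4_nat, "port": port}


def classify_udp4500_payload(payload: bytes) -> str:
    """RFC 3948: on UDP 4500 a zero 4-byte marker prefixes IKE; otherwise the
    first 4 bytes are an ESP SPI (which is never all zero)."""
    if len(payload) < 4:
        return "too short"
    return "IKE" if payload[:4] == NON_ESP_MARKER else "ESP"


if __name__ == "__main__":
    print(negotiate_ports(b"\x01" * 8, b"\x02" * 8))  # constructed cookies
```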
Verify:
Ping test between the two VPCs on either side, and capture the traffic with Wireshark.