topic Site to Site VPN Double NAT Issue in General Topics

Site to Site VPN Double NAT Issue

Glicks — Mon, 24 Aug 2015 10:57:05 GMT

Hi,

We have a branch office connected via site to site vpn, plao alto firewalls at both locations.

Due to buiding works the office has been relocated to a shared building and we're having to use a third party's network connection. We've been provided with a public IP address which is then NAT to a 192.x.x.x address which they then route to our fw. We would like to reinstate the site to site vpn.

The fw at the new location has the external interface set on the private 192.x.x.x range. Phase 1 negotioation from our main site is failing as it detects the private address as an invalid peer as we have the public address configured as the remote peer on the IKE Gateway.

Is there a way around this?

Thanks in advance.

Re: Site to Site VPN Double NAT Issue

santonic — Mon, 24 Aug 2015 11:07:17 GMT

Yes. You can use different IP address for transport and for phase 1 identification. Put the public IP address on IKE gateway as "Peer IP Address" and private IP address under "Peer Identification -> IP address".

Re: Site to Site VPN Double NAT Issue

pankaku — Mon, 24 Aug 2015 12:26:54 GMT

Firstly turn on the NAT travesal Network> IKE gateway> Advance options> Enble NAT traversal.

Use Local identificaiton and remote identification on both firewall. In these fields you can select IP address configured on the interface.

PA1(Public) PA2 (private)

The firewall which have public IP address PA1 set the peer ip address under the IKE gateway as Public IP address of the other firewall. Initiate the tunnel negotiation from PA2

Use these command:

test vpn ike-sa

test vpn ipsec-sa

Let us know if it helps or not.