topic Re: IPSec VPN with overlapping networks in General Topics

IPSec VPN with overlapping networks

Filip_Fronczak — Fri, 02 Nov 2018 17:49:00 GMT

To begin with I know the document Configuring IPSec VPN between overlapping networks.

Due to my lack of experience still I am not able to understand how I should create the NAT rules.

My objective is to configure the IPSec tunnel only on "my" side - one that will be accessed and should allow access to some servers in the 192.168.2.0/24 network.

Below I put some aqnonymised configuration info:

IKE Gateway

Parameter	Value
Version	IKEv1 only mode
Address type	IPv4
Local IP Address	a.b.c.99
Peer IP Address	x.y.z.255
Exchange mode	auto

IPSec Tunnel Proxy IDs

Parameter	Value
Local	10.0.2.0/24 (NAT 1:1 – original subnet 192.168.2.0/24 )
Remote	10.95.0.0/16

The overlapping network addresses are 192.168.2.0/24

I have to create a NAT rule to show them to the accessing partner as 10.0.2.0/24 network.

I would be grateful if someone could tell me how to create this NAT rule with static translation.

Thank You a LOT! 🙂

Re: IPSec VPN with overlapping networks

santonic — Fri, 02 Nov 2018 14:10:22 GMT

Let's say partners want to access server at 192.168.2.10. Chose an IP you will use for NAT, let's say it's 10.0.2.10 (though any from that network would do).

All you need is a static destination NAT: source 10.95.0.0/16, destination 10.0.2.10, Destination Address Translation 192.168.2.10 (with apropriate zones).

And also you will need a firewall rule to allow access with pre-NAT IP address and post-NAT destination zone.

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Fri, 02 Nov 2018 14:23:37 GMT

I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).

Can it bo done?

Re: IPSec VPN with overlapping networks

Remo — Fri, 02 Nov 2018 15:46:38 GMT

@Filip_Fronczak wrote:
I would like a rule that will translate any address in 192.168.2.0 into a coresponding address in 10.0.2.0 (192.168.2.1-->10.0.2.1, 192.168.2.2-->10.0.2.2 etc).
Can it bo done?

Yes, this is possible.

Destination address object: 192.168.2.0/24
Destination translation address object: 10.0.2.0/24

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Fri, 02 Nov 2018 16:53:31 GMT

Is this enough or should there be something more?

Do I need on my side a NAT rule to translate the source too or a rule in the other direction?

Sorry for asking basic questions...

IPSecVPN_1
{
to [ LAN_Servers ]; from [ IPSec_xxx ]; source [ any ]; destination [ 192.168.2.0/24 ]; service any; disabled no; destination-translation
{
translated-address 10.0.2.0/24;
}
}

Re: IPSec VPN with overlapping networks

Remo — Fri, 02 Nov 2018 17:05:57 GMT

Ignore my last post ...

The NAT rule shoild look like this

Original source: 192.168.2.0/24
Original destination: 10.95.0.0/16
Type: Static IP
Translated source: 10.0.2.0/24
Translated destination: none

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Fri, 02 Nov 2018 17:32:57 GMT

And what about the other way?

Traffic from the oher side that wants to arrive to servers in our network - 192.168.2.0/24?

Re: IPSec VPN with overlapping networks

Remo — Fri, 02 Nov 2018 17:55:01 GMT

Check the bi-directional checkbox

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Fri, 02 Nov 2018 18:07:58 GMT

So, it's this, right?

IPSecVPN_xxx-1
{
to [ IPSec_xxx ]; from [ LAN_Servers ]; source [ 192.168.2.0/24 ]; destination [ 10.95.0.0/16 ]; source-translation
{
static-ip
{
bi-directional yes; translated-address 10.0.2.0/24;
}
}
}

Re: IPSec VPN with overlapping networks

Remo — Fri, 02 Nov 2018 18:14:40 GMT

Yes, looks correct.

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Wed, 07 Nov 2018 14:59:42 GMT

Something is not right.

The phase-2 config on the connecting party is like this:

config vpn ipsec phase2-interface

edit "VPN"

set phase1name "VPN"

set proposal aes256-sha256

set dhgrp 14

set keylifeseconds 3600

set src-subnet 10.95.0.0 255.255.0.0

set dst-subnet 10.0.2.0 255.255.255.0

end

The tunnel is established but they are not able to ping servers on our side.

I do not see any traffic even in the "Session Browser".

Re: IPSec VPN with overlapping networks

santonic — Thu, 08 Nov 2018 06:53:50 GMT

Assuming you log everything; untill you don't see a packet arriving from their side it means they are not sending it correctly.

You can also try sending traffic towards them.

Re: IPSec VPN with overlapping networks

aleksandar.astardzhiev — Thu, 08 Nov 2018 11:19:59 GMT

Fist I would suggest you to disable the bi-directional for the source NAT and configure manually destination NAT. The main reason for that is - What does the Bi-directional NAT Feature Provide? My phisosofy is to enable bi-directional only for static NAT going to public. NATing for VPN could be little bit tricky. So I would suggest the following:

## Source NAT

IPSecVPN_xxx-1 {
  to [ IPSec_xxx ]; 
  from [ LAN_Servers ];  
  source [ 192.168.2.0/24 ]; 
  destination [ 10.95.0.0/16 ]; 
  source-translation {
    static-ip {
      bi-directional no; translated-address 10.0.2.0/24;
    }
  }
}

#### Destination NAT

IPSecVPN_xxx-2 {
 to [ Untrust ] 
 from [ IPSec_xxx] 
 source [ 10.95.0.0/16 ] 
 destination [ 10.0.2.0/24 ] 
 destination-translation {
    translated-address 192.168.2.0/24;
  }

Note: that the to zone in your destination NAT should be zone based on your routing table for 10.0.2.0/24. If you don't have route for such network, traffic will be routed with default route to outside (or your what ever default is related). if you have route matching this network (for example 10.0.0.0/8) you need to put the zone following this route)

Remember:

	• NAT rule must be configured with pre-NAT zones (zones matching the addresses before the NAT)
	• Security rule must be configured with pre-NAT addresses, but post-NAT zones

Having the bidirectional enabled should work indeed, so if the traffic is failing I would suggest:
- Check the rule on the Fortigate at the other end
- Check the routing on the Fortigate at the other end
- Check if encrypted packets are increasing on the Fortigate

- Check for decrypted packets on your end
- As per revious comment - check if you can send traffic
- Check the log to confirm the NAT is applied
- Check for encrypted packets at your end and decrypted packets at Forti end

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Mon, 12 Nov 2018 20:57:16 GMT

I am still stuck here. There is not much I can check on the other side. They say that the traffic is entering the tunnel.

I do not see any traffic on my side.

In vRouter I have a static route for 10.95.0.0/16 directing it to the tunnel.

Should I have anything more there?

Re: IPSec VPN with overlapping networks

Raido_Rattameister — Mon, 12 Nov 2018 23:10:36 GMT

Go to Network > IPSec Tunnels

In Status column of the tunnel you have "Tunnel Info"

Click on it.

While they ping does Pkt Decap counter increase?

If yes then you are receiving packets.

Have you overrided last 2 intrazone-default and interzone-default rules to log?

If yes do you see any sessions in Monitor > Traffic ?

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Tue, 13 Nov 2018 01:18:59 GMT

Pkt Decap and Bytes Decap have values, the restof columns are zeros.

I have not overridden the default rules.

Re: IPSec VPN with overlapping networks

Raido_Rattameister — Tue, 13 Nov 2018 03:09:31 GMT

Is vpn tunnel interface in dedicated vpn zone? If yes do you have security policy to allow traffic from vpn zone to internal zone?

If you have not overridden default policies at the end then no log will appear to Monitor > Traffic if this traffic does not match to any existing security policy.

I suggest to enable packet capture filter and choose ingress interface tunnel interface that you have configured for that vpn.

And then check global counters with command below. Run it few times. What is output? Any drops?

> show counter global filter delta yes packet-filter yes

Re: IPSec VPN with overlapping networks

santonic — Tue, 13 Nov 2018 14:25:19 GMT

I would definitelly first check logs (and make sure you log everything).

If you can't find packet in logs then i would say PA isn't doing proxy ARP for static NAT rules.

Re: IPSec VPN with overlapping networks

Filip_Fronczak — Tue, 20 Nov 2018 11:37:29 GMT

Below is the configuration that finally worked.

Static Route

NAT

Security rules

Re: IPSec VPN with overlapping networks

santonic — Wed, 21 Nov 2018 07:12:25 GMT

Did you try only static route and only adding inbound NAT rule seperately? I'm curious what really was the original cause of issues.