Site to Site VPN Double NAT Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Site to Site VPN Double NAT Issue

L0 Member

Hi,

We have a branch office connected via site to site vpn, plao alto firewalls at both locations.

Due to buiding works the office has been relocated to a shared building and we're having to use a third party's network connection. We've been provided with a public IP address which is then NAT to a 192.x.x.x address which they then route to our fw. We would like to reinstate the site to site vpn.

The fw at the new location has the external interface set on the private 192.x.x.x range. Phase 1 negotioation from our main site is failing as it detects the private address as an invalid peer as we have the public address configured as the remote peer on the IKE Gateway.

Is there a way around this?

Thanks in advance.

2 REPLIES 2

L6 Presenter

Yes. You can use different IP address for transport and for phase 1 identification. Put the public IP address on  IKE gateway as "Peer IP Address" and private IP address under "Peer Identification -> IP address".

 

L5 Sessionator

Firstly turn on the NAT travesal Network> IKE gateway> Advance options> Enble NAT traversal.

 

Use Local identificaiton and remote identification on both firewall. In these fields you can select IP address configured on the interface.

 

PA1(Public) PA2 (private)

 

The firewall which have public IP address PA1 set the peer ip address under the IKE gateway as Public IP address of the other firewall. Initiate the tunnel negotiation from PA2

 

Use these command:

test vpn ike-sa

test vpn ipsec-sa

 

Let us know if it helps or not.

  • 3961 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!