How do I route a public IP range over an IPSEC VPN?

vpn nat ipsec sonicwall
9,220

Solution 1

To come back to an old question I posted:

The answer is... Get a new router!

I wasted far too much time on this... It turns out that MANY off the shelf routers, just can't cope. Sonicwall and Juniper are just a few that failed.

The problem is, you have to define your WAN and LAN, and IPSEC/VPN interfaces are attached to WAN, then, if there is a bit of crossover or you need a setup out of the ordinary, it just fails and can't route properly.

In the end, I found Vyatta and EdgeOS (fork from Vyatta) handle this setup brilliantly, you simply state which subnets to forward, which interface the tunnel should be on - and it just works as expected.

Solution 2

So, you just need to route requests to a certain range on the Internet via the tunnel? Can you add a static route for that range?

As a workaround, set up a proxy server at Site A and have machines at Site B use that for the certain sites.

Think simpler!

Solution 3

If I understand your question, you are trying to do this:

Server A - Router A - VPN - Router B - Site B

You need Site B to be able to access Server A (which is a public IP) over the VPN, but you need the source address to look like it is coming from Site A?

You'll need to specify traffic going to Server A to go over the VPN on Router B. On Router A, you'll need to specify the return traffic to go over the VPN. Next, on Router A, you'll need to configure the NAT rule, to change the SRC IP of the traffic coming from Site B and going to Server A to an IP address that Server A will accept.

Share:
9,220

Related videos on Youtube

William Hilsum
Author by

William Hilsum

Updated on September 18, 2022

Comments

  • William Hilsum
    William Hilsum almost 2 years

    So, I have an established IPSec Site to Site tunnel.

    Site A has a SonicWall, Site B has a EdgeRouter.

    The first tunnel consists of Site A's NATed ips to Site B's NATed ips.

    Everything works as expected.

    Next, I have a public IP range that Site B needs to access, but, requests need to look like they have come from Site A. When I set up this tunnel, I can just see traffic drop at the gateway.

    I can't access any of these ips. Due to the fact that it works fine in the same config for lan to lan, I believe it could be a NAT issue - but I am not certain, nor know how to diagnose further.

    This could be a red herring as I wasn't very confident... I have tried putting in "allow all" rules on VPN>WAN/WAN>VPN, then filter to an individual IP, then ping it from site B... I see dropped packets.

    Can anyone offer any advice here?

  • William Hilsum
    William Hilsum about 11 years
    Just to make sure we are on the same page... the public ip range is not actually located at Site A, What I need is similar to putting a vpn tunnel for the ip of "whatismyip.com", then going to that website from site b and it showing the address of site A, I believed it was a NAT rule, my problem is I have been trying all day to configure it and not having much luck... I really need a step-by-step guide for SonicWall as I believe I have tried pretty much everything (including what you said) without much luck.
  • William Hilsum
    William Hilsum about 11 years
    I have already thought about that :( I have tried setting a static route in Site B for the entire range and stuck the gateway of Site A as the next hop... However, I think there is still the issue of NAT when the requests have to leave Site A to the network... I don't think it is being applied by the SonicWall, so, the packets get dropped :(
  • Kasia
    Kasia about 11 years
    if you just modify the SRC IP from site B hosts, to Site A IP, the return traffic from the Public IP Range will go to Site A and be dropped. As Site A won't be expecting traffic from the Website. I don't know Sonicwall very much, but the idea I said in my reply will still stand. You'll need to send Site B traffic destined for Public IP Range over the VPN and NAT the SRC IP on Router A. When the return traffic comes back, it will be UNNAT'd, sent over the VPN, and then sent to its dst.
  • Steve Townsend
    Steve Townsend about 11 years
    Proxy server! Do eeeeet!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

strongSwan setup where both sides are behind NAT
How do you implement NAT-T passthrough on a Juniper SRX series Firewall?
how do I connect to a VPN with ipsec?
VPN between Ubuntu server (14.04.1 LTS ) AND Cisco ASA 5510
L2TP IPsec VPN client on Ubuntu Desktop 16.04
Unable to connect L2TP IPSec VPN from ubuntu 16.04
L2TP / IPSec failing to connect (Kubuntu 17.10)
VPN L2TP/IPSec client on Ubuntu 16.04 VPN service failed to start
Where to add the Pre-Shared Key for the Server Authentication with Network Manager for L2TP/IPSEC?
Set up VPN server on a DD-WRT router behind NAT