This walkthrough covers the setup of an IPSec VPN using SNAT, also known as Virtual Address Mapping.
Overview
When creating a VPN tunnel between two or more sites that use the same IP subnet, an IP conflict occurs. Because all sites share the same IP subnet scheme, traffic will not pass through the tunnel. Setting up virtual NAT over the VPN is a good way to work around this conflict. Virtual NAT on a VPN tunnel makes your computers' IP addresses appear through the tunnel as addresses different from their true IP addresses, which allows all networks involved to route traffic properly through the VPN.
Supported Devices
ZyWALL USG 20
ZyWALL USG 20W
ZyWALL USG 50
ZyWALL USG 100
ZyWALL USG 100-PLUS
ZyWALL USG 200
ZyWALL USG 300
ZyWALL USG 1000
ZyWALL USG 2000
ZyWALL 110
ZyWALL 310
ZyWALL 1100
USG40
USG40W
USG60
USG60W
USG110
USG310
USG1100
USG1900
USG20-VPN
USG20W-VPN
USG2200-VPN
Main Office Setup
- First thing we need to do is add the address objects for the Branch Office LAN subnet and the Fake LAN. To create the address objects go to menu Configuration → Object → Address.
- Fake LAN Address Object
- Remote LAN Address Object
- Now that our address objects have been created, we can start configuring the IPSec VPN policy/rule. To set the IPSec policy/rule go to Configuration → VPN → IPSec VPN and click the "VPN Gateway" tab to add the Phase 1 (IKE) portion of the VPN policy/rule.
- Click on the "Show Advanced Settings" option on the top left.
- Enable the policy and provide a name for the rule.
- Under "Gateway Settings", in the My Address field, select the WAN connection you want the router to use to establish the VPN connection.
- For the Peer Gateway Address type in the public IP or Domain/DDNS name for the remote VPN router.
- Scroll down to "Authentication" and create a pre-shared key (8-64 characters).
- Set the "Phase 1 Settings" encryption, authentication and DH group algorithms you wish to use for the tunnel encryption.
- Click OK to save and apply the changes.
- Once the "VPN Gateway" policy has been created, click on the "VPN Connection" tab to add the Phase 2 (IPSec) portion of the VPN policy/rule.
- Click on the "Show Advanced Settings" option on the top left.
- Enable the policy and provide a name for the rule.
- Under "VPN Gateway" select the appropriate VPN connection scenario and click on the "VPN Gateway" drop-down box to select the Phase 1 rule to use.
- Scroll down to "Policy" and for the local policy select the Fake_Subnet address object from the drop-down. For the remote policy select the object created for the branch office's network, in this case REMOTE_SUBNET.
- Set the "Phase 2 Settings" encryption and authentication algorithms you wish to use for the tunnel encryption. You can enable PFS (Perfect Forward Secrecy) and set the DH group for additional protection of the session keys.
- Scroll down to "Inbound/Outbound traffic NAT" and enable the Source NAT option.
- For the "Source" drop-down, select the 'real' network IP scheme. For "Destination" select the branch offices real network IP scheme. For "SNAT" select the "Fake_Subnet" network scheme to use. This option will translate the 'real' network traffic to the "Fake_Subnet" when attempting to access the branch office.
- Scroll down to "Destination NAT" and enable the option.
- Click the Add button to insert an entry. Set the "Original IP" to the "Fake_Subnet" and the "Mapped IP" to the 'real' LAN subnet. This option will translate traffic coming from the branch office that uses the fake IPs back to the real LAN IPs.
- Click OK to save and apply changes.
- After creating the VPN policy/rule, a route needs to be created to have the ZyWALL push traffic destined for the branch office through the VPN tunnel. The VPN policy/rule automatically creates a route based on what is selected for the Policy (Local/Remote Policy), but since the VPN policy was created to use a fake subnet, the router will not send real LAN traffic through the tunnel, because that traffic doesn't match what was specified for the Policy. To create the needed route go to Configuration → Network → Routing.
- Click the ADD button to add a Policy Route rule.
- Make sure the ENABLE checkbox is selected.
- For the rule's "Criteria" set the Source Address field to use the real LAN, LAN1_SUBNET in this case. Set the Destination Address field to use the branch office address object, REMOTE_SUBNET.
- Scroll down to the "Next-Hop" option and set it for VPN Tunnel.
- A new drop-down will appear. Click on it and select the VPN policy/rule you want to send the traffic through.
- Click OK to save and apply changes.
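The translation the main office applies is a one-to-one subnet mapping: the Source NAT entry rewrites the real LAN source to the matching host in Fake_Subnet on the way out, and the Destination NAT entry rewrites Fake_Subnet destinations back to the real LAN on the way in, while the policy route decides which traffic enters the tunnel at all. The following Python model is an added example (not Zyxel code and not taken from the ZyWALL firmware) that reproduces that logic with the walkthrough's sample addresses (192.168.27.0/24 as LAN1_SUBNET, 192.168.101.0/24 as REMOTE_SUBNET, 10.10.10.0/24 as Fake_Subnet) and also checks an address plan for the overlaps that break a tunnel in the first place. The function and variable names are assumptions made for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample values taken from the walkthrough's examples:
# main office real LAN (LAN1_SUBNET), branch office real LAN (REMOTE_SUBNET)
# and the fake subnet (Fake_Subnet) the main office presents through the tunnel.
MAIN_REAL = ipaddress.ip_network("192.168.27.0/24")
BRANCH_REAL = ipaddress.ip_network("192.168.101.0/24")
FAKE = ipaddress.ip_network("10.10.10.0/24")


def translate(addr: str, src_net: ipaddress.IPv4Network,
              dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """1:1 subnet translation: keep the host part, replace the network part.

    192.168.27.24 in 192.168.27.0/24 becomes 10.10.10.24 in 10.10.10.0/24.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("a 1:1 mapping needs equally sized subnets")
    host_part = int(ip) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_part)


def check_plan(main_real: ipaddress.IPv4Network, branch_real: ipaddress.IPv4Network,
               fake: ipaddress.IPv4Network) -> List[str]:
    """Return the problems with an address plan; an empty list means it is usable.

    The real subnets overlapping is the conflict this whole setup works around;
    the fake subnet must then be distinct from both sites, and the same size as
    the main office LAN so every host has exactly one mapped address.
    """
    problems = []
    if main_real.overlaps(branch_real):
        problems.append(f"{main_real} and {branch_real} overlap: "
                        "they cannot be used directly as the tunnel policies")
    if fake.overlaps(branch_real):
        problems.append(f"Fake_Subnet {fake} overlaps the branch LAN {branch_real}")
    if fake.overlaps(main_real):
        problems.append(f"Fake_Subnet {fake} overlaps the main office LAN {main_real}")
    if fake.prefixlen != main_real.prefixlen:
        problems.append("Fake_Subnet must be the same size as the main office LAN")
    return problems


def main_office_outbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Policy route plus Source NAT at the main office.

    Returns the (source, destination) pair as it travels inside the tunnel, or
    None when the packet does not match the policy route and never enters the VPN.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MAIN_REAL and d in BRANCH_REAL:          # policy route criteria
        return str(translate(src, MAIN_REAL, FAKE)), dst  # SNAT to Fake_Subnet
    return None


def main_office_inbound(src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Destination NAT at the main office for traffic arriving from the branch.

    The branch addresses hosts in Fake_Subnet; the entry maps them to the real LAN.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in BRANCH_REAL and d in FAKE:
        return src, str(translate(dst, FAKE, MAIN_REAL))
    return None


if __name__ == "__main__":
    print("plan problems:", check_plan(MAIN_REAL, BRANCH_REAL, FAKE))
    print("branch ping to fake host:", main_office_inbound("192.168.101.10", "10.10.10.24"))
    print("main office reply as seen in tunnel:", main_office_outbound("192.168.27.24", "192.168.101.10"))
    print("internet-bound traffic:", main_office_outbound("192.168.27.24", "8.8.8.8"))
```

Running the script with the sample values shows a branch ping to 10.10.10.24 arriving at 192.168.27.24, the reply leaving the main office with 10.10.10.24 as its source, and internet-bound traffic left untouched because it does not match the policy route criteria.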
Branch Office Setup
- The first thing we need to do is add the address object for the main office's fake LAN subnet. To create the address object go to menu Configuration → Object → Address.
- Main Office fake LAN Address Object
- Now that the address object has been created, we can start configuring the IPSec VPN policy/rule. To set the IPSec policy/rule go to Configuration → VPN → IPSec VPN and click the "VPN Gateway" tab to add the Phase 1 (IKE) portion of the VPN policy/rule.
- Click on the "Show Advanced Settings" option on the top left.
- Enable the policy and provide a name for the rule.
- Under "Gateway Settings", in the My Address field, select the WAN connection you want the router to use to establish the VPN connection.
- For the Peer Gateway Address type in the public IP or Domain/DDNS name for the remote VPN router.
- Scroll down to "Authentication" and create a pre-shared key (8-64 characters).
- Set the "Phase 1 Settings" encryption, authentication and DH group algorithms you wish to use for the tunnel encryption.
- Click OK to save and apply the changes.
- Once the "VPN Gateway" policy has been created, click on the "VPN Connection" tab to add the Phase 2 (IPSec) portion of the VPN policy/rule.
- Click on the "Show Advanced Settings" option on the top left.
- Enable the policy and provide a name for the rule.
- Enable the Nailed-Up option; this keeps the VPN connection alive.
- Under "VPN Gateway" select the appropriate VPN connection scenario and click on the "VPN Gateway" drop-down box to select the Phase 1 rule to use.
- Scroll down to "Policy" and for the local policy select the real network address object from the drop-down (LAN1_SUBNET). For the remote policy select the object created for the main office's network, in this case MAIN_OFFICE.
- Set the "Phase 2 Settings" encryption and authentication algorithms you wish to use for the tunnel encryption. You can enable PFS (Perfect Forward Secrecy) and set the DH group for additional protection of the session keys.
Testing and Troubleshooting
How to check if the VPN tunnel is connected:
- There are two menus where you can check whether the tunnel is connected or not. You can check the IPSec VPN monitor under the MONITOR menu, or you can check in the VPN menu under CONFIGURATION.
The Monitor menu (Monitor → VPN Monitor → IPSec) will show all live tunnels.
In the VPN Configuration menu (Configuration → VPN → IPSec VPN) the icon with the globe and chainlink will be complete.
- To manually attempt to get the VPN connected, highlight the VPN rule and click the "Connect" option across the top.
- Check that the VPN Gateway and VPN Connection rules match on both sites. If the rules pre-shared key and security algorithms don't match the VPN will not establish.
- Contact Zyxel Technical support for additional support. Support is available Monday through Friday from 8AM to 5PM PT @ 800-255-4101 option 5 (Tech Support). You can also get email support by completing the "Support Request Form" here.
From the branch office, try to ping a device at the main office using its 10.10.10.x IP. Example: pinging 10.10.10.24 would be translated to 192.168.27.24 when it reaches the main office, by the Destination NAT entry of the VPN Connection rule that maps Fake_Subnet back to the real LAN.
- If the ping test fails, verify that the device you are testing against is set to respond to PING/ICMP requests.
- Disable the destination device firewall to make sure it is not blocking traffic.
- Disable the ZyWALL's firewall/policy control.
- Double check the SNAT setting for the VPN Connection policy/rule.
- Make sure the Policy Route on the main office is set up correctly: the source address should be the real LAN IP, the destination should be the real branch office LAN IP, and Next-Hop should be VPN Tunnel.
- Contact Zyxel Technical support for additional support. Support is available Monday through Friday from 8AM to 5PM PT @ 800-255-4101 option 5 (Tech Support). You can also get email support by completing the "Support Request Form" here.
From the main office, try to ping a device at the branch office, 192.168.101.x.
- If the ping test fails, verify that the device you are testing against is set to respond to PING/ICMP requests.
- Disable the destination device firewall to make sure it is not blocking traffic.
- Disable the ZyWALL's firewall/policy control.
- Make sure the Policy Route on the main office is set up correctly: the source address should be the real LAN IP, the destination should be the real branch office LAN IP, and Next-Hop should be VPN Tunnel.
- Contact Zyxel Technical support for additional support. Support is available Monday through Friday from 8AM to 5PM PT @ 800-255-4101 option 5 (Tech Support). You can also get email support by completing the "Support Request Form" here.