NAT Network for IPSEC tunnel

tunnel
vpn
ipsec
nat

#1

Hi Everyone,

I am new to this forum and I hope I will have your support in finding a solution to my issue.
So, I have configured several peers on my VyOS and I am going to configure a new one for a customer.
He unfortunately has the same internal network as my local prefix, and that's why I need to NAT this network, but I don't know how to do it on VyOS. In addition, will it cause some sort of issues on the other peers?

In the configuration below I just exported one out of the 4 tunnels I created as an example. So how do I NAT the network 10.60.0.0/16?

vpn {
    ipsec {
        esp-group esp {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha256
            }
        }
        ike-group ike {
            dead-peer-detection {
                action restart
                interval 15
                timeout 60
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 5
                encryption aes128
                hash sha256
            }
        }
        peer x.x.x.x {
            authentication {
                mode pre-shared-secret
                pre-shared-secret
            }
            connection-type initiate
            default-esp-group esp
            description vE-K
            ike-group ike
            ikev2-reauth inherit
            local-address y.y.y.y
            tunnel 1 {
                allow-nat-networks disable
                allow-public-networks disable
                local {
                    prefix 10.60.0.0/16
                }
                remote {
                    prefix 192.168.1.0/24
                }
            }
        }
    }
}

Thank you in advance :slight_smile:


#2

Hi,

You could configure an IPsec VTI and hide the subnets behind the tunnel IP address.

IPSec VTI: https://wiki.vyos.net/wiki/VTI_with_Palo_Alto
NAT: https://wiki.vyos.net/wiki/User_Guide#NAT
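As an added example (not from the thread or the VyOS project), here is the VTI approach from #2 written out as VyOS 1.2-style `set` commands for the peer in #1: the tunnel gets a point-to-point address, 10.60.0.0/16 is source-NATed to the local VTI address, and the NAT rule is scoped to vti1 so the existing policy-based tunnels are not touched. The VTI addresses 10.255.1.1/30 and 10.255.1.2, the WAN interface eth0 and the remote prefix 192.168.1.0/24 are assumed placeholders.

```vyos
# Added example (not from the thread): route-based (VTI) tunnel to the
# customer peer, with our overlapping 10.60.0.0/16 hidden behind the VTI.
# Assumed/constructed values: 10.255.1.1/30 (our VTI address),
# 10.255.1.2 (customer VTI address), eth0 (our WAN interface),
# 192.168.1.0/24 (customer LAN, taken from the export in #1 as a stand-in).

# Point-to-point VTI: the customer only ever sees 10.255.1.1, never 10.60.0.0/16
set interfaces vti vti1 address '10.255.1.1/30'
set interfaces vti vti1 description 'vE-K (route-based)'

# Reuse the existing esp/ike groups, but bind the peer to the VTI instead of
# a local/remote prefix pair (the old "tunnel 1" block is removed for this peer)
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer x.x.x.x authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret '<secret>'
set vpn ipsec site-to-site peer x.x.x.x ike-group 'ike'
set vpn ipsec site-to-site peer x.x.x.x local-address 'y.y.y.y'
set vpn ipsec site-to-site peer x.x.x.x connection-type 'initiate'
set vpn ipsec site-to-site peer x.x.x.x vti bind 'vti1'
set vpn ipsec site-to-site peer x.x.x.x vti esp-group 'esp'

# With a VTI the routing table, not a traffic selector, decides what enters the tunnel
set protocols static interface-route 192.168.1.0/24 next-hop-interface vti1

# Hide 10.60.0.0/16 behind the VTI address. Because the rule matches on
# outbound-interface vti1 only, traffic for the other (policy-based) peers,
# which never leaves through vti1, is not translated.
set nat source rule 100 description 'hide overlapping LAN from vE-K'
set nat source rule 100 outbound-interface 'vti1'
set nat source rule 100 source address '10.60.0.0/16'
set nat source rule 100 translation address '10.255.1.1'
```

If the customer's LAN is itself 10.60.0.0/16, they apply the mirror-image source NAT behind 10.255.1.2 on their side and each end routes only the other end's VTI address into the tunnel, so neither overlapping prefix ever appears on the wire. Use `show nat source translations` and `show vpn ipsec sa` to confirm that only vti1 traffic is being translated and that the other peers' SAs stay up.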