08-08-2017 08:11 AM
I have an SSG5 which connects direct to the Internet using PPPoE. So it has a static public IP on the untrusted interface.
A VPN tunnel from the LAN connects to a data center in Japan. This has been working successfully for many years.
Now I need to put it behind a router. This will result in the untrusted zone IP being a NAT address in the range of 192.168.1.0/24.
As soon as I do this, I cannot connect to the servers in Japan. The VPN tunnel, however, is up: just no data is returned. I do know that the Japanese filter based upon my public IP address as a security precaution.
Acting on a hunch, I added in another router, so my network looked like this:
INTERNET-----59.167.x.x-ROUTER 1-192.168.1.1-----192.168.1.2-ROUTER 2-59.167.x.1-----59.167.x.x-SSG5-192.168.10.1-----LAN
I hope this makes sense: the Router 2 made a NAT internal network with a subnet containing my real public IP address, and assigned that to the untrusted interface on my SSG5. This actually worked, and I could connect to the servers once again.
Obviously triple NAT is not desirable, and is a major hack! So how do I remove ROUTER 2, and tell the SSG5 to replace the 192.168.1.x address with my public address 59.167.x.x for the VPN tunnel?
Any advice would be much appreciated!
08-08-2017 09:27 PM
Thanks for pointing me in the right direction.
The only place I can see NAT Traversal is for the VPN Gateway (VPNs/AutoKey Advanced/Gateway/Edit/Advanced).
I've tried enabling that, yet it doesn't seem to make any difference: Tunnel still comes up, but no traffic. Is there somewhere else I should be enabling NAT Traversal?
08-14-2017 08:03 PM
Did NAT-T actually kick in when you were being NATed to the 192.168.x.x alone? You can verify it by checking the 'get sa' output. The port number would show 4500, instead of 500.
You may want to enable NAT-T on the remote peer device as well.
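The check suggested in the reply above (look at the port column of 'get sa' to see whether NAT-T was negotiated) can be automated when you have several tunnels to review. The following is an added example, not code from the thread or from Juniper: it parses a constructed sample that approximates ScreenOS 'get sa' output (the exact column layout is an assumption and may differ between ScreenOS releases, so adjust the regular expression to your firmware's output) and reports, per remote gateway, whether the SAs run over UDP 4500 (NAT-T active) or UDP 500 (plain IKE/ESP, which a NAT device in the path will usually break), and whether both directions are up.

```python
import re
from typing import Dict, List

# Constructed sample approximating ScreenOS 'get sa' output. Gateways use
# documentation addresses; the column layout is an assumption.
SAMPLE_GET_SA = """\
Total active sa: 2
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<   203.0.113.5  4500 esp:a128/sha1 4b6c3c07  3435 unlim A/-    -1 0
00000001>   203.0.113.5  4500 esp:a128/sha1 8a1c2f33  3435 unlim A/-    -1 0
00000002<   198.51.100.9  500 esp:a128/sha1 0c1d2e3f  2800 unlim A/-    -1 0
00000002>   198.51.100.9  500 esp:a128/sha1 5f6a7b8c  2800 unlim A/-    -1 0
"""

# One SA row: hex id, direction marker, gateway, port, algorithm, SPI,
# lifetime (sec, kb) and status. Header and summary lines do not match.
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]+)(?P<dir>[<>])\s+"
    r"(?P<gateway>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<port>\d+)\s+"
    r"(?P<algo>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+"
    r"(?P<life_sec>\S+)\s+(?P<life_kb>\S+)\s+"
    r"(?P<status>\S+)"
)


def parse_get_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA row found in 'get sa' output."""
    rows = []
    for line in text.splitlines():
        match = SA_LINE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def nat_t_status(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, bool]]:
    """Summarise per gateway: NAT-T in use, all SAs active, both directions present."""
    per_gateway: Dict[str, Dict[str, object]] = {}
    for row in rows:
        entry = per_gateway.setdefault(
            row["gateway"], {"ports": set(), "statuses": [], "dirs": set()}
        )
        entry["ports"].add(row["port"])
        entry["statuses"].append(row["status"])
        entry["dirs"].add(row["dir"])

    summary: Dict[str, Dict[str, bool]] = {}
    for gateway, entry in per_gateway.items():
        summary[gateway] = {
            # UDP 4500 means IKE/ESP is UDP-encapsulated (NAT-T negotiated).
            "nat_t": "4500" in entry["ports"],
            # ScreenOS shows an active SA with a status starting with 'A'.
            "active": all(s.startswith("A") for s in entry["statuses"]),
            # Inbound (<) and outbound (>) SAs should both be present.
            "both_directions": entry["dirs"] == {"<", ">"},
        }
    return summary


def diagnose(text: str) -> List[str]:
    """Human-readable findings; a tunnel that is up on UDP 500 behind NAT is the classic 'tunnel up, no traffic' case."""
    findings = []
    for gateway, st in nat_t_status(parse_get_sa(text)).items():
        if not st["active"] or not st["both_directions"]:
            findings.append(f"{gateway}: SA not fully established")
        elif st["nat_t"]:
            findings.append(f"{gateway}: NAT-T active (UDP 4500)")
        else:
            findings.append(
                f"{gateway}: no NAT-T (UDP 500); if this peer sits behind NAT, "
                "enable NAT Traversal on both gateways"
            )
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_GET_SA):
        print(line)
```

Run it against the saved output of 'get sa' from the SSG5 (replace SAMPLE_GET_SA with the real text). A gateway reported as "no NAT-T (UDP 500)" while the firewall's untrusted interface carries a 192.168.1.x address is the situation described in this thread: the tunnel negotiates, but ESP does not survive the NAT, so no data comes back.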