SRX Services Gateway

How to apply NAT before policy based IPSEC VPN? Virtual router an option?

‎06-08-2016 06:09 AM

 

Hi all,

 

I have an issue.

I need to set up an IPsec VPN from a Juniper SRX 240 to a third party running a pfSense firewall.

 

LAN subnet on my end is 10.0.0.0/24

The requirement is to have it NAT-ed (source NAT, dynamic ports) to 172.16.1.1/32 before sending into the IPSEC tunnel.

LAN subnet behind the remote PFSense is 192.168.1.0/24

 

I was wondering if I could create a virtual router, use it just for the purpose of NAT, and once NAT is done, send the traffic to the current router?

 

The sequence should look like this:

10.0.0.0/24 -> NAT -> 172.16.1.1/32 -> IPsec tunnel -> 192.168.1.0/24

 

Thanks for your time!

 

Cheers,

 

Alex

 

 

Solution
Accepted by topic author Alex7
‎06-08-2016 07:31 AM

Re: How to apply NAT before policy based IPSEC VPN? Virtual router an option?

‎06-08-2016 06:49 AM

Hi Alex,

 

As you have mentioned, you can NAT the traffic first and send it to a VR; you may terminate the VPN on the interface inside the VR, and this should solve your problem.

However, there are a few points that you need to consider:

# The throughput would go down, as the same traffic is traversing the SRX twice.

# The number of sessions would reduce.

# In short, the overall efficiency of the SRX would reduce, as the traffic through the SRX is doubled.

# It may work, but Juniper doesn't support NAT on policy-based VPNs, so JTAC will not be able to move ahead on this issue.

 

Regards

Hemant


Re: How to apply NAT before policy based IPSEC VPN? Virtual router an option?

‎06-08-2016 05:29 PM

You can connect to a policy VPN on the remote device while still configuring a route-based VPN on the SRX. Then you can apply NAT to the VPN traffic without any extra configuration oddities.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
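
A sketch of the route-based approach from the reply above, using the subnets from the original question. This is an added example, not configuration posted by anyone in the thread. The interface names, zone names, object names, peer address 203.0.113.10 and the pre-shared key placeholder are assumptions. The proxy-identity carries the post-NAT address so the selectors match what the policy-based peer expects.

```junos
# Tunnel interface in its own zone (zone name "vpn" is an assumption)
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 192.168.1.0/24 next-hop st0.0

# IKE phase 1 toward the pfSense peer (address and key are placeholders)
set security zones security-zone untrust host-inbound-traffic system-services ike
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposal-set standard
set security ike policy IKE-POL pre-shared-key ascii-text "<PRE-SHARED-KEY>"
set security ike gateway GW-PFSENSE ike-policy IKE-POL
set security ike gateway GW-PFSENSE address 203.0.113.10
set security ike gateway GW-PFSENSE external-interface ge-0/0/0.0

# Phase 2: route-based VPN bound to st0.0. The proxy-identity advertises
# the NAT-ed source, which the policy-based peer uses as its remote network.
set security ipsec policy IPSEC-POL proposal-set standard
set security ipsec vpn VPN-PFSENSE bind-interface st0.0
set security ipsec vpn VPN-PFSENSE ike gateway GW-PFSENSE
set security ipsec vpn VPN-PFSENSE ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-PFSENSE ike proxy-identity local 172.16.1.1/32
set security ipsec vpn VPN-PFSENSE ike proxy-identity remote 192.168.1.0/24
set security ipsec vpn VPN-PFSENSE ike proxy-identity service any
set security ipsec vpn VPN-PFSENSE establish-tunnels immediately

# Source NAT with port translation: 10.0.0.0/24 -> 172.16.1.1/32,
# applied only to traffic leaving through the vpn zone
set security nat source pool VPN-SNAT address 172.16.1.1/32
set security nat source rule-set TRUST-TO-VPN from zone trust
set security nat source rule-set TRUST-TO-VPN to zone vpn
set security nat source rule-set TRUST-TO-VPN rule R1 match source-address 10.0.0.0/24
set security nat source rule-set TRUST-TO-VPN rule R1 match destination-address 192.168.1.0/24
set security nat source rule-set TRUST-TO-VPN rule R1 then source-nat pool VPN-SNAT

# Security policy matches the original (pre-NAT) source address
set security address-book global address LAN-LOCAL 10.0.0.0/24
set security address-book global address LAN-REMOTE 192.168.1.0/24
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match source-address LAN-LOCAL
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match destination-address LAN-REMOTE
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match application any
set security policies from-zone trust to-zone vpn policy ALLOW-VPN then permit
```

On the pfSense side, the phase 2 entry would then use 192.168.1.0/24 as the local network and 172.16.1.1/32 as the remote network. After commit, `show security ipsec security-associations` and `show security flow session` confirm the tunnel and the translated source.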