How to Configure IPSec VPN Tunnel with NAT Traversal


203132
Created On 09/26/18 13:47 PM - Last Modified 11/09/23 01:15 AM


Environment


  • Next-Gen Firewall
  • IPSec VPN Tunnel with NAT Traversal
  • Example Topology used
    • PA1 ----- PA_NAT ----- PA2
    • Public IP of PA1 - 172.16.9.163
    • Public IP of PA2 - 172.16.9.160
    • Public IP of PA_NAT - 172.16.9.171
    • PA2's public IP 172.16.9.160 is NATed to PA_NAT's public IP 172.16.9.171


Procedure


Note:

  1. Configure the IKE Gateway on PA1
    1. Network> Network Profiles> IKE Gateway> click Add

  2. Configure the IPSec Tunnel on PA1
    1. Network> IPSec Tunnel> click Add

  3. Configure the IKE Gateway on PA2
    1. Network> Network Profiles> IKE Gateway> click Add

  4. Configure the IPSec Tunnel on PA2
    1. Network> IPSec Tunnel> click Add

  5. Configure the bi-directional NAT rule on the PA_NAT device from POLICIES> NAT> click Add
    1. The NAT rule is configured for traffic from Untrust to Untrust because the PA_NAT device receives the UDP traffic from PA2 on its Untrust interface and routes it back out toward PA1 after applying the NAT policy.

Shown below is the bi-directional NAT rule for both UDP ports 500 and 4500:

> show running nat-policy
NAT_T_IPSEC {
from Untrust;
source 172.16.9.160;
to Untrust;
to-interface  ;
destination 172.16.9.163;
service [ udp/any/500 udp/any/4500 ];
translate-to "src: 172.16.9.171 (static-ip) (pool idx: 2)";
terminal no;
}

NAT_T_IPSEC {
from any;
source any;
to Untrust;
to-interface  ;
destination 172.16.9.171;
service [ udp/any/500 udp/any/4500 ];
translate-to "dst: 172.16.9.160";
terminal no;
}
  6. Initiate the IPSec VPN tunnel from the PA2 (172.16.9.160) CLI:

    > test vpn ike-sa
    Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

    > test vpn ipsec-sa
    Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.


On the PA_NAT device, the following sessions are seen (source NAT applied to the IKE and NAT-T flows from PA2):

> show session all filter application ike
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14211        ike            ACTIVE  FLOW  NS   172.16.9.160[500]/Untrust/17  (172.16.9.171[500])
vsys1                                          172.16.9.163[500]/Untrust  (172.16.9.163[500])


 > show session all filter destination-port 4500
--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
14210        ipsec-esp-udp  ACTIVE  FLOW  NS   172.16.9.160[4500]/Untrust/17  (172.16.9.171[4500])
vsys1                                          172.16.9.163[4500]/Untrust  (172.16.9.163[4500])
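As an added check that is not part of the article, the following Python parses the two-line session rows in the output above and confirms that both the IKE (UDP/500) and NAT-T (UDP/4500) sessions from PA2 exist, are ACTIVE, and have their source translated to PA_NAT's public IP while the destination (PA1) is left unchanged; the sample input is constructed from the article's own topology addresses.

```python
import re

# Constructed sample in the two-line-per-session layout of the article's
# "show session all" output (source row, then the vsys/destination row).
SAMPLE_SESSIONS = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
14211        ike            ACTIVE  FLOW  NS   172.16.9.160[500]/Untrust/17  (172.16.9.171[500])
vsys1                                          172.16.9.163[500]/Untrust  (172.16.9.163[500])
14210        ipsec-esp-udp  ACTIVE  FLOW  NS   172.16.9.160[4500]/Untrust/17  (172.16.9.171[4500])
vsys1                                          172.16.9.163[4500]/Untrust  (172.16.9.163[4500])
"""

# Source row: id, app, state, type, flag, src[sport]/zone/proto (xsrc[xsport])
SRC_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+\S+\s+\S+\s+"
                     r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/\S+/(?P<proto>\d+)\s+"
                     r"\((?P<xsrc>[\d.]+)\[(?P<xsport>\d+)\]\)")
# Destination row: vsys dst[dport]/zone (xdst[xdport])
DST_ROW = re.compile(r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/\S+\s+"
                     r"\((?P<xdst>[\d.]+)\[(?P<xdport>\d+)\]\)")

def parse_sessions(text):
    """Pair each source row with the destination row that follows it."""
    sessions, pending = [], None
    for line in text.splitlines():
        if m := SRC_ROW.match(line):
            pending = m.groupdict()
        elif (m := DST_ROW.match(line)) and pending:
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    return sessions

def nat_t_problems(sessions, inside_ip, nat_ip, peer_ip):
    """Findings that would break NAT-T for inside_ip -> peer_ip; an empty list means OK."""
    by_port = {s["sport"]: s for s in sessions
               if s["src"] == inside_ip and s["dst"] == peer_ip and s["proto"] == "17"}
    problems = []
    for port, app in (("500", "ike"), ("4500", "ipsec-esp-udp")):
        s = by_port.get(port)
        if s is None:
            problems.append(f"no UDP/{port} session from {inside_ip} to {peer_ip}")
        elif s["app"] != app or s["state"] != "ACTIVE":
            problems.append(f"UDP/{port} session {s['id']} is {s['app']}/{s['state']}, expected {app}/ACTIVE")
        elif s["xsrc"] != nat_ip or s["xdst"] != peer_ip:
            problems.append(f"UDP/{port} translated to {s['xsrc']} -> {s['xdst']}, expected {nat_ip} -> {peer_ip}")
    return problems
```

A missing UDP/4500 session with a healthy UDP/500 session is the usual sign that the NAT rule covers IKE but not NAT-T, which is exactly why the article's rule lists both ports.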


  7. Verify that the tunnels are UP on both PA1 and PA2 in the GUI under NETWORK> IPSec Tunnels

PA1:

PA2:

