Connecting 2 LANs with the same subnet via Vyatta IPSec tunnel

One of our clients needed to connect all of its own clients over VPN tunnels. To get the widest compatibility with the customers' end devices I chose IPSec. To improve security, and to keep the impact on the clients as low as possible if we later had to change something on our side, we had the following requirement: all traffic we originate inside the IPSec tunnel has to be NATed, and the clients have to NAT all of their traffic as well. We used Vyatta as our VPN concentrator. I had little experience with Vyatta and found that documentation is lacking. This document assumes you have basic knowledge of NAT and IPSec configuration on Vyatta.

Basic diagram to help you visualize:

First, let's create an outbound (masquerade) rule so your LAN can reach the Internet (if required):

rule 100 {
    outbound-interface eth0
    source {
        address 192.168.7.0/24
    }
    type masquerade
}

Second, we need a destination NAT rule that maps the server to 172.30.255.100, the address the peer will see:

rule 49 {
    description "Nated Server"
    destination {
        address 172.30.255.100
    }
    inbound-interface eth0
    inside-address {
        address 192.168.7.5
    }
    protocol all
    type destination
}

Next we apply source NAT to all traffic destined for the IPSec tunnel, so the server leaves as 172.30.255.100:

rule 91 {
    destination {
        address 172.30.255.100/32
    }
    outbound-interface eth0
    outside-address {
        address 172.30.255.100
    }
    source {
        address 192.168.7.5
    }
    type source
}

And finally the IPSec tunnel itself:

vpn {
    ipsec {
        esp-group POS_ESP {
            compression disable
            lifetime 28800
            mode tunnel
            pfs enable
            proposal 1 {
                encryption 3des
                hash sha1
            }
        }
        ike-group POS_IKE {
            lifetime 86400
            proposal 1 {
                dh-group 5
                encryption 3des
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 6.7.8.9 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                description "Client01"
                ike-group POS_IKE
                local-ip 72.72.1.4
                tunnel 1 {
                    esp-group POS_ESP
                    local-subnet 172.30.255.100/32
                    remote-subnet 172.30.255.101/32
                }
            }
        }
    }
}

That's all. You should now have a NATed flow of traffic inside the IPSec tunnel.
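As an added example (not part of the original post), here is a small Python model of how the rules above interact: source NAT is applied before the IPsec policy lookup, so only the server's NATed address matches the /32 tunnel selectors, while the rest of the LAN is masqueraded out in the clear and the peer never sees a real 192.168.7.0/24 address. Assumptions: eth0 carries the local-ip 72.72.1.4, NAT rules are tried in ascending number order, and rule 91 is keyed on the peer's NATed address 172.30.255.101/32 (the rule in the post lists 172.30.255.100/32 as its destination).

```python
from ipaddress import ip_address, ip_network

# Constructed model of the page's rules. Rule numbers and addresses are from the post;
# assumed: eth0 = 72.72.1.4 (the local-ip), rules tried in ascending order, and
# rule 91 keyed on the peer's NATed address 172.30.255.101/32.
SOURCE_NAT = [  # (rule, source match, destination match, translated source)
    (91, "192.168.7.5/32", "172.30.255.101/32", "172.30.255.100"),
    (100, "192.168.7.0/24", "0.0.0.0/0", "72.72.1.4"),   # masquerade to eth0 address
]
DEST_NAT = [(49, "172.30.255.100/32", "192.168.7.5")]     # (rule, dest match, inside address)
TUNNEL = ("172.30.255.100/32", "172.30.255.101/32")       # tunnel 1 local-subnet, remote-subnet


def _in(addr, net):
    return ip_address(addr) in ip_network(net)


def outbound(src, dst):
    """Packet leaving eth0: source NAT runs first, then the IPsec policy lookup.

    Only a packet whose (already translated) addresses match the tunnel's /32
    selectors is encrypted; anything else goes out in the clear via eth0.
    """
    rule = None
    for num, src_net, dst_net, new_src in SOURCE_NAT:
        if _in(src, src_net) and _in(dst, dst_net):
            src, rule = new_src, num
            break
    encrypted = _in(src, TUNNEL[0]) and _in(dst, TUNNEL[1])
    return {"src": src, "dst": dst, "nat_rule": rule, "ipsec": encrypted}


def inbound(src, dst):
    """Decrypted packet from the peer: enforce the tunnel selectors, then destination NAT.

    The peer can only address 172.30.255.100; it never reaches 192.168.7.0/24 directly.
    """
    if not (_in(src, TUNNEL[1]) and _in(dst, TUNNEL[0])):
        return {"accepted": False, "dst": dst, "nat_rule": None}
    for num, dst_net, inside in DEST_NAT:
        if _in(dst, dst_net):
            return {"accepted": True, "dst": inside, "nat_rule": num}
    return {"accepted": True, "dst": dst, "nat_rule": None}
```

Running `outbound("192.168.7.20", "172.30.255.101")` shows the practical caveat: a LAN host other than the NATed server hits the masquerade rule and is not protected by the tunnel.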
