{"id":83,"date":"2011-12-29T10:11:35","date_gmt":"2011-12-29T17:11:35","guid":{"rendered":"http:\/\/blog.gptnet.net\/?p=83"},"modified":"2011-12-29T10:13:04","modified_gmt":"2011-12-29T17:13:04","slug":"connecting-2-lans-with-the-same-subnet-via-vyatta-ipsec-tunnel","status":"publish","type":"post","link":"http:\/\/blog.gptnet.net\/?p=83","title":{"rendered":"Connecting 2 LANs with the same subnet via Vyatta IPSec tunnel"},"content":{"rendered":"<p>One of our clients required to connect all of its client via VPN tunnel. Obviously, to have the highest comparability with customer&#8217;s end devices I chose IPSec. To improve security as well as have the\u00a0 lowest impact to the clients in case we had to make some changes we had the following requirement. All traffic originating from us inside IPSec tunnel had to be NATed as well as clients had to NAT all of their traffic. We used Vyatta as our VPN concentrator. I had little experience with Vyatta and found there is a luck of documentation. This document assumes you have basic knowledge of NAT and IPSec configuration of Vyatta.<\/p>\n<p><!--more--><\/p>\n<p>Basic diagram to help you visualize:<\/p>\n<p><a href=\"http:\/\/blog.gptnet.net\/wp-content\/uploads\/2011\/12\/img1.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone  wp-image-87\" title=\"img1\" src=\"http:\/\/blog.gptnet.net\/wp-content\/uploads\/2011\/12\/img1-300x75.jpg\" alt=\"\" width=\"585\" height=\"141\" \/><\/a><\/p>\n<p>First, Lets create outbound rule so your LAN can communicate with Internet (if required):<\/p>\n<p>rule 100 {<br \/>\noutbound-interface eth0<br \/>\nsource {<br \/>\naddress 192.168.7.0\/24<br \/>\n}<br \/>\ntype masquerade<br \/>\n}<br \/>\n}<\/p>\n<p>Secondly we need to NAT server to 172.30.255.100<\/p>\n<p>rule 49 {<br \/>\ndescription &#8220;Nated Server&#8221;<br \/>\ndestination {<br \/>\naddress 172.30.255.100<br \/>\n}<br \/>\ninbound-interface eth0<br \/>\ninside-address {<br \/>\naddress 192.168.7.5<br \/>\n}<br \/>\nprotocol all<br \/>\ntype destination<\/p>\n<p>Next we apply outbound NAT to all traffic designated for IPSec tunnel:<\/p>\n<p>rule 91 {<br \/>\ndestination {<br \/>\naddress 172.30.255.100\/32<br \/>\n}<br \/>\noutbound-interface eth0<br \/>\noutside-address {<br \/>\naddress 172.30.255.100<br \/>\n}<br \/>\nsource {<br \/>\naddress 192.168.7.5<br \/>\n}<br \/>\ntype source<br \/>\n}<\/p>\n<p>And finally IPSec tunnel itself:<\/p>\n<p>vpn {<br \/>\nipsec {<br \/>\nesp-group POS_ESP {<br \/>\ncompression disable<br \/>\nlifetime 28800<br \/>\nmode tunnel<br \/>\npfs enable<br \/>\nproposal 1 {<br \/>\nencryption 3des<br \/>\nhash sha1<br \/>\n}<br \/>\n}<br \/>\nike-group POS_IKE {<br \/>\nlifetime 86400<br \/>\nproposal 1 {<br \/>\ndh-group 5<br \/>\nencryption 3des<br \/>\nhash sha1<br \/>\n}<br \/>\n}<br \/>\nipsec-interfaces {<br \/>\ninterface eth0<br \/>\n}<br \/>\nsite-to-site {<br \/>\npeer 6.7.8.9 {<br \/>\nauthentication {<br \/>\nmode pre-shared-secret<br \/>\npre-shared-secret ****************<br \/>\n}<br \/>\ndescription &#8220;Client01&#8221;<br \/>\nike-group POS_IKE<br \/>\nlocal-ip 72.72.1.4<br \/>\ntunnel 1 {<br \/>\nesp-group POS_ESP<br \/>\nlocal-subnet 172.30.255.100\/32<br \/>\nremote-subnet 172.30.255.101\/32<br \/>\n}<br \/>\n}<br \/>\n}<\/p>\n<p>That&#8217;s all. You should have NATed flow of traffic inside IPSec tunnel.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of our clients required to connect all of its client via VPN tunnel. Obviously, to have the highest comparability with customer&#8217;s end devices I chose IPSec. To improve security as well as have the\u00a0 lowest impact to the clients &hellip; <a href=\"http:\/\/blog.gptnet.net\/?p=83\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[28,30,32,31,29],"class_list":["post-83","post","type-post","status-publish","format-standard","hentry","category-random-stuff","tag-ipsec","tag-nat","tag-outbound-nat","tag-same-subnet","tag-vyatta"],"_links":{"self":[{"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/posts\/83","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=83"}],"version-history":[{"count":10,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions"}],"predecessor-version":[{"id":95,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=\/wp\/v2\/posts\/83\/revisions\/95"}],"wp:attachment":[{"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=83"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=83"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.gptnet.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=83"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}