Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
IPSec tunnel with NAT

IPSec tunnel with NAT

Created: Dec 13, 2018 10:54:46Latest reply: Jun 8, 2020 06:14:46 1335 9 2 0 0
  Rewarded HiCoins: 0 (problem resolved)
View the author 1#
Hello all,


I have a scenario where I want to establish an IPSec tunnel from a AR1220 to a firewall, but, I need to NAT the LAN traffic before, because the remote LAN overlaps witht the one of the router.


Does anyone know how to approach this? I've tried to setup the scenario on eNSP but it didn't work.


Thanks.

Like (2) Dislike (0) Favorite(0) Share Report
Previous: 5G CPE Pro2
Next: How to upgrade NE40E-X2 From Bootrom?
Featured Answers

Recommended answer

(1) (0)
No.9527
Created Dec 14, 2018 07:54:17

please help confirm whether the LAN network is on AR side?
If so,
1. you should deny the ipsec tunnel segment in you acl rule which is for NAT, then apply it on the output interface
2. configure the common ipsec acl rule for your ipsec tunnel

for example:
acl number 3001
rule 5 deny ip source 172.60.60.0 0.0.0.255 destination 196.197.191.23 0
rule 10 deny ip source 172.60.60.0 0.0.0.255 destination 196.197.191.20 0
rule 15 permit ip
#
interface Cellular0/0/0
nat outbound 3001
View more
  • x
  • convention:

tolga
tolga Created Jun 8, 2020 05:10:27 (0) (0)
thanks  
All Answers
(0) (0)
2#
andsta
andsta Created Dec 13, 2018 11:02:34

Hello,

If I understand correctly you would like to creat an IPsec tunnel though NAT.
Please refer to the following link in the product documentation as a configuration example:
http://support.huawei.com/hedex/hdx.do?docid=EDOC1000163385&id=dc_cfg_ipsec_0063&text=Example%252520for%252520Establishing%252520an%252520IPSec%252520Tunnel%252520Through%252520NAT%252520Traversal&lang=en

Hope this helps.
View more
  • x
  • convention:
(1) (0)
3#
No.9527
No.9527 Created Dec 14, 2018 07:54:17

please help confirm whether the LAN network is on AR side?
If so,
1. you should deny the ipsec tunnel segment in you acl rule which is for NAT, then apply it on the output interface
2. configure the common ipsec acl rule for your ipsec tunnel

for example:
acl number 3001
rule 5 deny ip source 172.60.60.0 0.0.0.255 destination 196.197.191.23 0
rule 10 deny ip source 172.60.60.0 0.0.0.255 destination 196.197.191.20 0
rule 15 permit ip
#
interface Cellular0/0/0
nat outbound 3001
View more
  • x
  • convention:

tolga
tolga Created Jun 8, 2020 05:10:27 (0) (0)
thanks  
(0) (0)
4#
lpribeiro
lpribeiro Created Dec 14, 2018 18:58:18

Hello,

No, the purpose is not to create an IPSec tunnel with a NAT device on front. I need to NAT the LAN network before sending the traffic to the remote site, because the remote site has the same network.

In the example you have sent, it would be like having the network 10.1.0.0/24 on both sites.

Many thanks.
View more
  • x
  • convention:
(0) (0)
5#
Hawasli
Hawasli Created Dec 15, 2018 20:58:01

Need more information
View more
  • x
  • convention:
(0) (0)
6#
alfreds
alfreds Created Feb 26, 2019 06:45:27

Good Morning everyone,

I have the opposite scenario where I have established an IPSec tunnel from a AR1220 to a USG6330 firewall, but, I don't need to NAT the LAN traffic before, because the remote LAN IP addresses does not overlap,

Any solutions on this for me
View more
  • x
  • convention:
(0) (0)
7#
atif412
atif412 Created Jul 22, 2019 06:38:07

I have same issue, please help me to resolve this
View more
  • x
  • convention:
(10) (0)
8#
justinfox
justinfox Created Jun 7, 2020 23:32:04

thanks!!
View more
  • x
  • convention:
(0) (0)
9#
LilStylz237
LilStylz237 Created Jun 8, 2020 06:14:46

great
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.