Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
408
Views
0
Helpful
1
Replies

Site to site vpn behind nat'ing router

sgadsby
Level 1
Level 1

‎12-14-2004 06:14 PM - edited ‎02-21-2020 01:30 PM

Hello,

I was wondering if it is possible to set up a VPN tunnel between 2 sites? Each site would have a 16XX router behind another NATing router or Firewall, like a Linksys or a Linux box.

Thank you.

Labels:
0 Helpful
1 Reply 1

matthew.long
Level 1
Level 1

‎12-15-2004 04:24 AM

yes.....depending on your nat device

For a VPN tunnel to work you need to forward the ESP protocol and the ISAKMP Packets using statis Nat. Many cheap Nat routers don't support this type of redirection. Also, if they randomise packet numbering then this can break the VPN as well.

for example on a PIX firewall you would do

station (inside, outside) External_IP Internal_IP netmask 255.255.255.255 0 0

and then permit the IPSEC traffic through via an access list

access-list OUTSIDE_ACCESS_IN permit udp any host External_IP eq isakmp

access-list OUTSIDE_ACCESS_IN permit esp any host External_IP

Start by looking to see it the device support static nat and IPSEC Pass-thru

0 Helpful
Customers Also Viewed These Support Documents