DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

LAN to LAN VPN using specified NAT at both ends.

12 May 2020 10:16 #96173 by marcusd
Hi, I could do with a bit of help please.

I've got a few customers we need to set up new LAN to LAN VPN connections for, so they can all connect to a host, as the host is moving and the VPN which we set up previously is changing.

The host has given me basic details about the IPsec connection, such as IKEv2, ESP, Pre Shared Key, their WAN address etc.
They have specified a NAT range at their end of 100.97.2.0/28 and given me a NAT address for my end of 100.97.7.240/29 for my test connection. The form for each client just says "Your IPs should be NATed behind a carrier grade IP range (/29) in the 100.97.4.0/22 range".

Now in the past, with the current setup, we just made sure all client LAN IP ranges were different on each site, such as 192.168.25.x for one customer and 192.168.26.x for another, so we didn't need to set up these NAT addresses at each end as all subnets were unique. Now of course, they are dealing with this by using these unique NAT addresses at each end of the tunnels.

They are using a Cisco ASA cluster at their end and are not familiar with Drayteks, so can't help me with the setup. All I've been told is this.

"I’m not very familiar with Draytek devices.
Your local LAN will not change, but you will instead NAT this behind the provided 100.97.7.240/29 range.
It’s primarily used for communication between the VPN peers and we use this to avoid overlapping ranges with different customers.

Comms would flow like:
Your LAN -> NAT > Their NAT > Their LAN

You will need to create the VPN tunnel using the 100.97.x.x address ranges, and provide an outgoing NAT for your local LAN."

Any tips please? Setting up the LAN to LAN profile as I normally would doesn't appear to be working.
This is the current setup under the LAN to LAN profile page, basing it on the old setup, which left the My WAN IP and Remote Gateway IP as blank.

My WAN IP 0.0.0.0
Remote Gateway IP 0.0.0.0
Remote Network IP 100.97.2.0
Remote Network Mask 255.255.255.240/28
Local Network IP 100.97.2.240
Local Network Mask 255.255.255.248/29

Sorry, forgot to say, I'm testing this on a 2862n Vigor and will need to upgrade most of the others as they are mainly 2830s and not capable of the required IKEv2. The server end is a Cisco ASA cluster.

I'm not sure where I should be setting up these 100.97.X.X ranges for both ends, other than the setting above.

Cheers.

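The host's description above amounts to a policy-based IKEv2 tunnel whose traffic selectors are the two carrier-grade NAT ranges rather than the real LANs, with each site source-NATing its LAN behind its assigned /29. The following script is an added example (not from the post, not DrayTek code) that sanity-checks such an assignment before the profile is built: it confirms the /29 sits in RFC 6598 shared address space and inside the host's stated 100.97.4.0/22, that it does not overlap the host's own 100.97.2.0/28, works out whether the LAN can be mapped one-to-one or must be many-to-one NATed, and compares the Local Network IP/Mask typed into a profile against the assignment. The address ranges are the ones quoted in the post; the customer LAN 192.168.25.0/24 and the second customer's /29 are constructed for illustration.

```python
"""Sanity checks for a LAN-to-LAN IPsec profile that NATs behind a CGNAT /29.

Added example: not code from the forum post or from DrayTek. Ranges are
taken from the post; the customer LAN and the second /29 are constructed.
"""
from ipaddress import IPv4Network

# RFC 6598 shared address space, i.e. the "carrier grade IP range"
CGNAT_SPACE = IPv4Network("100.64.0.0/10")
# Ranges quoted in the post
HOST_POLICY_RANGE = "100.97.4.0/22"   # every client /29 must fall inside this
REMOTE_NAT = "100.97.2.0/28"          # the host's NAT range (their side)
LOCAL_NAT = "100.97.7.240/29"         # the /29 assigned to this test site


def _net(value):
    """Accept either a string such as '100.97.7.240/29' or an IPv4Network."""
    return value if isinstance(value, IPv4Network) else IPv4Network(value, strict=False)


def check_assignment(local_nat, remote_nat=REMOTE_NAT, policy_range=HOST_POLICY_RANGE):
    """Checks a site's assigned range should pass; every value must be True."""
    local, remote, policy = _net(local_nat), _net(remote_nat), _net(policy_range)
    return {
        "local_is_cgnat": local.subnet_of(CGNAT_SPACE),
        "local_is_slash29": local.prefixlen == 29,
        "local_in_policy_range": local.subnet_of(policy),
        "no_overlap_with_remote": not local.overlaps(remote),
    }


def nat_mode(lan, nat_range):
    """A LAN with more hosts than its NAT range has addresses cannot be mapped
    1:1; it has to be source-NATed (many-to-one) behind the range."""
    return "one-to-one" if _net(lan).num_addresses <= _net(nat_range).num_addresses \
        else "many-to-one"


def traffic_selectors(local_nat, remote_nat):
    """What the IKEv2 child SA negotiates with the peer: the two NAT ranges.
    The real LAN never appears in the selectors."""
    return (str(_net(local_nat)), str(_net(remote_nat)))


def profile_matches_assignment(local_ip, local_mask, assigned):
    """True only when the Local Network IP and Mask typed into a profile are
    exactly the assigned /29. A single wrong octet leaves the tunnel up but
    the selectors will not match what the peer expects."""
    try:
        typed = IPv4Network(f"{local_ip}/{local_mask}", strict=False)
    except ValueError:
        return False
    return typed == _net(assigned)


def assignments_are_disjoint(ranges):
    """Each customer's /29 must be unique; overlapping ones would collide at the
    host's NAT just as overlapping LANs would have done without NAT."""
    nets = [_net(r) for r in ranges]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    lan = "192.168.25.0/24"  # constructed customer LAN
    print(check_assignment(LOCAL_NAT))
    print(lan, "->", LOCAL_NAT, ":", nat_mode(lan, LOCAL_NAT))
    print("selectors:", traffic_selectors(LOCAL_NAT, REMOTE_NAT))
    print("profile ok:", profile_matches_assignment("100.97.7.240", "255.255.255.248", LOCAL_NAT))
    # second customer's /29 is constructed for the uniqueness check
    print("disjoint:", assignments_are_disjoint([LOCAL_NAT, "100.97.7.248/29"]))
```

Run `profile_matches_assignment` against the Local Network IP and Mask actually typed into the LAN to LAN profile; it returns False whenever any octet or the mask differs from the assigned /29, which is worth ruling out before asking the peer to look at their side. `nat_mode` makes the other point explicit: a /24 LAN behind a /29 can only be many-to-one NAT, so the host will never see individual LAN hosts, only the /29 addresses.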

12 May 2020 10:20 #96174 by marcusd
The tunnel is now up; they had the wrong WAN address at their end. It's up now.
I still can't ping or send packets to their NAT address.

I've just got to replace most of the older routers as they need IKEv2, which is only supported on 2860 and newer with updated firmware.
