
Using VPNs With NAT


This document shows how to set up different types of VPNs when you are also running Network Address Translation (NAT). It includes the following sections:

Source Address Considerations

VPN Between Two Routers With NAT on Remote Router

VPN Between a Router With NAT and a SunScreen SKIP Client

VPN Between Two Routers With NAT on Two Interfaces on Remote Router

Running VPN and NAT on Two Separate Routers at the Same Site

Note: Each of the examples in this chapter assumes you have already added an IP tunnel with SKIP and created a certificate as described in Creating an IP Tunnel With SKIP and Creating Certificates.

Source Address Considerations

OpenROUTE Networks recommends that you not manually set a source address for an IP Tunnel when you are also using NAT on the physical interface.

If you set a source address, NAT could translate the IP Tunnel's source IP address to the NAT global IP address after SKIP authentication has already computed its checksum over the original source IP address.

When the remote tunnel endpoint receives this packet, the packet will fail SKIP authentication because the packet has been "tampered with" by NAT, and the remote endpoint will discard the packet.

Using the default settings for source address avoids this situation because both the source address of the IP tunnel and the NAT global IP address automatically default to the same IP address, the address of the physical WAN interface. Therefore, NAT does not translate the source IP address.

If you must change the tunnel source address on a router running both NAT and an IP Tunnel with SKIP, you need to prevent NAT from translating the SKIP packet by

VPN Between Two Routers With NAT on Remote Router

In Figure 12, there is an IP Tunnel with SKIP running between two routers. The Remote router is running Network Address Translation (NAT) on its WAN interface.

Figure 12 VPN Between Two Routers With NAT on the Remote Router

Each router in Figure 12 has the following interfaces:

Figure 13 Routing Tables and Addressing For VPN Between Two Routers With Remote Router Running NAT

Setting Up the Router Remote

The following steps show how to configure the router Remote in Figure 13. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

1. Display the circuit configuration prompt for the IP Tunnel interface.

Config>network 6
Circuit Configuration
Circuit Config <NET-6>

2. Set a destination name for router Central.

Circuit Config <NET-6> set destination
Assign destination address name [] central

3. At the IP Tunnel prompt, assign an IP address to the destination Central.

Circuit Config <NET-6> iptnl
IP Tunnel Configuration
IP Tunnel <NET-6> set destination-address central
IP Tunnel Destination Address? 128.185.20.1
IP Tunnel <NET-6> exit

Note: You do not have to explicitly add the destination Central at the IP Tunnel prompt because you already set the destination at the Circuit Config> prompt. If you configure the IP Tunnel before you set the destination, you must add the destination at the IP Tunnel prompt using the add remote command.

4. Configure SKIP to use Central's MD5/UDH signature as the remote name included in packets sent to Central. Remote also uses the signature to request Central's UDH certificate.

The MD5/UDH signature you enter in this step is the signature that Central displayed when you created a certificate on that router.

Circuit Config <NET-6> skip
SKIP Configuration

SKIP Config <NET-6> set remote-name central md5/udh
Peer's MD5/UDH Signature? 0011-2233-4455-6677-8899-AABB-CCDD-EEFF


5. Add an IP address for the IP Tunnel interface.

Answer No to the prompt "Is this interface a tunnel to a single SKIP PC or workstation" because the router at the other end of the tunnel is providing access for a LAN, not a single PC.

SKIP Config <NET-6> exit
Circuit Config <NET-6> exit
Config> protocol ip
IP config>add address
Which net is this address for [0]? 6
New address [0.0.0.0]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): no

6. Add a default route to Interface 1, the WAN interface. Indicate that the route is a default route by entering an IP destination of 0.0.0.0 and a mask of 0.0.0.0.

IP config>add route
IP destination [0.0.0.0]?
Address mask [0.0.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.1
Cost [1]?

7. Enable NAT on Interface 1.

NAT Config>enable nat
Interface number [1]?
Default NAT interface created
NAT enabled on interface 1

8. Enable RIP or OSPF on the tunnel interface or add a static route that sends all traffic destined for the private network at the Central site, 128.185.0.0, through the tunnel interface, Interface 6. This route requires a 16-bit mask, 255.255.0.0.

IP config>add route
IP destination [0.0.0.0]?128.185.0.0
Address mask [255.255.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.6
Cost [1]?

9. Restart the router to activate the new configuration.

Setting Up the Router Central

The following steps show how to configure the router Central in Figure 13. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

Central still requires a fixed IP address (128.185.20.1) that becomes the tunnel destination address for Remote.

1. Display the circuit configuration prompt for the tunnel interface.

Config>network 6
Circuit Configuration
Circuit Config <NET-6>

2. Optionally, set the name of the remote site to which this IP tunnel connects. If you have multiple remote sites sharing IP tunnels, do not set a specific destination for the tunnel. As remote sites dial in, the router assigns tunnels on a first-come, first-served basis.

Note: You do not need to know the address of the remote site. SKIP identifies the remote site by mapping the SKIP MD5/UDH signature in each packet to the name the administrator of the remote site assigned. In this case, that name is Remote.

Circuit Config <NET-6> set destination
Assign destination address name [ ]? remote

3. Set the other router's certificate signature as the name SKIP expects in packets from the remote destination.

Circuit Config <NET-6> skip
SKIP Configuration

SKIP Config <NET-6> set remote-name remote md5/udh
Peer's MD5/UDH Signature? 8033-CCC1-87DB-8367-FAAB-52A2-03A2-1BAE

Note: You do not need to explicitly add the remote destination name to the SKIP configuration because you set the destination to Remote at the Circuit Config> prompt.

4. To cause Central to identify itself to Remote, set the local router name to the signature of Central's local 1024-bit UDH certificate.

SKIP Config <NET-6> set local-name default local/udh 1024

Note: Since this example uses default, this setting is the default for all SKIP tunnels that this router originates.

5. Assign an IP address to the IP tunnel interface.

SKIP Config <NET-6> exit
Circuit Config <NET-6> exit
Config>protocol ip
Internet protocol user configuration

IP config>add address
Which net is this address for [0]? 6
New address [0.0.0.0]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): no

6. Add a default route to Interface 1, the WAN interface. Indicate that the route is a default route by entering an IP destination of 0.0.0.0 and a mask of 0.0.0.0.

IP config>add route
IP destination [0.0.0.0]?
Address mask [0.0.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.1
Cost [1]?

7. Enable RIP or OSPF on the tunnel interface or add a static route that sends all traffic destined for the private network at the Remote site, 10.10.2.0, through the tunnel interface, Interface 6. This route requires a 24-bit mask, 255.255.255.0.

IP config>add route
IP destination [0.0.0.0]?10.10.2.0
Address mask [255.255.0.0]?255.255.255.0
Via gateway at [0.0.0.0]? 0.0.0.6
Cost [1]?

8. Restart the router to activate the new configuration.

VPN Between a Router With NAT and a SunScreen SKIP Client

In Figure 14, a remote PC securely accesses the protected network using SunScreen SKIP for Windows.

Figure 14 VPN with SunScreen SKIP for Windows

In this configuration, the remote user runs SunScreen SKIP for Windows to access the protected LAN (at 10.30.3.0) over a tunnel that ends at 128.185.30.2.

IP addressing in this setup works as follows:

Figure 15 Routing Tables and Addressing For a Router Running VPN with NAT Connecting to a SunScreen SKIP PC

Configuring SunScreen SKIP for Windows

Follow the instructions that Sun Microsystems provides to install and set up SunScreen SKIP for Windows. In particular, make sure you configure the following using the SunScreen SKIP software.

You must use SunScreen SKIP in its Tunnel Mode.

1. Set the password required to enable SKIP on the PC.

2. Create a private key and its associated public certificate.

The software displays the MD5 signature of the certificate. In Figure 15, the example value SunScreen SKIP displays is 0011-2233-4455-6677-8899-AABB-CCDD-EEFF. You enter this number in the router configuration later.

3. In the SKIP Access Manager, do the following:

a. Select the interface (LAN or WAN) that needs SKIP.
b. Enable SKIP on the interface and add the remote network that SKIP accesses. In Figure 15, this network is 10.30.3.0.
c. Select the type Network. This is important: OpenROUTE does not support the Host type. Fill in the following:

- Network accessed via SKIP, 10.30.3.0 in this example

- Security type, SKIP

- Tunnel endpoint address, 128.185.30.2 in this example

- NetMask, 255.255.255.0 in this example

4. Enter the router's MD5/UDH signature as the certificate the Sun SunScreen software requires. (8033-CCC1-87DB-8367-FAAB-52A2-03A2-1BAE.)

5. Select MD5/UDH as the local key type. This is required because the router identifies the PC by the MD5 signature of the PC's certificate.

6. SunScreen SKIP requests the router's certificate as soon as you are done configuring the client PC, so the PC must have access to the router over the network.

Setting Up the Router

The following steps show how to configure the router in Figure 14 and in Figure 15. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

1. Display the SKIP configuration prompt for the IP Tunnel interface.

Config>network 6
Circuit Configuration
Circuit Config <NET-6> skip
SKIP Configuration
SKIP Config <NET-6>

2. Add the name of the remote user, jimmy in this example, as a destination in SKIP.

SKIP Config <NET-6> add remote jimmy

3. Enter the signature of jimmy's certificate as the remote name the router uses when sending packets to jimmy. The administrator of the destination jimmy supplies the signature.

SKIP Config <NET-6> set remote-name jimmy md5/udh
Peer's MD5/UDH Signature? 0011-2233-4455-6677-8899-AABB-CCDD-EEFF

4. Set the local name of the router as the signature of the router's 512-bit UDH certificate. (The router uses the MD5 signature of the certificate as the router's local name.)

SKIP Config <NET-6> set local-name jimmy local/udh 512

5. Exit the SKIP configuration and display the IP configuration prompt.

SKIP Config <NET-6> exit
Circuit Config <NET-6> exit
Config>protocol ip
Internet protocol user configuration
IP config>

6. Assign an IP address to the IP tunnel interface. You assign the address of the remote client so that the router sends packets to that client through the tunnel rather than directly over the Internet.

Since the SKIP client in this example uses a dynamically assigned IP address, add a dynamic IP address to the SKIP interface. To do so, use 0.0.0.n, where n is the interface number. Answer Yes to the prompt, "Is this interface a tunnel to a single SKIP PC or workstation." (See IP Addressing on Interfaces That Connect to a SunScreen SKIP for Windows Client.)

IP config>add address
Which net is this address for [0]? 6
New address [0.0.0.0]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): yes

7. Add a default route to Interface 1, the WAN interface. Indicate that the route is a default route by entering an IP destination of 0.0.0.0, and a mask of 0.0.0.0.

IP config>add route
IP destination [0.0.0.0]?
Address mask [0.0.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.1
Cost [1]?

8. Enable NAT on Interface 1.

NAT Config>enable nat
Interface number [1]?
Default NAT interface created
NAT enabled on interface 1

9. Restart the router to activate the new configuration so that the PC user can connect.

VPN Between Two Routers With NAT on Two Interfaces on Remote Router

Figure 16 is similar to the VPN Between Two Routers With NAT on Remote Router example, except that the router Remote is running NAT on two interfaces, its physical WAN interface and its IP Tunnel interface.

In this example, the router Remote simulates a single SKIP PC connection to the router Central. The advantage of this configuration is that if you have many remote sites connecting to a central site router, you do not have to set up static routes on the central router to each remote site. You also do not need to have non-overlapping private IP addresses on your remote sites because NAT hides those private addresses from other sites. For this configuration to work, the remote sites must always initiate sessions to the central site.

Figure 16 VPN Between Two Routers With NAT on Two Interfaces on Remote Router

Each router in Figure 16 has the following interfaces:

Figure 17 VPN Between Two Routers With Remote Router Running NAT on Two Interfaces

Setting Up the Router Remote

The following steps show how to configure the router Remote in Figure 17. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

1. Display the circuit configuration prompt for the IP Tunnel interface.

Config>network 6
Circuit Configuration
Circuit Config <NET-6>

2. Set a destination name for router Central.

Circuit Config <NET-6> set destination
Assign destination address name [] central

3. At the IP Tunnel prompt, assign an IP address to the destination Central.

Circuit Config <NET-6> iptnl
IP Tunnel Configuration
IP Tunnel <NET-6> set destination-address central
IP Tunnel Destination Address? 128.185.30.1
IP Tunnel <NET-6> exit

Note: You do not have to add the destination Central at the IP Tunnel prompt because you already set the destination at the Circuit Config> prompt. If you configure the IP Tunnel before you set the destination, you must add the destination at the IP Tunnel prompt using the add remote command.

4. Configure SKIP to use Central's MD5/UDH signature as the remote name included in packets sent to Central. Remote also uses the signature to request Central's UDH certificate.

The MD5/UDH signature you enter in this step is the signature that Central displayed when you created a certificate on that router.

Circuit Config <NET-6> skip
SKIP Configuration

SKIP Config <NET-6> set remote-name central md5/udh
Peer's MD5/UDH Signature? 0011-2233-4455-6677-8899-AABB-CCDD-EEFF


5. Add an IP address for the IP tunnel interface.

Answer No to the prompt "Is this interface a tunnel to a single SKIP PC or workstation" because the router at the other end of the tunnel is providing access for a LAN, not a single PC.

SKIP Config <NET-6> exit
Circuit Config <NET-6> exit
Config> protocol ip
IP config>add address
Which net is this address for [0]? 6
New address [0.0.0.0]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): no

6. Add a default route to Interface 1, the WAN interface. Indicate that the route is a default route by entering an IP destination of 0.0.0.0 and a mask of 0.0.0.0.

IP config>add route
IP destination [0.0.0.0]?
Address mask [0.0.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.1
Cost [1]?

7. Enable NAT on Interface 1, the WAN interface.

NAT Config>enable nat
Interface number [1]?
Default NAT interface created
NAT enabled on interface 1

8. Enable NAT on Interface 6, the Tunnel interface.

NAT Config>enable nat
Interface number [6]?
Default NAT interface created
NAT enabled on interface 6

9. Add a static route that sends all traffic destined for the private network at the Central site, 128.185.0.0, through the tunnel interface, Interface 6. This route requires a 16-bit mask, 255.255.0.0.

IP config>add route
IP destination [0.0.0.0]?128.185.0.0
Address mask [255.255.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.6
Cost [1]?

10. Restart the router to activate the new configuration.
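The following added example (not OpenROUTE code) models what steps 6 through 9 produce on the router Remote: longest-prefix route selection over the two routes above, source NAT on both Interface 1 and Interface 6, and a session table that explains why the remote site must initiate every session. The global address 192.0.2.10 and the host and server addresses are constructed; a real NAT would also remap colliding source ports, which is omitted here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Router Remote's forwarding table from the procedure (interface numbers stand in for 0.0.0.1 / 0.0.0.6).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), 1),        # default route via Interface 1, the WAN
    (ipaddress.ip_network("128.185.0.0/16"), 6),   # Central's network via Interface 6, the tunnel
]
NAT_INTERFACES = {1, 6}         # steps 7 and 8: NAT enabled on the WAN and the tunnel interface
GLOBAL_ADDR = "192.0.2.10"      # constructed: Remote's single global address (WAN = tunnel source)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int


class RemoteRouter:
    """Longest-prefix routing plus a stateful source-NAT table (ports kept as-is)."""

    def __init__(self, global_addr: str = GLOBAL_ADDR):
        self.global_addr = global_addr
        self.sessions = {}   # (global src, sport, dst, dport) -> private source address

    def egress_interface(self, dst: str) -> int:
        addr = ipaddress.ip_address(dst)
        matches = [(net, ifc) for net, ifc in ROUTES if addr in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def outbound(self, flow: Flow) -> Tuple[int, Flow]:
        """Private host -> Internet or Central. Returns (egress interface, translated flow)."""
        ifc = self.egress_interface(flow.dst)
        if ifc in NAT_INTERFACES:
            self.sessions[(self.global_addr, flow.sport, flow.dst, flow.dport)] = flow.src
            flow = Flow(self.global_addr, flow.dst, flow.sport, flow.dport)
        return ifc, flow

    def inbound(self, flow: Flow, ifc: int) -> Optional[Flow]:
        """Packet arriving on interface ifc: translate back to the private host if a
        session exists, otherwise drop it (None) because NAT has nothing to map it to."""
        if ifc not in NAT_INTERFACES:
            return flow
        private = self.sessions.get((flow.dst, flow.dport, flow.src, flow.sport))
        if private is None:
            return None
        return Flow(flow.src, private, flow.sport, flow.dport)


def demo():
    r = RemoteRouter()
    # A host on Remote's LAN opens a session to a server at Central (constructed addresses).
    ifc, out = r.outbound(Flow("10.10.2.5", "128.185.30.50", 40000, 80))
    reply = r.inbound(Flow("128.185.30.50", GLOBAL_ADDR, 80, 40000), ifc)
    # Central tries to reach the same host first: no session, so the packet is dropped.
    unsolicited = r.inbound(Flow("128.185.30.50", GLOBAL_ADDR, 1234, 22), 6)
    # Ordinary Internet traffic leaves via the WAN default route, also translated.
    wan_ifc, wan_out = r.outbound(Flow("10.10.2.5", "198.51.100.7", 40001, 443))
    return ifc, out, reply, unsolicited, wan_ifc, wan_out
```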

Setting Up the Router Central

The following steps show how to configure the router Central. These steps assume you have already created a tunnel, enabled SKIP, and created a certificate on each router. If you haven't, see Creating an IP Tunnel With SKIP and Creating Certificates.

Central requires a fixed IP address (128.185.30.1) that becomes the tunnel destination address for Remote.

1. Display the circuit configuration prompt for the tunnel interface.

Config>network 6
Circuit Configuration
Circuit Config <NET-6>

2. Optionally, set the name of the remote site to which this IP tunnel connects. If you have multiple remote sites sharing IP tunnels, do not set a specific destination for the tunnel. As remote sites dial in, the router assigns tunnels on a first-come, first-served basis.

Note: You do not need to know the address of the remote site. SKIP identifies the remote site by mapping the SKIP MD5/UDH signature in each packet to the name the administrator of the remote site assigned. In this case, that name is Remote.

Circuit Config <NET-6> set destination
Assign destination address name [ ]? remote

3. Set the other router's certificate signature as the name SKIP expects in packets from the remote destination.

Circuit Config <NET-6> skip
SKIP Configuration

SKIP Config <NET-6> set remote-name remote md5/udh
Peer's MD5/UDH Signature? 8033-CCC1-98DB-8367-FAAB-52A2-03A2-1BAE

Note: You do not need to explicitly add the remote destination name to the SKIP configuration because you set the destination to Remote at the Circuit Config> prompt.

4. To cause Central to identify itself to Remote, set the local router name to the signature of Central's local 1024-bit UDH certificate.

SKIP Config <NET-6> set local-name default local/udh 1024

Note: Since this example uses default, this setting is the default for all SKIP tunnels that this router originates.

5. Assign an IP address to the IP tunnel interface. You assign the address of the remote client so that the router sends packets to that client over the tunnel rather than directly over the Internet.

Since the SKIP client in this example uses a dynamically assigned IP address, add a dynamic IP address to the SKIP interface. To do so, use 0.0.0.n, where n is the interface number.

Even though this tunnel connects to a router and not a single PC, answer Yes to the prompt, "Is this interface a tunnel to a single SKIP PC or workstation." Because NAT is running on both the physical WAN interface and the IP Tunnel interface on the Remote router, the remote site uses only one global IP address. The remote site therefore simulates a single SKIP PC connection to the central site. (See IP Addressing on Interfaces That Connect to a SunScreen SKIP for Windows Client.)

SKIP Config <NET-6> exit
Circuit Config <NET-6> exit
Config>protocol ip
Internet protocol user configuration

IP config>add address
Which net is this address for [0]? 6
New address [0.0.0.0]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): yes

6. Add a default route to Interface 1, the WAN interface. Indicate that the route is a default route by entering an IP destination of 0.0.0.0 and a mask of 0.0.0.0.

IP config>add route
IP destination [0.0.0.0]?
Address mask [0.0.0.0]?
Via gateway at [0.0.0.0]? 0.0.0.1
Cost [1]?

7. Restart the router to activate the new configuration.

Running VPN and NAT on Two Separate Routers at the Same Site

In some cases you may wish to run NAT and VPN on two separate routers. For performance or administrative reasons, you may want one router to handle encryption and compression and the other router to handle NAT. Figure 18 shows the IP addresses at a site that has a NAT router and a VPN router.

Figure 18 VPN Between Two Routers With NAT on the Remote Router

In order for SKIP authentication to work in this case, you need several public IP addresses. When you configure NAT, you need to add a fixed one-to-one no-translation address mapping so that NAT does not translate the address of the VPN router.

To set up this mapping, enter

NAT Config>add fixed-ip-mappings
Public outside address [0.0.0.0]? 128.185.20.2
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 128.185.20.2

By setting the outside and inside addresses to the same value, you essentially cause NAT to not translate this address.
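The following added example (not OpenROUTE or SKIP code) simulates the ordering problem from Source Address Considerations and the no-translation mapping described just above: SKIP stamps the packet with an authenticator over the outer addresses before NAT runs on the physical interface, so any source translation makes the peer reject the packet. SKIP's real authentication is modelled as a keyed MAC with a constructed shared key, and the NAT router's own global address 128.185.20.3 is constructed; the other addresses are the page's.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Addresses from the page's figures; NAT_GLOBAL is constructed for the two-router case.
PEER = "128.185.20.1"        # tunnel destination (router Central)
WAN_ADDR = "128.185.20.2"    # single router: WAN address = default tunnel source = NAT global
VPN_ADDR = "128.185.20.2"    # two routers: the VPN router's fixed address behind the NAT router
NAT_GLOBAL = "128.185.20.3"  # constructed: the separate NAT router's own global address

# Hypothetical shared key: real SKIP derives packet keys from the peers' Diffie-Hellman
# certificates, but a fixed key is enough to show how NAT breaks the authenticator.
SHARED_KEY = b"constructed-demo-key"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    auth: bytes = b""


def _mac(pkt: Packet) -> bytes:
    # The authenticator covers the outer source and destination addresses and the payload.
    data = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def skip_authenticate(pkt: Packet) -> Packet:
    """Sending SKIP endpoint: stamp the packet with its authenticator."""
    return replace(pkt, auth=_mac(pkt))


def skip_verify(pkt: Packet) -> bool:
    """Receiving SKIP endpoint: recompute over the packet exactly as it arrived."""
    return hmac.compare_digest(_mac(pkt), pkt.auth)


def nat_outbound(pkt: Packet, global_addr: str, fixed_mappings: dict) -> Packet:
    """Outbound NAT: rewrite the source to the global address unless a fixed one-to-one
    mapping pins it (mapping an address to itself means 'do not translate')."""
    return replace(pkt, src=fixed_mappings.get(pkt.src, global_addr))


def deliver(tunnel_src: str, nat_global: str, fixed_mappings=None) -> bool:
    """SKIP authenticates first, then NAT runs on the physical interface;
    return whether the remote tunnel endpoint accepts the packet."""
    pkt = skip_authenticate(Packet(src=tunnel_src, dst=PEER, payload=b"inner IP packet"))
    pkt = nat_outbound(pkt, nat_global, fixed_mappings or {})
    return skip_verify(pkt)


if __name__ == "__main__":
    # Default settings: tunnel source and NAT global address coincide, so NAT changes nothing.
    print("default source:", deliver(WAN_ADDR, WAN_ADDR))                     # True
    # Manually set private source: NAT rewrites it after SKIP signed, so the peer discards it.
    print("manual source:", deliver("10.10.2.1", WAN_ADDR))                   # False
    # Separate NAT router with no no-translation mapping for the VPN router's address.
    print("two routers, no mapping:", deliver(VPN_ADDR, NAT_GLOBAL))          # False
    # The fix above: add fixed-ip-mappings 128.185.20.2 -> 128.185.20.2.
    print("two routers, mapped:", deliver(VPN_ADDR, NAT_GLOBAL, {VPN_ADDR: VPN_ADDR}))  # True
```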




docs@openroute.com
Copyright © 1999, OpenROUTE Networks, Inc. All rights reserved.