In this article, we will describe how to configure Port forwarding in an IPsec VPN tunnel with the overlapped network on the router`s inside interface.
Sometimes it is necessary to provide access to hosts through the IPsec VPN on the remote sites, but either the remote subnet overlaps with the local IP range or, for security reasons, it is undesirable to have access to hosts directly.
In this case, it is possible to create a port forwarding rule on the inside interface of a remote VPN router. This article explains how to setup such a configuration on a Digi DAL router.
- Firstly, we need to set up a fake IP address on the remote router by which we will get access to the remote hosts.
To perform this task, we setup a static route to a fake network through the router`s local LAN interface.
- Add this network to the traffic selector policy that defines the network traffic that will be encapsulated by this VPN tunnel.
- Next, we must create a custom firewall rule which replaces the LAN`s IP address of the packet forwarded to the remote site(in this example, we use subnet 192.168.168.0/24 on the remote side of the VPN tunnel)
iptables -t nat -A PREROUTING -i ipsec_TO_IX20W -d 192.168.41.1/32 -j NETMAP --to 192.168.168.0/24
iptables -t nat -I POSTROUTING -o ipsec_TO_IX20W -s 192.168.168.0/24 -j NETMAP --to 192.168.41.1/32
- Don`t forget to allow access to the local network from the IPsec Zone.
- Next, we must add port forwarding rules to the services on the hosts behind the LAN interface. In this example, we push SSH and HTTPS traffic to the host behind the local interface of the Digi router.
iptables -t nat -I PREROUTING -d 192.168.41.1 -m tcp -p tcp --dport 9001 -j DNAT --to-destination 192.168.168.54:22
iptables -t nat -I PREROUTING -d 192.168.41.1 -m tcp -p tcp --dport 9443 -j DNAT --to-destination 192.168.168.54:443
Below is the final configuration of the custom firewall rules for such deployment.
Last updated:
Jan 01, 2024