Before going further into the technical aspects, it is good to introduce two scenarios.
- Branch Office VPN : This term is typically used to connect offices of an organization over public Internet with IPsec VPN security.
- Partner VPN : This term is typically used to connect some part of network or machine(s) with partner network securely using IPsec VPN.
While connecting with Partners, one can't assume that the private networks of partners are unique. It is very much possible that both the networks might have same private IP address networks. Hence the IPsec VPN must always happen with public IP addresses. In this case, typically source NAT is applied before IPsec VPN is applied on the packet. Source NAT translated the local network IP addresses to public IP address and the IPsec sessions negotiated with public IP addresses.
Note that it is also possible that a given a branch office VPN router, not only used to connect to the other offices of the organization, nut also connect partner networks. So, VPN routers must be able to support multiple site-to-site VPN within its organization, but also support site-to-site VPN with partner networks.
Let us take a simple scenarios where one secure gateway is securing 10.1.5.0/24 network. It is expected to securely connect to its head office VPN router which is securing 10.1.6.0/24 network. Let us also say that this router is expected to secure traffic to/from two machines on its local network (say 10.1.5.5 and 10.1.5.6) with three partner machines in partner network. For this purpose, let us say that two public IP addresses are allocated for the local security gateway - 22.214.171.124 and 126.96.36.199. Let us also say that partner provided IP address to connect to the partner machines - 188.8.131.52, 184.108.40.206 and 220.127.116.11.
On the security gateway, following NAT rules are required:
- Source Range: 10.1.5.5 - 10.1.5.6, Destination Range: 18.104.22.168-22.214.171.124, Apply Source One-to-One NAT with 126.96.36.199 - 188.8.131.52 : This rule does source NAT on the connections that are originated from local network identified by source. It replaces source IP of the packet it is receiving from local network if it matches with 10.1.5.5-10.1.5.6 range and if destination IP is in the range of 184.108.40.206 - 220.127.116.11. NAT IP address are given as 18.104.22.168 - 22.214.171.124. Since it is One-to-One NAT, it replaces 10.1.5.5 with 126.96.36.199 and 10.1.5.6 with 188.8.131.52.
- Source Range: 184.108.40.206 - 220.127.116.11, Destination Range: 18.104.22.168 - 22.214.171.124, Apply Destination One-to-One NAT with 10.1.5.5 - 10.1.5.6: This rule is applied for connections that are originated by partner network. It translated destination IP so that the connections land at the right machines in local network.
- Branch office VPN rule: Source: 10.1.5.0/24 Destination 10.1.6.0/24 Apply Security (Algorithms and proposals are not shown here).
- Partner Office VPN rule: Source : 126.96.36.199-188.8.131.52 Destination : 184.108.40.206 - 220.127.116.11, Apply Security.