NAT and IPsec - Application sequence

To my surprise, after so many years of IPsec deployments,  I keep hearing questions related to NAT and IPsec.  It appears that there is some confusion still on the sequence of operations between NAT and IPsec. That is why I thought I will write a blob on this subject.

Before going further into the technical aspects, it is good to introduce two scenarios.

• Branch Office VPN :  This term is typically used to connect offices of an organization over public Internet with IPsec VPN security.
• Partner VPN :  This term is typically used to connect some part of network or machine(s) with partner network securely using IPsec VPN.

If IPsec VPN is being used to secure networks of different offices of same organization, one can assume that the private IP addresses of different networks are unique within the organization.  Hence IPsec VPN can be applied on the private networks of offices.

While connecting with Partners,  one can't assume that the private networks of partners are unique. It is very much possible that both the networks might have same private IP address networks.  Hence the IPsec VPN must always happen with public IP addresses.  In this case, typically source NAT is applied before IPsec VPN is applied on the packet.  Source NAT translated the local network IP addresses to public IP address and the IPsec sessions negotiated with public IP addresses.

Note that it is also possible that a given a branch office VPN router, not only used to connect to the other offices of the organization, nut also connect partner networks. So, VPN routers must be able to support multiple site-to-site VPN within its organization, but also support site-to-site VPN with partner networks.

Let us take a simple scenarios where one secure gateway  is securing 10.1.5.0/24 network. It is expected to securely connect to its head office VPN router which is securing 10.1.6.0/24 network. Let us also say that  this router is expected to secure traffic to/from two machines on its local network (say 10.1.5.5 and 10.1.5.6) with three partner machines in partner network.  For this purpose, let us say that two public IP addresses are allocated for the local security gateway -  190.1.2.2 and 190.1.2.3.   Let us also say that partner provided IP address to connect to the partner machines -  191.1.2.2,  191.1.3.3 and 191.1.2.4.

On the security gateway, following NAT rules are required:

• Source Range:  10.1.5.5 - 10.1.5.6,  Destination Range:  191.1.2.2-192.1.2.4,  Apply Source One-to-One NAT with 190.1.2.2 - 190.1.2.3 :   This rule does source NAT  on the connections that are originated from local network identified by source. It replaces source IP of the packet it is receiving from local network if it matches with 10.1.5.5-10.1.5.6 range and if destination IP is in the range of  191.1.2.2 - 192.1.2.4.  NAT IP address are given as 190.1.2.2 - 190.1.2.3.  Since it is One-to-One NAT,  it replaces 10.1.5.5 with 190.1.2.2 and 10.1.5.6 with 190.1.2.3.
• Source Range:  191.1.2.2 - 192.1.2.4, Destination Range:  190.1.2.2 - 190.1.2.3, Apply Destination One-to-One NAT with 10.1.5.5 - 10.1.5.6:  This rule is applied for connections that are originated by partner network.  It translated destination IP so that the connections land at the right machines in local network.

IPsec policy rules would look like this:

•  Branch office VPN rule:  Source:  10.1.5.0/24  Destination 10.1.6.0/24 Apply Security (Algorithms and proposals are not shown here).
•  Partner Office VPN rule:   Source :  190.1.2.2-190.1.2.3  Destination :  191.1.2.2 - 192.1.2.4, Apply Security. 

I hope I could make it clear on how NAT and IPsec can be used to connect with partner network. Note that private IP addresses can be used to talk to partner network too as long as administrators of both organizations ensure that there are no duplicate private IP addresses in their networks that need communication.