# IPSec VPN LAN-LAN (Site-Site) for site with dynamic gray IP behind NAT



## Selin (Nov 9, 2017)

Hi
There is a case:
 - HQ with fixed white IP
 - Site with dynamic gray IP behind NAT (!!!)
Need to set up an IPSec VPN LAN-LAN to connect the site to HQ.
I've tried Racoon and succeeded in establishing the IPSec connection, but the LAN-LAN connection wasn't established.
The same with StrongSwan - I can see the IPSec tunnel connection established, but it has no IPs, etc.
Are there any man pages, how-tos, whatever to solve the case?

The solutions with PPTP and L2TP/IPSec worked properly (with MPD5 + IPSec/Racoon) until the provider blocked PPTP and L2TP (on the site side).

Thanks for any help.


----------



## obsigna (Nov 10, 2017)

I maintain IPsec tunnels between a few sites. The VPN nodes are running FreeBSD 11.1-RELEASE and some are behind a NAT. I use security/strongswan for IPsec setup and establishing the tunnels. The sites behind NAT initiate the IPsec connection to those sites with a public IP. I use shared secrets.

strongSwan is quite easy to set up. On each site, three files need to be edited:

*Site A* (the initiator – may be behind NAT)
/usr/local/etc/ipsec.conf

```
conn Example-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   leftid = ipsec@siteA.example.com
   leftsubnet = 192.168.1.0/24

   rightauth = psk
   rightid = ipsec@siteB.example.com
   right = siteB.example.com
   rightsubnet = 192.168.0.0/24

   auto = start
```
/usr/local/etc/ipsec.secrets

```
: PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"
```
/etc/rc.conf

```
...
strongswan_enable="YES"
...
```

*Site B* (the listener – if behind NAT, then UDP ports 500 and 4500 must be NAT redirected on the gateway)
/usr/local/etc/ipsec.conf

```
conn Example-PSK
   keyexchange = ikev2
   mobike = no

   leftauth = psk
   left = %defaultroute
   leftid = ipsec@siteB.example.com
   leftsubnet = 192.168.0.0/24

   rightauth = psk
   rightid = ipsec@siteA.example.com
   right = %any
   rightsubnet = 192.168.1.0/24

   auto = add
```
/usr/local/etc/ipsec.secrets

```
ipsec@siteA.example.com : PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"
```
/etc/rc.conf

```
...
strongswan_enable="YES"
static_routes="IPsecVPN"
route_IPsecVPN="-net 192.168.1.0/24 192.168.0.1"
...
```
Here 192.168.0.1 is the default router on site B.

There is one obstacle that I needed to address on the initiator sites. On site A, when starting up the system, the strongSwan rc script /usr/local/etc/rc.d/strongswan would try to initiate an IPsec connection before DNS is ready. I modified the script on line 6, exchanging `# BEFORE: LOGIN` for `# REQUIRE: LOGIN`. Without this change, the remote server could be addressed by its IP only -- the `right` directive in the respective ipsec.conf(5) file.

Now start strongSwan on site A first – `service strongswan start`, then the same on site B. Provided the firewall settings do not block the tunnels, you can ping the LAN of site A from site B and vice versa.
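The two configurations above only work because they mirror each other exactly: site A's `leftid`/`leftsubnet` are site B's `rightid`/`rightsubnet`, the listener accepts `%any` and waits with `auto = add`, both sides resolve the same PSK for the peer identity, and site B's LAN has a static route for site A's subnet. The following Python checker is an added example, not code from this thread or from the strongSwan project: it parses both ipsec.conf(5) files, the ipsec.secrets(5) entries and site B's rc.conf route line, and reports every mismatch. The sample texts are constructed from the post above (the PSK is the placeholder shown there); the parser handles only the indented `key = value` layout of `conn` sections and PSK secrets, which is all the post uses.

```python
"""Consistency check for a mirrored strongSwan site-to-site (LAN-LAN) pair.

Added example, not from the thread: verifies that an initiator (site A,
possibly behind NAT) and a listener (site B, public IP) agree with each other.
"""
import re

# Constructed sample inputs, taken from the configuration shown in the post.
SITE_A_CONF = """\
conn Example-PSK
   keyexchange = ikev2
   leftid = ipsec@siteA.example.com
   leftsubnet = 192.168.1.0/24
   rightid = ipsec@siteB.example.com
   right = siteB.example.com
   rightsubnet = 192.168.0.0/24
   auto = start
"""
SITE_A_SECRETS = ': PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"\n'   # placeholder PSK from the post

SITE_B_CONF = """\
conn Example-PSK
   keyexchange = ikev2
   left = %defaultroute
   leftid = ipsec@siteB.example.com
   leftsubnet = 192.168.0.0/24
   rightid = ipsec@siteA.example.com
   right = %any
   rightsubnet = 192.168.1.0/24
   auto = add
"""
SITE_B_SECRETS = 'ipsec@siteA.example.com : PSK "f9PG04Z2FgxzTmqqKk0cdp7CNM2Mgww"\n'
SITE_B_RC_CONF = ('strongswan_enable="YES"\nstatic_routes="IPsecVPN"\n'
                  'route_IPsecVPN="-net 192.168.1.0/24 192.168.0.1"\n')


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}: 'conn NAME' in column 0 starts a section,
    indented 'key = value' lines fill it; other top-level sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # new top-level section
            m = re.match(r"^conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns


def parse_secrets(text):
    """Return [(selector_ids, psk)] per PSK line; empty selectors match any ID."""
    out = []
    for raw in text.splitlines():
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', raw.split("#", 1)[0].strip())
        if m:
            out.append((m.group(1).split(), m.group(2)))
    return out


def find_psk(secrets, peer_id):
    """First PSK whose selector list is empty or names the peer ID, else None."""
    for selectors, psk in secrets:
        if not selectors or peer_id in selectors:
            return psk
    return None


def route_covers(rc_conf, subnet):
    """True if some route_<name>="..." line in rc.conf(5) lists the subnet."""
    for raw in rc_conf.splitlines():
        m = re.match(r'^route_\w+="([^"]*)"', raw.strip())
        if m and subnet in m.group(1).split():
            return True
    return False


def check_pair(conn, a_conf, a_secrets, b_conf, b_secrets, b_rc_conf):
    """Return a list of problems; an empty list means the two sides are consistent."""
    a = parse_ipsec_conf(a_conf)[conn]          # initiator (may be behind NAT)
    b = parse_ipsec_conf(b_conf)[conn]          # listener with the public IP
    problems = []
    # Identities and subnets are mirrored: A's left side is B's right side.
    for ka, kb in (("leftid", "rightid"), ("rightid", "leftid"),
                   ("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if a.get(ka) != b.get(kb):
            problems.append(f"initiator {ka}={a.get(ka)!r} vs listener {kb}={b.get(kb)!r}")
    if a.get("keyexchange") != b.get("keyexchange"):
        problems.append("keyexchange differs between the two sides")
    # The listener cannot know the dynamic address, so it must accept %any and
    # wait (auto = add) while the initiator dials out (auto = start).
    if b.get("right") != "%any":
        problems.append("listener must use right = %any for a dynamic peer")
    if a.get("auto") != "start" or b.get("auto") != "add":
        problems.append("expected auto = start on the initiator and auto = add on the listener")
    # Both sides must resolve the same PSK for this peer pair.
    psk_a = find_psk(parse_secrets(a_secrets), a.get("rightid"))
    psk_b = find_psk(parse_secrets(b_secrets), b.get("rightid"))
    if psk_a is None or psk_b is None:
        problems.append("no PSK entry applies to the peer identity on one side")
    elif psk_a != psk_b:
        problems.append("PSK values differ between the two sides")
    # Site B's LAN needs a static route to reach the remote subnet via the VPN node.
    if not route_covers(b_rc_conf, a.get("leftsubnet", "")):
        problems.append(f"listener rc.conf has no static route for {a.get('leftsubnet')}")
    return problems


if __name__ == "__main__":
    for p in check_pair("Example-PSK", SITE_A_CONF, SITE_A_SECRETS,
                        SITE_B_CONF, SITE_B_SECRETS, SITE_B_RC_CONF) or ["OK"]:
        print(p)
```

Run it against the real files before bringing a tunnel up: a typo in one `rightsubnet` or a PSK line whose selector does not name the initiator's `leftid` produces exactly the symptom from the first post, an IKE SA that comes up with no working LAN-to-LAN traffic behind it.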


----------



## Crest (Nov 15, 2017)

I would use strongSwan to protect a GRE or IPIP tunnel with IPsec in transport mode and NAT-T as required. Use a leftupdown script to move the tunnel endpoints and a firewall (IPFW or PF) to prevent traffic leaks.


----------

