In larger networks that use VPNs, it can be necessary to mask a source subnet in order to avoid IP-addressing conflicts. This is known as a Source NAT (SNAT) setup. This tutorial shows how to configure a USG device for such an SNAT setup.
With this tutorial you can "mask" your local subnet, or avoid subnet overlapping when the same subnet is used on the remote site of the VPN tunnel. It requires that the VPN Gateway (IPsec Phase 1) has already been set up:
- Log in to the unit by entering its IP address and the credentials of an admin account (by default, the username is "admin" and the password is "1234"; change this default password on any unit that is in production)
- Navigate to Configuration > VPN > IPSec VPN > VPN Connection and add a new VPN Connection using the "Add" button
- Use the "Create new Object" button to create a new object of the Address Type "Subnet". Make sure this subnet does not conflict with any subnet on your own or on the remote site, and give it the same size (prefix length) as your real local subnet so that every local host can be mapped to exactly one address in it
- Choose this “fake” subnet as your “Local policy” in the VPN Connection
- Now use the "Create new Object" button to create an object for the remote site's subnet and choose it as your "Remote policy" in the VPN Connection
- Scroll down to the "Inbound/Outbound traffic NAT" section, tick the "Source NAT" checkbox, choose your real local subnet as the "Source", the remote subnet as the "Destination" and the "fake" subnet as the "SNAT" address
- Tick the "Destination NAT" checkbox, click "Add", choose your "fake" subnet as the "Original IP" and your real local subnet as the "Mapped IP", then click "OK"
- Navigate to Configuration > Network > Routing > Policy Route and click “Add”
- Choose your real local subnet as the "Source Address" and the remote subnet as the "Destination Address"; under "Next Hop" set the "Type" to "VPN Tunnel", select the VPN Connection created above as the "VPN Tunnel" and click "OK"
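The steps above are entered in the USG GUI, so there is nothing to script on the device itself. The following Python script is an added example (not part of the original tutorial or of any Zyxel software) that models the resulting SNAT/DNAT behaviour and performs the check from the "Create new Object" step before you commit the subnets: it rejects a "fake" subnet that overlaps either site or that is not the same size as the real local subnet, and it shows how a connection from a local host is rewritten on the way out and how the reply is rewritten on the way back in. All addresses (192.168.1.0/24 local, 192.168.2.0/24 remote, 10.99.1.0/24 as the "fake" subnet) are constructed for the example.

```python
"""Added example: model the "fake subnet" Source/Destination NAT from the
VPN Connection steps and validate the subnets before configuring the USG.

Constructed example addresses (not from the original tutorial):
  real local subnet    192.168.1.0/24
  remote site subnet   192.168.2.0/24
  "fake" (mask) subnet 10.99.1.0/24
"""
from ipaddress import ip_address, ip_network


def check_mask_subnet(local, remote, mask):
    """Return a list of problems with the chosen "fake" subnet (empty = OK).

    The mask subnet must not overlap the real local subnet or the remote
    subnet, and it must have the same prefix length as the local subnet so
    that every local host maps to exactly one masked address (1:1 mapping).
    """
    local, remote, mask = ip_network(local), ip_network(remote), ip_network(mask)
    problems = []
    if mask.overlaps(local):
        problems.append(f"mask subnet {mask} overlaps the local subnet {local}")
    if mask.overlaps(remote):
        problems.append(f"mask subnet {mask} overlaps the remote subnet {remote}")
    if mask.prefixlen != local.prefixlen:
        problems.append(
            f"mask subnet /{mask.prefixlen} is not the same size as the local "
            f"subnet /{local.prefixlen}; 1:1 SNAT/DNAT needs equal-sized subnets"
        )
    return problems


def needs_remote_masking(local, remote):
    """True when both sites use overlapping real subnets. In that case the
    remote site has to mask its own subnet as well, with a different "fake"
    subnet, or your local hosts will treat remote addresses as on-link."""
    return ip_network(local).overlaps(ip_network(remote))


def translate(addr, src_net, dst_net):
    """Map one host 1:1 from src_net into dst_net, keeping the host bits:
    192.168.1.10 in 192.168.1.0/24 -> 10.99.1.10 in 10.99.1.0/24."""
    addr, src_net, dst_net = ip_address(addr), ip_network(src_net), ip_network(dst_net)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return str(ip_address(int(dst_net.network_address) + host_bits))


def outbound(src, dst, local, remote, mask):
    """Policy route + "Source NAT": a packet from the real local subnet to the
    remote subnet enters the tunnel with its source rewritten into the mask
    subnet. Any other packet is left untouched. Returns (src, dst)."""
    if ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote):
        return translate(src, local, mask), dst
    return src, dst


def inbound(src, dst, local, remote, mask):
    """"Destination NAT": a packet from the remote subnet addressed to the mask
    subnet gets its destination rewritten back to the real local host."""
    if ip_address(src) in ip_network(remote) and ip_address(dst) in ip_network(mask):
        return src, translate(dst, mask, local)
    return src, dst


if __name__ == "__main__":
    LOCAL, REMOTE, MASK = "192.168.1.0/24", "192.168.2.0/24", "10.99.1.0/24"
    for line in check_mask_subnet(LOCAL, REMOTE, MASK) or ["mask subnet OK"]:
        print(line)
    # A local host opens a connection to a remote host ...
    print("out:", outbound("192.168.1.10", "192.168.2.20", LOCAL, REMOTE, MASK))
    # ... and the remote host's reply comes back to the masked address.
    print("in: ", inbound("192.168.2.20", "10.99.1.10", LOCAL, REMOTE, MASK))
    # A "fake" subnet that collides with the remote site is rejected.
    print(check_mask_subnet(LOCAL, REMOTE, "192.168.2.0/24"))
    # Same real subnet on both sites: the remote site must mask too.
    print("remote must mask:", needs_remote_masking(LOCAL, "192.168.1.0/24"))
```

Run it with the three subnets you intend to use; an empty problem list means the "fake" subnet is safe to enter as the "Local policy". The two NAT functions mirror the two checkboxes: the remote site only ever sees addresses from the mask subnet, and the DNAT step is what makes the replies reach the real local host.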
After these settings have been applied, the remote site never sees your real local subnet: it uses your "fake" subnet as the remote policy in its own VPN configuration.
Additionally, if the same real subnet exists on both your site and the remote site, the routing issues caused by the overlap are avoided. Note that in this case the remote site has to apply the same masking with a different "fake" subnet, otherwise your local hosts would still treat the remote addresses as part of their own LAN.