Vpn – Is it possible to setup IPsec behind NAT without port forwarding

ipsecnetworkingpfsense-2vpn

We want to setup a IPsec connection between customer sites and our office so we can manage the hardware we place at customer sites (e.g. barriers). Its important that the VPN connection stays up all time.

We prefer to do this by placing a piece of IPsec supporting hardware (probably a router, already available in most cases) inside the customers network. The devices we need to manage for our customers will be placed behind this router. The router should setup a IPsec connection to our office.

Unfortunately we have not always control over the customers network so we are not always able to forward ports. Also not all customers are cooperative in terms of port forwarding.

Is it possible to configure IPsec so that it can operate without port forwarding at the customer side? (like OpenVPN does for example)

At our office we are using pfSense as IPsec server, at the customer site are in many cases already Edgerouter X devices available. In new installation we can also use other hardware even when i think that the solution is more in the configuration of IPsec when its even possible.

Network sketch:

Best Answer

Yes, that is possible. You need to use NAT traversal mode (NAT-T), and the connection can only be initiated by the device behind NAT (ie. the connection must be made towards the node reachable from the public network). Note that NAT-T uses UDP port 4500 instead of 500 to connect.

Related Solutions

VPN’s in cloud hosting/dedicated server environments, IPSec tunnels vs tinc

Not sure about tinc but IPSEC is almost mandatory. No serious business would trust PPTP.

Not sure how IPSEC affects routing. A tunnel is a tunnel is a tunnel regardless of the encryption. You'll be running into the same issues re: split tunnel or not, getting customers to understand the concept / oh look a particular customer's LAN IP clashes with the VPN pool you've picked, etc.

Sounds like you're aiming at SME market (individual servers, direct login etc.) so that rules out more sophisticated solutions, but I'll list two possible approaches anyway

some kind of VPN concentrator that allows profiles. All customers login to VPN concentrator then depending on their profile/group/whatever vendor teminology, get permissions to use protocol X to IP Y (ie their own server).
Cisco ASR1000V virtual routers - each customer gets one, you can then run direct IPSEC tunnels (with VTIs so makes routing appear easy) or even direct MPLS back to the customers so the router appears as just another branch in their topology, then allocate your VNICs VLANs etc. on the inside so they get a nice virtual 'branch'.
a smaller scale version of the above, we've used monowall to great effect for this purpose (i.e. each customer gets a layer 3 virtual device that acts as a router/firewall, they VPN into this device and get access to their VLANs only), however then each router/firewall needs their own public IP address.

Re: your current approach, you do realise then each server needs a public IP or you have a complicated and convoluted system of NATs where each customer's VPN path gets allocated a single port or similar.

I'd recommend getting a full time networker in to look over any design / proposal you have, it sounds like you're coming at it from a server background.

Cisco – Using a Cisco router as an L2TP client

Sure, it's certainly possible. Basically, you'll need to setup a crypto map to catch and encrypt the L2TP traffic. The psuedowire\L2TP config can be attached to a Virtual-PPP interface. Here's a config snippet that should get you going.

! Basic ISAKMP\IPSec configuration, tweak as needed. 
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 4000
!
crypto isakmp key *preshared key* address 1.2.3.4
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto map that will catch our L2TP Traffic defined in the L2TP_TRAFFIC ACL.
!
crypto map L2TP_VPN 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ESP-AES256-SHA1
 match address L2TP_TRAFFIC
!
! Match the L2TP traffic.
!
ip access-list extended L2TP_TRAFFIC
 permit udp host *Outbound IP* eq 1701 host 1.2.3.4 eq 1701
!
! Apply the crypto map to the outbound\internet facing interface. 
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map L2TP_VPN
!
! Define the psuedowire class that will speak L2TP and the source interface. 
!
pseudowire-class L2TP_PW
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
! Create Virtual-PPP interface to bind the psuedowire class to. 
!
interface Virtual-PPP1
 description L2TP Tunnel
 ip address negotiated
 ppp chap hostname *User Name*
 ppp chap password *Password*
 ppp ipcp address accept
 pseudowire 1.2.3.4 1 pw-class L2TP_PW

You'll also need to add in relevant NAT and\or routing for your scenario.

Related Topic

Cisco ipsec tunnel with nat to aws customer gateway