Nat Over vpn
Hi,
Total newbie here, I am trying to set up a site-to-site VPN with a 3rd party, but I need to NAT my side as our LAN network is already in use by another company connected to the 3rd party.
We have successfully established an IPsec connection, however there is no traffic as I am stuck on how to set up the NAT.
I tried following the tech help on this subject but that didn't help me: https://www.sonicwall.com/es-mx/support/knowledge-base/how-can-i-configure-nat-over-vpn-in-a-site-to-site-vpn/170515155805172/
Can anyone help? I have an NSA 2600
Best Answer
TKWITS Community Legend ✭✭✭✭✭
Create an address object for the subnet you are to use for the VPN NAT (172.26.12.x). In the VPN tunnel properties you enable 'Apply NAT Policies', set your Local Translated as the address object for 172.26.12.x, and Remote Translated as Original.
You do not need to manually create a NAT policy when setting the NAT in the VPN tunnel properties.
Hope that helps.
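A way to sanity-check this NAT-over-VPN plan before touching the tunnel settings, as an added example that is not from the thread or from SonicWall: it confirms the translated range is the same size as the real LAN and does not collide with the remote network or the other company's space, and maps individual hosts 1:1 both ways. The subnets are the ones quoted in the thread; the function names are the example's own.

```python
import ipaddress

# Planning values taken from the thread: the LAN that collides with the other
# company's space, the agreed translated range, and the 3rd party's network.
LOCAL_ORIGINAL = ipaddress.ip_network("172.28.12.0/23")
LOCAL_TRANSLATED = ipaddress.ip_network("172.26.12.0/23")
REMOTE = ipaddress.ip_network("10.216.0.0/16")
CONFLICTING = ipaddress.ip_network("172.28.0.0/16")  # other company's LAN behind the peer


def check_nat_plan(original, translated, remote, others):
    """Return a list of problems with a 1:1 NAT-over-VPN plan (empty means OK).

    A translated range is only usable if it is the same size as the original
    (every host gets exactly one translated address) and overlaps nothing the
    peer already routes.
    """
    problems = []
    if original.prefixlen != translated.prefixlen:
        problems.append("translated range must have the same prefix length as the original")
    if translated.overlaps(remote):
        problems.append(f"translated {translated} overlaps the remote network {remote}")
    for net in others:
        if translated.overlaps(net):
            problems.append(f"translated {translated} overlaps {net}, which the peer already uses")
    if original.overlaps(remote):
        problems.append(f"original {original} overlaps the remote network {remote}; NAT is required")
    return problems


def translate_host(ip, original, translated):
    """Map one host of the original LAN onto the translated range (1:1, host bits kept)."""
    addr = ipaddress.ip_address(ip)
    if addr not in original:
        raise ValueError(f"{addr} is not inside {original}")
    offset = int(addr) - int(original.network_address)
    return ipaddress.ip_address(int(translated.network_address) + offset)


def untranslate_host(ip, original, translated):
    """Reverse mapping: the address the peer sees, back to the real LAN host."""
    return translate_host(ip, translated, original)


if __name__ == "__main__":
    print(check_nat_plan(LOCAL_ORIGINAL, LOCAL_TRANSLATED, REMOTE, [CONFLICTING]))  # []
    print(translate_host("172.28.13.25", LOCAL_ORIGINAL, LOCAL_TRANSLATED))  # 172.26.13.25
```

The same overlap check, run with the real LAN as its own "translated" range, shows why the plan fails without NAT: 172.28.12.0/23 sits inside the other company's 172.28.0.0/16.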
Answers
@Jez222,
Welcome to the SonicWall community.
In your case, I think the NAT is only required on your end and not on the remote side. If the VPN is already up, it means the networks are matching.
I think it would be best to check if you see any traffic on the associated NAT policy and perform packet captures.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi Shipra,
Many thanks, you are correct, the NAT is only required at my end because my current network (172.28.12.0/23) is in use by another company who use 172.28.0.0/16.
We have agreed that my side can be NATed to 172.26.12.0/23, but herein lies the issue for me.
I am not sure how to set up the NAT on my NSA 2600.
Do I create an address group with my current and translated current?
172.28.12.0/23
172.26.12.0/23
If so, how do I apply that to the VPN policy?
In the Policy window under:
General - Everything agreed with 3rd party and set correctly
Network - Local Network is x0 Subnet - Remote Networks 3rd party network set correctly (10.216.0.0/16)
Proposals - Everything agreed with 3rd party and set correctly
Advanced - 2 things checked - Enable Keep alive and Apply NAT Policies
Under NAT Policies
Local Translated - Is this the Address Group (172.28.12.0/23 + 172.26.12.0/23) or the Address Object (172.26.12.0/23)?
Remote Translated - Original
Many thanks for your support
JEZ222, you should be using a Local Translated "Address Object" (172.26.12.0/23), not the address group, since you've already specified the network as X0 Subnet.
Thanks Lior, but to create the NAT do I create the group with local and translated network? That's it?
Now there is an issue with traffic
event="IPsec bad payload length"
local_net=10.210.0.0/16,remote_net=172.26.12.0/23, remote_id=xxx.xxx.xxx.xxx, information="ipsec:bad_payload_len:1",
reason="Received an IPsec packet with a payload length which is not a multiple of the ESP encryption algorithm block size. This could indicate a truncated packet."
The other side I am trying to connect to found an issue... can anyone here advise please?
Many thanks
Verify the Phase 1 and Phase 2 proposal configuration is correct on both sides of the tunnel.
If the issue is on the other side, then it is their issue to figure out.