How to make VPN Clients connect to a Safepipe located behind a NAT router


Introduction

This guide describes how you make it possible for VPN Clients to establish a tunnel connection to a Safepipe when the Safepipe is placed behind a router with NAT (Network Address Translation).

Eicon VPN Clients get information about which IP address they should connect to from their configuration token files. When there is a NAT router placed in front of the Safepipe, it is important that the token files tell the VPN Clients to connect not to Safepipe's public IP address, as they would normally do, but to the public IP address of the NAT router. Only when VPN Clients connect to the external IP address of the NAT router can their connection reach the Safepipe.

This means that token file creation on the Safepipe must take place before the necessary NAT rules are defined on the NAT router. Otherwise, the token files will tell VPN Clients to connect to Safepipe using a NATed (hidden) internal IP address that they will not be able to reach.

Note: If you have previously configured token files on Safepipe (without a NAT router involved), VPN Clients using these token files will no longer be able to connect after you introduce the NAT router. In that case, you should change the configuration of Safepipe's public interface and configure new token files for your VPN Clients as described in this guide.

The procedure will take you through the following steps:

  1. Provisionally configuring Safepipe's public interface with the public IP address of the NAT router.
  2. Creating token files for the VPN Clients.
  3. Configuring the NAT rules on the NAT router.
  4. Changing Safepipe's public interface IP address to the NATed IP address.

In the procedure, we employ the following scenario:

[Scenario diagram]
Remember to substitute the IP addresses used in the examples with the appropriate numbers for your network.


Prerequisites

  • Safepipe must be installed and have a connection to the Internet.

  • You must have configured the public IP address of the NAT router.

  • The NAT router must be configured to allow ICMP.

    This is because VPN Clients first try to reach Safepipe with ping.

  • The NAT router must be configured to allow traffic through the following ports and protocols:
    • UDP port 500, and IP protocol 50 (ESP) and 51 (AH)
    • UDP port 30295
    • UDP port 30296

  • The ports on the NAT router should be masqueraded.

    Do not use port forwarding. If port forwarding is used, the IPSec checksum is changed because the data packet is modified, and it will not be possible to set up the tunnel.
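The prerequisites above are easy to get partly wrong on a router with many rules, so the following added example (not Eicon's code, and not output of any Safepipe tool) checks a router's allow-list against them. The rule format it parses ("allow <proto> [port]" for a masqueraded pass-through and "forward <proto> <port>" for port forwarding) is a constructed, hypothetical stand-in for whatever your router's configuration export looks like; adapt parse_rules() to the real format and the check itself stays the same.

```python
"""Check a NAT router's rule export against the Safepipe VPN Client prerequisites.

Constructed example. The rule syntax handled by parse_rules() is hypothetical;
replace that function with one that reads your router's actual export.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Traffic the guide requires the NAT router to pass through to Safepipe.
# ("proto", n) means raw IP protocol number n rather than a UDP/TCP port.
REQUIRED = {
    ("icmp", None),   # VPN Clients first try to reach Safepipe with ping
    ("udp", 500),
    ("proto", 50),    # ESP
    ("proto", 51),    # AH
    ("udp", 30295),
    ("udp", 30296),
}

# Constructed sample export, not real router output.
SAMPLE_RULES = """
# masqueraded pass-through rules
allow icmp
allow udp 500
allow proto 50
# port-forwarded rule: the guide says this breaks the IPSec checksum
forward udp 30295
"""


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" (masqueraded) or "forward" (port forwarding)
    proto: str           # "icmp", "udp", "tcp" or "proto" (raw IP protocol)
    port: Optional[int]  # port or protocol number; None for icmp


def parse_rules(text: str) -> List[Rule]:
    """Parse the hypothetical 'action proto [port]' export, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        action, proto = parts[0].lower(), parts[1].lower()
        port = int(parts[2]) if len(parts) > 2 else None
        rules.append(Rule(action, proto, port))
    return rules


def _order(entry: Tuple[str, Optional[int]]):
    # Sort key that copes with the None port of the ICMP entry.
    return (entry[0], -1 if entry[1] is None else entry[1])


def check_nat_router(rules: List[Rule]):
    """Return (missing, forwarded).

    missing:   required entries that no rule permits at all.
    forwarded: required entries that are port-forwarded instead of
               masqueraded, which the guide says prevents tunnel setup.
    """
    allowed = {(r.proto, r.port) for r in rules if r.action == "allow"}
    forwarded = {(r.proto, r.port) for r in rules if r.action == "forward"}
    missing = sorted(REQUIRED - allowed - forwarded, key=_order)
    bad = sorted(REQUIRED & forwarded, key=_order)
    return missing, bad


def report(text: str) -> List[str]:
    """Human-readable findings for one rule export (empty list means all good)."""
    missing, bad = check_nat_router(parse_rules(text))
    lines = [f"missing: {proto} {port if port is not None else ''}".rstrip()
             for proto, port in missing]
    lines += [f"port-forwarded, should be masqueraded: {proto} {port}"
              for proto, port in bad]
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_RULES) or ["NAT router rules satisfy the prerequisites"]:
        print(finding)
```

Run against the constructed sample it reports AH (protocol 51) and UDP 30296 as missing and UDP 30295 as port-forwarded; once every required entry is an "allow" rule, report() returns nothing.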


Procedure

  1. Open the browser-based management interface of Safepipe. Click 'Network' > 'IP'.

    [Screenshot: 'Network' > 'IP' menu]

  2. Provisionally configure Safepipe's public (Ethernet 2) interface with the NAT router's public IP address.
    Enter the public IP address of the NAT router in the 'IP Address' field and its subnet mask in the 'Subnet mask' field. Enter the NAT router's private IP address in the 'Gateway IP' field.

    Note:
    Users of Safepipe with software version 2.3 or newer should also select 'Static IP' from the 'Connection' drop-down menu.

    [Screenshots: 'Public interface' settings for Safepipe release 2.3 or newer and for Safepipe release 2.2 or older]


  3. Click the 'Apply Changes' button.

    [Screenshot: 'Apply Changes' button]

  4. Create the token files for the VPN Clients. Create as many as you think you are possibly going to need; that way you will not have to change Safepipe's public IP address again each time you need a new token for a VPN Client.

    For more information about creating token files on Safepipe, refer to the guide How to configure Safepipe for VPN Client connections (steps 2 - 15).

  5. Configure the necessary NAT rules on the NAT router.

    You may consult your router's documentation for guidance.

  6. Back on Safepipe's management interface, click 'Network' > 'IP'.

    [Screenshot: 'Network' > 'IP' menu]

  7. Change the configuration of Safepipe's public (Ethernet 2) interface to the NATed IP address (the hidden internal IP address to which the NAT router routes incoming traffic to Safepipe). In our scenario the NATed IP address would be 10.1.1.21.
    Enter Safepipe's NATed IP address in the 'IP Address' field and its subnet mask in the 'Subnet mask' field. Keep the NAT router's private IP address in the 'Gateway IP' field.

    Note: Users of Safepipe with software version 2.3 or newer should also select 'Static IP' from the 'Connection' drop-down menu.

    [Screenshots: 'Public interface' settings for Safepipe release 2.3 or newer and for Safepipe release 2.2 or older]


  8. Click the 'Apply Changes' button.

    [Screenshot: 'Apply Changes' button]

  9. Make sure users' VPN Clients are configured with token files that have been created as described in this guide.

    For guidance about configuration of users' VPN Clients, please see How to install and configure Eicon VPN Client.

Now, when a VPN Client attempts to make a connection, it contacts the public IP address of the NAT router. The NAT router then translates the destination to the internal IP address used for Safepipe's public interface, and the VPN Client is able to connect to Safepipe.

© 2001 Eicon Networks