NAT across a VPN tunnel

Hi, I’m looking for a virtual firewall to take the place of the native AWS VPN functionality.

The reason I’m looking for this is that AWS VPNs don’t allow NAT, and our customer is using the same network ranges as we are.

What I would like is for the customer to connect to a range of IP addresses that we offer through the VPN, for the traffic to arrive and then be translated to the actual addresses of the AWS instances, with the responses appearing to come from the NAT addresses.

I’m new to IPFire and I’d like to know if this is possible before jumping in.

It would always be best to rename your address space. Any chance of doing that?

NAT is possible here, but it is not fun and creates a thousand other issues.

Development types say no to re-IPing the AWS side.

What kind of issues does it create?

The list of issues is long, but here are, in my opinion, the most important ones:

  • It is confusing. Although not a technical issue, this is causing chaos in your documentation which you now cannot share with the other side and you will just end up with loads of configuration issues - which will be security issues in the end.
  • You will have to translate addresses twice. Once when you send packets and once when they come back in. That means you see them with different IP addresses in different stages of the firewall engine. Maybe this goes back to reason number one, but there are too many chances to get it wrong.

Since I do not know much about your environment (size, how long it would take and what else is affected) I cannot really tell you to change it. But if there is any chance, then do it. Otherwise I can recommend that you contact me through Lightning Wire Labs and I can help you configure this on the console with IPFire and set up the rest of the VPN.
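The double translation described in the post above, as an added example that is not from the original thread and is not IPFire's own configuration: a small POSIX shell script that prints (does not apply) generic Linux netfilter NETMAP rules for the overlapping-subnet case and computes what each address looks like at each stage. In plain netfilter the destination rewrite happens in PREROUTING (before routing) and the source rewrite in POSTROUTING (after routing), and conntrack reverses both for the reply packets, so only the customer-to-instance direction needs rules. The interface names, the 10.0.0.0/24, 192.168.100.0/24 and 192.168.200.0/24 ranges and the rule layout are assumptions for illustration; how IPFire orders its own NAT stages is not covered here.

```shell
#!/bin/sh
# Added example, not IPFire's configuration. Hypothetical layout:
#   our real instances          10.0.0.0/24      (behind LAN_IF)
#   range we offer the customer 192.168.100.0/24 (what they connect to)
#   customer's real range       10.0.0.0/24      (arrives over TUN_IF, overlaps ours)
#   alias range our instances see the customer as: 192.168.200.0/24
TUN_IF=${TUN_IF:-ipsec0}
LAN_IF=${LAN_IF:-eth0}
OFFERED_NET=192.168.100.0/24
REAL_NET=10.0.0.0/24
CUST_REAL_NET=10.0.0.0/24
CUST_ALIAS_NET=192.168.200.0/24

# ip4_to_int 10.0.0.37 -> 167772197 (dotted quad to a 32-bit integer)
ip4_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# netmap ADDR FROM_NET TO_NET: what `-j NETMAP --to TO_NET` does to ADDR.
# If ADDR is inside FROM_NET (CIDR), the network bits are swapped for TO_NET's
# and the host bits are kept (1:1 mapping); otherwise ADDR is printed unchanged.
netmap() {
    addr=$(ip4_to_int "$1")
    from=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    to=$(ip4_to_int "${3%/*}")
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    if [ $(( addr & mask )) -ne $(( from & mask )) ]; then
        echo "$1"
        return 1
    fi
    int_to_ip4 $(( (to & mask) | (addr & ~mask & 0xFFFFFFFF) ))
}

# Print the rules instead of applying them, so this runs unprivileged.
# PREROUTING rewrites the destination (offered -> real instance) before routing;
# POSTROUTING rewrites the source (customer real -> alias) after routing, limited
# to connections whose original destination was the offered range so that
# ordinary LAN traffic in 10.0.0.0/24 is never touched.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $TUN_IF -d $OFFERED_NET -j NETMAP --to $REAL_NET
iptables -t nat -A POSTROUTING -o $LAN_IF -s $CUST_REAL_NET -m conntrack --ctorigdst $OFFERED_NET -j NETMAP --to $CUST_ALIAS_NET
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $CUST_REAL_NET -d $REAL_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $TUN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# seen_by_instance SRC DST: a customer packet SRC -> DST as it arrives over the
# tunnel (pre-NAT), shown as the AWS instance sees it after both rewrites.
seen_by_instance() {
    echo "$(netmap "$1" "$CUST_REAL_NET" "$CUST_ALIAS_NET") -> $(netmap "$2" "$OFFERED_NET" "$REAL_NET")"
}

# seen_by_customer SRC DST: the instance's reply SRC -> DST, shown as the
# customer sees it after conntrack undoes both rewrites.
seen_by_customer() {
    echo "$(netmap "$1" "$REAL_NET" "$OFFERED_NET") -> $(netmap "$2" "$CUST_ALIAS_NET" "$CUST_REAL_NET")"
}

nat_rules
echo "customer 10.0.0.37 -> offered 192.168.100.5 reaches the instance as: $(seen_by_instance 10.0.0.37 192.168.100.5)"
echo "reply 10.0.0.5 -> 192.168.200.37 reaches the customer as:            $(seen_by_customer 10.0.0.5 192.168.200.37)"
```

The two trace functions make the confusion from the post concrete: the same flow is 10.0.0.37 -> 192.168.100.5 in the tunnel, 192.168.200.37 -> 10.0.0.5 on the LAN, and a packet capture or log line from one stage will not match a rule written for the other. The customer side still has to route 192.168.100.0/24 into the tunnel and our side 192.168.200.0/24 back out of it, and with policy-based IPsec the traffic selectors must name the translated ranges, not the real ones.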

Thank you, MS. I can handle the confusion; I have experience handling NAT across tunnels with other firewalls.

Chances are NAT is the last thing that happens outbound and first thing that happens inbound. I’ll work on that assumption.

That is unfortunately not true.

Bugger, could you point me at some documentation detailing how it does work?

I do not think that this documentation exists for IPFire, but I have done it before.