7

I need to have a site to site VPN between two sites.

Here is the following topology for each site:

  1. Site A: One Cisco 1921 WAN port (192.168.3.2) connected to the ISP router (192.168.3.66); both the Cisco 1921 and the ISP's router are doing NAT Overload.

  2. Site B: One Cisco 1921 WAN port (192.168.2.2) connected to the ISP router (192.168.2.66); both the Cisco 1921 and the ISP's router are doing NAT Overload.

From the above topology it is clear that I do not have control over the ISP router to do port forwarding.

How can I successfully configure a Site-to-Site IPSec tunnel between the two routers?

I am not asking about "how to do the VPN in Cisco IOS"; I know how to do that. What I am wondering is how it is possible to make a VPN tunnel over such double NATing, considering that port forwarding is not possible on the ISP router.

Kevin Bowen

4 Answers

3

If you can't forward ports on either of the two sites, you cannot establish a VPN directly between the two sites.

You could establish a VPN from each site to a third one, and route accordingly (as suggested in comment by @peterh).

Personally I would try to work with the ISP to find a solution, and if the ISP can't / doesn't want to help, change the ISP.

JFL
2

To allow an IPsec tunnel between two sites behind NAT, you need at least one site with udp/500 and udp/4500 NATted from outside to inside.

Andrey Prokhorov
1

Without port/protocol forwarding there's no way to connect into either site.

Get yourself an external server with a static address, connect VPNs out from both sites and tie the tunnels together on the external server.

Additionally, if your ISP routers don't support IPsec traversal you'll be better off with an SSL VPN. As peterh suggested, OpenVPN might be a good choice.

Alternatively, get your ISP to route your sites with at least one static address without NAT.

Zac67
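A small added model (example code, not from any of the answers here) of why the answers above reach the same conclusion: with NAT overload a translation entry exists only after an inside host sends outbound, so an IKE packet arriving unsolicited at the other site's ISP NAT is dropped, while both 1921s initiating outbound to a hub with a public address works. The ISP public addresses and the hub address are constructed sample values, and address/port-dependent filtering on the ISP's NAT is an assumption.

```python
import itertools

class NatOverload:
    """Minimal PAT model (assumption: address/port-dependent filtering, the
    usual behaviour of 'ip nat inside source ... overload'): an entry is
    created only by outbound traffic, and only the exact outside peer that
    entry was made for can send back in through it."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = itertools.count(1024)
        self.out = {}   # (in_ip, in_port, peer_ip, peer_port) -> public port
        self.inb = {}   # (public port, peer_ip, peer_port) -> (in_ip, in_port)

    def outbound(self, pkt):  # pkt = (src_ip, src_port, dst_ip, dst_port)
        src_ip, src_port, dst_ip, dst_port = pkt
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:
            self.out[key] = next(self.next_port)
            self.inb[(self.out[key], dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, pkt):
        src_ip, src_port, dst_ip, dst_port = pkt
        inside = self.inb.get((dst_port, src_ip, src_port))
        return None if inside is None else (src_ip, src_port) + inside

def send(pkt, out_nat, in_nat):
    """Translate pkt outward through out_nat, then inward through in_nat.
    Returns the packet as delivered, or None if in_nat had no state for it."""
    pkt = out_nat.outbound(pkt)
    return in_nat.inbound(pkt) if in_nat else pkt

# 1921 WAN addresses as in the question; ISP public and hub addresses are
# constructed sample values (RFC 5737 documentation ranges).
A_WAN, A_ISP = "192.168.3.2", "203.0.113.10"
B_WAN, B_ISP = "192.168.2.2", "198.51.100.20"
HUB, IKE = "192.0.2.1", 500

def direct_site_to_site():
    """Site A's 1921 initiates IKE to site B's ISP public address."""
    nat_a, nat_b = NatOverload(A_ISP), NatOverload(B_ISP)
    return send((A_WAN, IKE, B_ISP, IKE), nat_a, nat_b)   # dropped -> None

def via_hub():
    """Both 1921s initiate IKE outbound to the hub; the hub answers each from
    the exact (address, port) it saw, so both replies get back inside."""
    results = []
    for wan, isp in ((A_WAN, A_ISP), (B_WAN, B_ISP)):
        nat = NatOverload(isp)
        seen = send((wan, IKE, HUB, IKE), nat, None)   # packet as the hub sees it
        results.append(nat.inbound((HUB, IKE, seen[0], seen[1])))
    return results
```

The same state rule applies to udp/4500 (NAT-T), which is why an unsolicited inbound on either port fails without a forwarding entry on the ISP router.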
1

A static IP for at least one side is advised; however, DDNS will work for this (if both sides are assigned dynamic addresses and NAT Overloaded), while both routers have FQDNs assigned for dynamic tracking of the peer:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/118048-technote-ipsec-00.html

If DDNS is not leveraged, one side will need to have a public static IP in order to provide a peer IP address for the remote dynamic peer to initiate interesting traffic. I strongly recommend getting real-time support from Cisco TAC on this configuration and the requirements.

Amon Hogue