IPsec VPN LAN-LAN (Site-to-Site) for a site with a dynamic gray IP behind NAT
There is a case:
- HQ with a fixed white IP
- Site with a dynamic gray IP behind NAT (!!!)
I need to set up an IPsec VPN LAN-LAN to connect the site to HQ.
I've tried Racoon and succeeded in establishing the IPsec connection, but the LAN-LAN connection wasn't established.
The same with strongSwan: I can see the IPsec tunnel connection established, but it has no IPs, etc.
Are there any man pages, how-tos, whatever to solve the case?

The solutions with PPTP and L2TP/IPsec worked properly (with MPD5 + IPsec/Racoon) until the provider blocked PPTP and L2TP (on the site side).

Thanks for any help.


I would use strongSwan to protect a GRE or IPIP tunnel with IPsec in transport mode and NAT-T as required. Use a leftupdown script to move the tunnel endpoints and a firewall (IPFW or PF) to prevent traffic leaks.
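As an added example (not from this thread), here is a FreeBSD-style leftupdown script for the approach above: it re-points a gif (IPIP) tunnel at whatever public address the peer currently has when the SA comes up, and tears the route and tunnel down when the SA goes away so nothing leaves in the clear. The interface name, inner addresses, remote LAN and the ipsec.conf sketch in the header comment are assumptions to adapt.

```shell
#!/bin/sh
# Assumed strongSwan conn (ipsec.conf) that calls this script; transport mode
# protecting the IPIP (proto 4) packets between the endpoints, NAT-T negotiated
# automatically. Sketch only, adapt ids/auth to your setup:
#   conn site-hq
#       type=transport
#       leftsubnet=%dynamic[ipencap]
#       rightsubnet=%dynamic[ipencap]
#       leftupdown=/usr/local/etc/ipsec/gif-updown.sh
# strongSwan exports PLUTO_VERB, PLUTO_ME and PLUTO_PEER to this script.

GIF_IF="${GIF_IF:-gif0}"
# Inner point-to-point addresses and the LAN behind the peer (constructed values).
INNER_LOCAL="${INNER_LOCAL:-10.255.0.1}"
INNER_REMOTE="${INNER_REMOTE:-10.255.0.2}"
REMOTE_LAN="${REMOTE_LAN:-192.168.2.0/24}"

# Print the commands for one updown event (eval'd below, or inspected in tests).
# $1 = PLUTO_VERB, $2 = PLUTO_ME (our address), $3 = PLUTO_PEER (peer on the wire).
tunnel_commands() {
    verb="$1"; me="$2"; peer="$3"
    case "$verb" in
    up-host|up-client)
        # Peer address may have changed (dynamic IP): re-point the gif tunnel.
        printf 'ifconfig %s create 2>/dev/null || true\n' "$GIF_IF"
        printf 'ifconfig %s tunnel %s %s\n' "$GIF_IF" "$me" "$peer"
        printf 'ifconfig %s inet %s %s netmask 255.255.255.255 up\n' \
            "$GIF_IF" "$INNER_LOCAL" "$INNER_REMOTE"
        printf 'route add -net %s %s\n' "$REMOTE_LAN" "$INNER_REMOTE"
        ;;
    down-host|down-client)
        # SA gone: remove the route first so LAN traffic cannot fall back to the
        # default route unencrypted, then drop the tunnel endpoints.
        printf 'route delete -net %s %s\n' "$REMOTE_LAN" "$INNER_REMOTE"
        printf 'ifconfig %s deletetunnel\n' "$GIF_IF"
        printf 'ifconfig %s down\n' "$GIF_IF"
        ;;
    *)
        return 1
        ;;
    esac
}

# Execute only when invoked by strongSwan (PLUTO_VERB set); sourcing the file
# for inspection does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    tunnel_commands "$PLUTO_VERB" "$PLUTO_ME" "$PLUTO_PEER" | sh -e
fi
```

Pair it with a firewall rule on the WAN interface that only admits proto 4 (or GRE) traffic inside ESP/NAT-T, so a dropped SA cannot turn into plaintext tunnel packets.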