Using a NAT address for a VPN endpoint

VPN traffic is protected against modifications, so there are some restrictions when NAT is applied to the encrypted traffic.

If a gateway does not have a public IP address as a VPN endpoint, you might need to configure NAT traversal.

You might also need to configure the policy-based VPN with contact addresses so that the gateways are aware of the NAT operation:
  • Firewalls that are used as VPN Gateways in a NAT environment must have Locations and Contact Addresses defined for the endpoint interfaces involved. On Firewall Clusters, CVIs must have Locations and Contact Addresses defined. If Contact Addresses have already been configured for non-VPN use, the same general configuration applies to VPN communications as well. The Stonesoft VPN Client downloads its configuration from the gateway, including any contact address configuration as needed.
  • Usually, External VPN Gateways must be defined using their private IP addresses. The public IP address must be added as the Contact Address for the Location of the contacting Forcepoint NGFW in the Firewall/VPN role.