How Do I Hide the True Source IP Address of Incoming IPSec Traffic?
How do you "change or hide" the true source IP address of incoming IPSec Traffic that is decrypted on the NetScreen/SSG/ISG device?
This article applies to ScreenOS 5.0 and higher.
One way to hide the true source IP address in an IPSec VPN tunnel is to use inbound NAT. With inbound NAT, the destination host sees the traffic as coming from the interface IP address.
If you are using Route-Based VPN, you will need to use a tunnel interface. Bind it to a different zone (Untrust) than the zone where the private network exists (Trust, DMZ, etc.). Configure an incoming policy from the Untrust zone to the internal zone and then enable inbound NAT on the interface. If you plan to use a tunnel interface with a DIP pool, the tunnel interface must be numbered so that a DIP/MIP can be created for it.
There are two ways to hide the true source IP address of incoming IPSec traffic:
- Create a DIP Pool: You can define a DIP pool on this interface so that the incoming source IP address is translated to one of the pool addresses, whichever is first available. You select this DIP pool when you turn on NAT on the inbound access policy.
- Turn on NAT on the inbound policy: This translates the source IP address to the trust interface IP address. An added advantage of this method is that you do not have to add return routes for the reply packets to reach the NetScreen device. Because the source IP address has become the trusted interface IP address, internal routers and hosts that point to the NetScreen trusted interface as their default gateway will ensure that replies to the translated packet are returned to the NetScreen device.
To hide the true source IP address of incoming IPSec traffic, perform the following steps:
Open the WebUI. For more information on accessing the WebUI, go to Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.
From the WebUI, click Policies.

For the VPN policy whose incoming IPSec traffic should have its true source IP address hidden, click Edit.

Click Advanced.

Under Advanced Policy Settings, click to select Source Translation.

Click OK.

You always need an access policy if the traffic traverses two zones. If the tunnel interface is bound to the same zone as the one from which traffic for the VPN tunnel is initiated, then you will not need a policy.
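The route-based setup and the two translation options described above, written as ScreenOS CLI. This is an added example, not part of the original article. The interface name tunnel.1, DIP ID 5, the address book names and every IP address are assumed placeholders. Lines starting with # are annotations and are not entered at the prompt.

```text
# Assumed sample values: tunnel.1, DIP ID 5, 10.20.1.0/24 (tunnel subnet),
# 192.168.50.0/24 (remote site), 10.1.1.0/24 (local Trust network).

# Bind the tunnel interface to a zone other than the one holding the private network
set interface tunnel.1 zone Untrust

# Address book entries referenced by the inbound policy
set address Untrust "remote_lan" 192.168.50.0/24
set address Trust "local_lan" 10.1.1.0/24

# Option 1: DIP pool. The tunnel interface must be numbered first.
set interface tunnel.1 ip 10.20.1.1/24
set interface tunnel.1 dip 5 10.20.1.2 10.20.1.10
set policy from Untrust to Trust "remote_lan" "local_lan" any nat src dip-id 5 permit

# Option 2: NAT on the inbound policy with no DIP pool. The source becomes the
# trust interface IP address, so internal hosts need no extra return route.
# Use this line instead of the Option 1 policy line, not in addition to it.
set policy from Untrust to Trust "remote_lan" "local_lan" any nat src permit

# Check that sessions from a remote host (assumed 192.168.50.10) show the translated source
get session src-ip 192.168.50.10
```

With Option 1, internal routers need a route for the DIP pool range that points back to the NetScreen device; Option 2 avoids this, as noted in the list above.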