This section details some NAT-related deployment scenarios for VPN services.
Use only static NAT, and ensure that it runs on a separate machine from the VPN master or slave.
Figure 5: NBM 3.7 without NAT
Figure 6: NBM 3.8 VPN with NAT
If there are any NBM 3.7 servers in the network, first upgrade all of them to NBM 3.8.
After that, configure the NBM 3.8 servers and ensure that they are working properly.
Configure static NAT and place the NBM 3.8 servers behind the NAT boxes.
You should always keep the NAT and VPN on separate machines.
Before configuring the VPN services on the NBM 3.8 machine, ensure that Static NAT is working.
Configure the VPN services on the NBM 3.8 machine with the public IP address on which the VPN service is to run.
The VPN master server should be an NBM 3.8 server. If you are moving a server behind NAT, either make sure that any other master server in the VPN network has been upgraded to NBM 3.8, or move a VPN slave server behind NAT. Moving the VPN master server behind NAT causes no issues.
We recommend that the VPN and NAT run on different machines.
Configure a static NAT server by mapping the secondary IP address of the NAT server to the VPN server's private IP address.
On the VPN server, set the default route to the NAT server's private interface.
Reconfigure the VPN server with the secondary IP address of the NAT server.
Ping the secondary IP address from the public machine. The traffic should be diverted to the VPN server.
If the VPN server you moved is a VPN master server, create new keys by using vpncfg and add the other VPN members to this master server.
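A pre-flight consistency check for the steps above, as an added example (not Novell's code or an NBM tool): it validates a planned layout against the static NAT mapping, default route and VPN address rules before any server is changed. The field names, host names and addresses are constructed for illustration.

```python
import ipaddress

def check_vpn_behind_nat(plan):
    """Return a list of problems in a planned VPN-behind-static-NAT layout."""
    problems = []
    nat_secondary = ipaddress.ip_address(plan["nat_secondary_ip"])
    nat_private = ipaddress.ip_interface(plan["nat_private_interface"])
    vpn_private = ipaddress.ip_address(plan["vpn_private_ip"])
    vpn_service = ipaddress.ip_address(plan["vpn_service_ip"])
    vpn_gateway = ipaddress.ip_address(plan["vpn_default_route"])
    # NAT and VPN must run on different machines.
    if plan["nat_host"] == plan["vpn_host"]:
        problems.append("NAT and VPN are on the same machine")
    # Static NAT: the NAT secondary address maps to the VPN server's private address.
    mapped = plan["static_nat"].get(str(nat_secondary))
    if mapped is None:
        problems.append(f"no static NAT entry for {nat_secondary}")
    elif ipaddress.ip_address(mapped) != vpn_private:
        problems.append(f"{nat_secondary} maps to {mapped}, not {vpn_private}")
    # The VPN server's default route is the NAT server's private interface (on-link).
    if vpn_gateway != nat_private.ip:
        problems.append(f"default route {vpn_gateway} is not {nat_private.ip}")
    if vpn_private not in nat_private.network:
        problems.append(f"{vpn_private} is not on {nat_private.network}")
    # The VPN service is configured with the NAT server's secondary address.
    if vpn_service != nat_secondary:
        problems.append(f"VPN configured with {vpn_service}, not {nat_secondary}")
    return problems

# Constructed sample plan (assumed names and documentation-range addresses).
GOOD_PLAN = {
    "nat_host": "nat1",
    "vpn_host": "vpn1",
    "nat_secondary_ip": "203.0.113.10",
    "nat_private_interface": "192.168.10.1/24",
    "static_nat": {"203.0.113.10": "192.168.10.20"},
    "vpn_private_ip": "192.168.10.20",
    "vpn_default_route": "192.168.10.1",
    "vpn_service_ip": "203.0.113.10",
}
# Constructed broken plan: shared machine, wrong mapping, wrong route, private VPN address.
BAD_PLAN = dict(GOOD_PLAN, vpn_host="nat1", vpn_default_route="192.168.10.254",
                static_nat={"203.0.113.10": "192.168.10.21"},
                vpn_service_ip="192.168.10.20")

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, check_vpn_behind_nat(plan) or "OK")
```

A plan that passes still needs the ping test from the public side, since the check only confirms that the planned values agree with each other.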