On your Site 1 internet router/firewall, NAT the following ports to your VPN firewall’s External IP address
Note: To setup a proper IPSEC VPN on a firewall that is behind an internet facing router/firewall, your IPSEC VPN firewall must be assigned an internal IP address. The above example shows the IPSEC VPN firewall as 192.168.254.100.
This is the IP subnet that is hosted by the internet router/firewall. 192.168.254.100 is what the External interface of the IPSEC VPN firewall is assigned. Its internal subnet must be on a different subnet. This example will use 172.29.0.0/24
The IPSEC VPN tunnel configuration is exactly identical as if the device was the internet facing device.
In the VPN tunnel configuration, setup your local gateway to what the internet facing device (External) IP address is assigned.
On the remote IPSEC VPN tunnel, configure its remote IP address to the same IP address that is assigned to the above local gateway.
Site 1 (Home) Site 2 (Business)
Local GW: 126.96.36.199 Local GW: 188.8.131.52
Remote GW: 184.108.40.206 Remote GW: 220.127.116.11
Internal: 172.29.0.0/24 Internal: 192.168.1.0/24
Remote: 192.168.1.0/24 Remote: 172.29.0.0/24