IPsec - Overlapping Private Networks


#1

Hello,
Is it possible to set up an IPsec tunnel between two VyOS routers with overlapping private networks? My network setup is:

Site A
LAN 192.168.1.0/24
WAN 86.xxx.xxx.xxx/27

Site B
LAN 192.168.1.0/24
WAN 86.xxx.xxx.xxx/27

Any hint ?

Thank You !


#2

How would the router know to distinguish the traffic for one VPN from the other when the same IP range is used?

I don’t think that is possible.

But I still learn every day :wink:


#3

More specifically, consider how a host (machine1) at site A with address 192.168.1.10 tries to talk to a host (machine2) with address 192.168.1.20. Machine1 knows that it is using a /24 for the subnet, and therefore it ARPs for the MAC address of machine2. That ARP and its reply won’t even be processed by the router at site A.

You might be able to hack something up with /32 host routes installed on each machine at site A that needs to talk to machines at site B, pointing them at the site A router, but I doubt that would work, and in any case it would not scale well.

Rather than renumbering one of the sites on IPv4, consider adding non-overlapping IPv6 addresses to both sites. Then communicate between the sites over IPv6, through a tunnel if necessary. If you don’t have native IPv6 from your provider(s), I would get free IPv6 tunnels from tunnelbroker.net.


#4

Unfortunately I cannot change the LAN IP.

I also tried to use “Mapping of Address Ranges” to make the IP space unique, and then send the traffic via IPsec. This scenario was functional in an earlier version of Vyatta.

[php]
show nat source
 rule 10 {
     destination {
         address 192.168.20.0/24
     }
     outbound-interface eth0
     source {
         address 192.168.1.0/24
     }
     translation {
         address 192.168.30.0/24
     }
 }
[/php]
[php]
show nat destination rule 1
 destination {
     address 192.168.30.0/24
 }
 inbound-interface eth0
 source {
     address 192.168.20.0/24
 }
 translation {
     address 192.168.1.0/24
 }
[/php]

[php]
show vpn ipsec site-to-site
 local-address 86.xxx.xxx.xxx
 tunnel 1 {
     esp-group net
     local {
         prefix 192.168.30.0/24
     }
     remote {
         prefix 192.168.20.0/24
     }
 }
[/php]
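To make the packet flow behind those rules concrete, here is an added example, not part of the original post and not VyOS code: a small Python model of the 1:1 prefix mapping (the "mapping of address ranges", NETMAP-style translation that a /24-to-/24 translation address gives you) combined with the IPsec selectors. It traces one request and its reply through both routers so you can check that the source NAT output of each side lands inside the tunnel's local prefix and that the destination NAT on the far side reverses it. Only site A's rules appear in the thread; the model assumes site B mirrors them with 192.168.20.0/24 as its mapped prefix, and the host numbers .10 and .20 are constructed for the trace. The `needs_router` check also illustrates the earlier point in the thread: a host that addresses the peer's real 192.168.1.x address ARPs locally and never hands the packet to the router, so hosts have to address the peer's mapped prefix.

```python
"""Model of the 1:1 NAT + IPsec trick for overlapping LANs.

Constructed example, not VyOS code: it shows which addresses a packet carries
at each hop so the NAT rules and the IPsec selectors can be checked against
each other. Site B's mapped prefix (192.168.20.0/24) and the host numbers are
assumptions, not taken from the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Site:
    name: str
    real_lan: IPv4Network     # the overlapping prefix actually used on the LAN
    mapped_lan: IPv4Network   # unique prefix this site presents inside the tunnel
    peer_mapped: IPv4Network  # unique prefix the other site presents


def netmap(addr, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 prefix translation: keep the host bits, swap the network bits.
    This is what a /24 -> /24 'translation address' rule does (NETMAP)."""
    addr = ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 mapping needs equally sized prefixes")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return dst_net.network_address + host_bits


def needs_router(site: Site, dst) -> bool:
    """A LAN host only hands a packet to its router when dst is off-subnet.
    A destination inside the (overlapping) real LAN is ARPed for locally and
    never reaches the tunnel, so hosts must use the peer's *mapped* prefix."""
    return ip_address(dst) not in site.real_lan


def lan_to_tunnel(site: Site, src, dst):
    """Router egress: source NAT real_lan -> mapped_lan ('nat source' rule).
    The rewritten packet must then fall inside the tunnel selectors
    local=mapped_lan, remote=peer_mapped, or IPsec will not pick it up."""
    src, dst = ip_address(src), ip_address(dst)
    if not needs_router(site, dst) or dst not in site.peer_mapped:
        return None                      # not tunnel traffic
    new_src = netmap(src, site.real_lan, site.mapped_lan)
    if new_src not in site.mapped_lan:
        return None                      # would miss the IPsec policy
    return (new_src, dst)


def tunnel_to_lan(site: Site, src, dst):
    """Router ingress after ESP decapsulation: destination NAT
    mapped_lan -> real_lan ('nat destination' rule) reaches the real host."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in site.peer_mapped or dst not in site.mapped_lan:
        return None                      # IPsec policy would have dropped this
    return (src, netmap(dst, site.mapped_lan, site.real_lan))


def round_trip(a: Site, b: Site, a_host: str, b_host_as_seen_from_a: str):
    """Trace request and reply; returns [(where, src, dst), ...] as strings."""
    trace = []
    src, dst = ip_address(a_host), ip_address(b_host_as_seen_from_a)
    trace.append((f"{a.name} host sends", str(src), str(dst)))
    src, dst = lan_to_tunnel(a, src, dst)
    trace.append((f"{a.name} -> tunnel", str(src), str(dst)))
    src, dst = tunnel_to_lan(b, src, dst)
    trace.append((f"{b.name} -> LAN", str(src), str(dst)))
    src, dst = dst, src                  # the real host at B answers the mapped address
    trace.append((f"{b.name} host replies", str(src), str(dst)))
    src, dst = lan_to_tunnel(b, src, dst)
    trace.append((f"{b.name} -> tunnel", str(src), str(dst)))
    src, dst = tunnel_to_lan(a, src, dst)
    trace.append((f"{a.name} -> LAN", str(src), str(dst)))
    return trace


# Site A's prefixes are from the thread; site B's mapped prefix is assumed to mirror them.
SITE_A = Site("A", ip_network("192.168.1.0/24"), ip_network("192.168.30.0/24"), ip_network("192.168.20.0/24"))
SITE_B = Site("B", ip_network("192.168.1.0/24"), ip_network("192.168.20.0/24"), ip_network("192.168.30.0/24"))

if __name__ == "__main__":
    for where, s, d in round_trip(SITE_A, SITE_B, "192.168.1.10", "192.168.20.20"):
        print(f"{where:16} {s:>15} -> {d}")
```

The thing to check against a real box is the ordering the model assumes: source NAT must be applied before the IPsec policy lookup on the way out (so the tunnel sees 192.168.30.x, not 192.168.1.x), and destination NAT must run after ESP decapsulation on the way in. If a packet leaves with its untranslated source, it simply will not match the tunnel's local prefix and goes out in the clear or is dropped, which is the symptom to look for in the firewall and IPsec logs.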


#5

marchand,

That config should work with VyOS; I have that exact config concept on VyOS 1.0.2 running in an Amazon VPC.

If you happen to be running VyOS on an Amazon EC2 instance, be sure you disable “Source/Dest. Check”.