Netgate Discussion Forum
    IPsec VPN - P2 does not come up

    • alext88gr

      Hi all,
      I have been trying to set up an IPsec VPN lately. The topology is:
      Left subnets:
      192.168.20.0/24 and 192.168.30.0/24
      both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)
      Right subnets:
      10.0.5.55/32 and 172.16.0.0/16
      P1 comes up with no issues. I have created 4 different P2, but only two of them come up.
      192.168.20.0 <--> 10.0.5.55
      192.168.20.0 <--> 172.16.0.0/16
      The other two P2 are identical, with only difference being the left subnet (192.168.30.0 instead of 192.168.20.0) but it does not work.
      Any suggestion?
      Thank you!

      • viragomann @alext88gr

        @alext88gr said in IPsec VPN - P2 does not come up:

        both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)
        Right subnets:
        10.0.5.55/32 and 172.16.0.0/16

        So the remote site's subnet is overlapping your NATted subnet.

        • alext88gr @viragomann

          @viragomann thank you for your response.
          So, I need to NAT the 192.168.30.0 subnet to a subnet other than the 172.16.80.0/24?

          • viragomann @alext88gr

            @alext88gr
            172.16.80.0/24 cannot work, because that is occupied by the remote site.

            Which to use, depends on what the remote site is accepting, since you wrote

            192.168.20.0/24 and 192.168.30.0/24
            both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)

            I assume it is restricted.

            On the remote site the NAT subnet has to be set as remote network.

            • alext88gr @viragomann

              @viragomann maybe I did not write it correctly. I perform the NAT in my side (in the field NAT/BINAT translation). The subnet 172.16.80.0/24 has been agreed with the remote side and they have added it in their encryption domain.
              So, if I understand well, I should agree with them another subnet to NAT the 192.168.30.0/24 subnet?

              • viragomann @alext88gr

                @alext88gr said in IPsec VPN - P2 does not come up:

                The subnet 172.16.80.0/24 has been agreed with the remote side and they have added it in their encryption domain.

                I see. If they did that they must be idiots.
                There is no way to route it over the VPN if it is overlapping with their own local subnet (172.16.0.0/16).

                Also, you have two /24 subnets on your site, so why do you NAT them into a single /24? This way IPsec can only use random IPs for your local IPs.
                I would NAT them into two /24 (needs two P2 on each site).
                E.g.
                192.168.20.0/24 > 172.17.80.0/24
                192.168.30.0/24 > 172.17.81.0/24

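The two problems viragomann raises in this reply (a translated range that falls inside the peer's own 172.16.0.0/16, and two local subnets hidden behind one shared /24) can be checked mechanically before a Phase 2 is ever configured. The script below is an added example, not code from this thread or from pfSense; it feeds the subnets discussed here into a small consistency check and lists the Phase 2 traffic selectors each plan would need. The plan structure and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed from the thread: the remote peer's encryption domain and the
# two BINAT plans that were discussed.
REMOTE_SUBNETS = ["10.0.5.55/32", "172.16.0.0/16"]

# Original plan: both local subnets hidden behind one /24 that lies inside
# the remote side's own 172.16.0.0/16.
ORIGINAL_PLAN = [
    ("192.168.20.0/24", "172.16.80.0/24"),
    ("192.168.30.0/24", "172.16.80.0/24"),
]

# Suggested plan: one distinct translated /24 per local subnet, outside
# every remote network.
PROPOSED_PLAN = [
    ("192.168.20.0/24", "172.17.80.0/24"),
    ("192.168.30.0/24", "172.17.81.0/24"),
]


def check_binat_plan(plan, remote_subnets):
    """Return a list of problems found in a BINAT plan (empty means consistent).

    plan is a list of (local_cidr, translated_cidr) pairs; remote_subnets is
    the peer's encryption domain.  A consistent plan translates each local
    range 1:1 into a range of the same size, keeps every translated range
    outside every remote network (otherwise the peer routes replies to its
    own LAN instead of into the tunnel), and never shares a translated range
    between two local subnets (otherwise the peer cannot tell them apart).
    """
    problems = []
    remotes = [ipaddress.ip_network(r) for r in remote_subnets]
    seen = []  # (local, translated) pairs already checked
    for local_cidr, nat_cidr in plan:
        local = ipaddress.ip_network(local_cidr)
        nat = ipaddress.ip_network(nat_cidr)
        if local.prefixlen != nat.prefixlen:
            problems.append(
                f"{local} -> {nat}: 1:1 BINAT needs equal prefix lengths")
        for remote in remotes:
            if nat.overlaps(remote):
                problems.append(
                    f"{local} -> {nat}: translated range overlaps remote {remote}")
        for other_local, other_nat in seen:
            if nat.overlaps(other_nat):
                problems.append(
                    f"{local} -> {nat}: translated range collides with "
                    f"{other_local} -> {other_nat}")
        seen.append((local, nat))
    return problems


def phase2_entries(plan, remote_subnets):
    """List the (translated_local, remote) selectors the tunnel needs.

    Every translated local range is paired with every remote network, so two
    local subnets and two remote networks give four Phase 2 entries, which
    matches the four P2 the original poster created.
    """
    return [(nat, remote) for _, nat in plan for remote in remote_subnets]


if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("proposed", PROPOSED_PLAN)):
        print(f"{name} plan:")
        for problem in check_binat_plan(plan, REMOTE_SUBNETS) or ["no problems"]:
            print("  ", problem)
        for nat, remote in phase2_entries(plan, REMOTE_SUBNETS):
            print(f"   P2: {nat} <-> {remote}")
```

Run as-is, the original plan reports three problems (both translations overlap 172.16.0.0/16, and the second collides with the first), while the proposed plan reports none and yields the four Phase 2 selectors both peers must agree on.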
                • alext88gr @viragomann

                  @viragomann thanks again! I will try it asap and come back with the results!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.