IPsec VPN - P2 does not come up
-
Hi all,
I have been trying to set up an IPsec VPN lately. The topology is:
Left subnets:
192.168.20.0/24 and 192.168.30.0/24
both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)
Right subnets:
10.0.5.55/32 and 172.16.0.0/16
P1 comes up with no issues. I have created 4 different P2, but only two of them come up.
192.168.20.0 <--> 10.0.5.55
192.168.20.0 <--> 172.16.0.0/16
The other two P2 are identical, with the only difference being the left subnet (192.168.30.0 instead of 192.168.20.0), but they do not work.
Any suggestion?
Thank you!
-
@alext88gr said in IPsec VPN - P2 does not come up:
both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)
Right subnets:
10.0.5.55/32 and 172.16.0.0/16
So the remote site's subnet is overlapping your NATted subnet.
-
@viragomann thank you for your response.
So, I need to NAT the 192.168.30.0 subnet to a subnet other than 172.16.80.0/24?
-
@alext88gr
172.16.80.0/24 cannot work, because that is occupied by the remote site.
Which to use depends on what the remote site is accepting, since you wrote:
192.168.20.0/24 and 192.168.30.0/24
both of them are NATted behind the 172.16.80.0/24 subnet (remote side cannot have any 192.168.X.X networks in its encryption domain)
I assume it is restricted.
On the remote site the NAT subnet has to be set as remote network.
-
@viragomann maybe I did not write it correctly. I perform the NAT in my side (in the field NAT/BINAT translation). The subnet 172.16.80.0/24 has been agreed with the remote side and they have added it in their encryption domain.
So, if I understand well, I should agree with them on another subnet to NAT the 192.168.30.0/24 subnet?
-
@alext88gr said in IPsec VPN - P2 does not come up:
The subnet 172.16.80.0/24 has been agreed with the remote side and they have added it in their encryption domain.
I see. If they did that they must be idiots.
There is no way to route it over the VPN as it is overlapping with their own local subnet (172.16.0.0/16).
Also you have two /24 subnets on your site, so why do you NAT them into a single /24? This way IPsec can only use random IPs for your local IPs.
I would NAT them into two /24 (needs two P2 on each site).
E.g.
192.168.20.0/24 > 172.17.80.0/24
192.168.30.0/24 > 172.17.81.0/24
-
@viragomann thanks again! I will try it asap and come back with the results!
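The overlap viragomann points out, and the remap into two /24s he suggests, can be checked mechanically before the P2s are configured. The following is an added example, not code from either poster or from pfSense: each planned P2 is written as (local subnet, NAT/BINAT translation, remote network), and the check flags a translation that overlaps the remote network, a translation whose size differs from the local subnet (BINAT is 1:1), and one translation reused for two different local subnets; the two sample plans are constructed from the figures in this thread.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

# One planned phase 2: (local subnet, NAT/BINAT translation, remote network)
P2 = Tuple[str, str, str]


def check_p2_plan(p2s: List[P2]) -> List[str]:
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems: List[str] = []
    nat_owner: Dict[object, object] = {}  # translation -> local subnet first seen with it
    for local, nat, remote in p2s:
        l, n, r = (ip_network(x, strict=False) for x in (local, nat, remote))
        # The translated network is what the peer puts in its encryption domain;
        # if it overlaps one of the peer's own networks, return traffic cannot be routed.
        if n.overlaps(r):
            problems.append(f"NAT {n} overlaps remote {r} (local {l})")
        # BINAT maps addresses 1:1, so the translation must be the same size as the local subnet.
        if n.prefixlen != l.prefixlen:
            problems.append(f"NAT {n} is not the same size as local {l}")
        # Two different local subnets cannot both be mapped 1:1 onto one translated network.
        if n in nat_owner and nat_owner[n] != l:
            problems.append(f"NAT {n} reused for {l} and {nat_owner[n]}")
        nat_owner.setdefault(n, l)
    return problems


# Constructed from the thread: the original plan, both /24s hidden behind 172.16.80.0/24.
ORIGINAL_PLAN: List[P2] = [
    ("192.168.20.0/24", "172.16.80.0/24", "10.0.5.55/32"),
    ("192.168.20.0/24", "172.16.80.0/24", "172.16.0.0/16"),
    ("192.168.30.0/24", "172.16.80.0/24", "10.0.5.55/32"),
    ("192.168.30.0/24", "172.16.80.0/24", "172.16.0.0/16"),
]

# Constructed from the thread: the suggested remap into two distinct /24s.
SUGGESTED_PLAN: List[P2] = [
    ("192.168.20.0/24", "172.17.80.0/24", "10.0.5.55/32"),
    ("192.168.20.0/24", "172.17.80.0/24", "172.16.0.0/16"),
    ("192.168.30.0/24", "172.17.81.0/24", "10.0.5.55/32"),
    ("192.168.30.0/24", "172.17.81.0/24", "172.16.0.0/16"),
]

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("suggested", SUGGESTED_PLAN)):
        print(name, check_p2_plan(plan) or "OK")
```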