Two remote sites with the same subnet - Hmmm!?!?!?
-
Hi
I have a problem connecting an ipsec tunnel to a new clients server network.
We are developing applications for the client but their server network is on the same subnet as our own remote datacenter.
Our own network is 192.168.4.0/24 and both our datacenter and the client's site are 192.168.250.0/24. Obviously I can't set up two tunnels to the same remote subnet so I need to come up with something more creative, as the client will not change their IP range and changing our datacenter's IP range doesn't bear thinking about.
Possibly my saving grace is that the servers we need access to at our datacenter are all within the range 192.168.250.1 to 192.168.250.31, and the two servers that we need access to on our client's site are specifically 192.168.250.62 and 192.168.250.97.
I can set a reduced subnet on our datacenter IPSEC tunnel of 192.168.250.0/27 which covers off all of the servers there up to .31 but is it possible to address the client's servers on .62 and .97 using just one additional tunnel?
Is there an alternative method I could use perhaps utilising NAT?
Any suggestions appreciated.
thanks
-
Can't do that with IPsec, you would have to do NAT and that isn't feasible with IPsec (without using a separate VM or box just to do NAT and the existing firewall for IPsec, that may be your best bet). You can use NAT with OpenVPN.
-
Ok, thanks Chris.
If I was to upgrade our end to Pfs v.2, could I use 2 x phase 2 configurations on the client tunnel going to a /32 subnet for each of the servers?
-
No because the requests to an IP within the same subnet will never go to the firewall so will never cross the VPN.
-
I think I may have been unclear with my explanation. Here's an image to show the requirements:
The Developers on Site A need to access the Servers at Site B and Site C, but Sites B and C do not need to communicate with each other. So all tunnels are between a 192.168.4.xxx and a 192.168.250.xxx network.
If I upgrade the Firewall at Site A to pfSense V2 and add two Phase 2 configurations to the IPSEC tunnel as in the diagram will that work?
Cheers
Gordon
-
Oh in that case, if you only need to get from site A to site B and site A to site C, and you can set up your IPsec such that it looks to your firewall like they're two different subnets, that will work. It may also work with a /24 on one of them and a smaller subnet on the other, but only if the smaller one comes first. That could lead to unpredictable results though, so I wouldn't recommend it.
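To make the last reply's point concrete, here is an added example (not code from the thread or from pfSense) that models the IPsec security policy database as an ordered list of traffic selectors evaluated first-match, as RFC 4301 describes an ordered SPD. It checks whether the thread's proposed selectors (a /27 for Site B, two /32 hosts for Site C) choose a tunnel deterministically for traffic from Site A, and contrasts that with the /24 plus /27 variant whose result depends on which entry is listed first. The tunnel names, the Site A host address and the simplified first-match model are assumptions for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed model of an IPsec SPD: ordered (local, remote, tunnel) entries.
# Assumption: entries are evaluated first-match in list order (ordered SPD
# per RFC 4301); this is a simplified model, not pfSense's own implementation.
SITE_A = ipaddress.ip_network("192.168.4.0/24")


def build_spd(remote_selectors):
    """remote_selectors: list of (cidr, tunnel_name) in SPD order."""
    return [(SITE_A, ipaddress.ip_network(cidr), name) for cidr, name in remote_selectors]


def lookup(spd, src, dst):
    """Tunnel chosen for a packet src->dst, or None if no policy matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote, name in spd:
        if src in local and dst in remote:
            return name
    return None


def selectors_overlap(remote_selectors):
    """True if any two remote selectors share address space."""
    nets = [ipaddress.ip_network(cidr) for cidr, _ in remote_selectors]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def order_dependent(remote_selectors, dst, src="192.168.4.10"):
    """True if the tunnel chosen for dst changes with the order of the selectors."""
    chosen = {lookup(build_spd(list(p)), src, dst) for p in permutations(remote_selectors)}
    return len(chosen) > 1


# The thread's proposal: /27 for the datacenter, two /32 hosts for the client site.
DISJOINT = [("192.168.250.0/27", "siteB"),
            ("192.168.250.62/32", "siteC"),
            ("192.168.250.97/32", "siteC")]
# The variant the last reply warns about: a /24 for one site and a /27 for the other.
OVERLAPPING = [("192.168.250.0/24", "siteC"), ("192.168.250.0/27", "siteB")]

if __name__ == "__main__":
    for label, sel in (("disjoint", DISJOINT), ("overlapping", OVERLAPPING)):
        print(label, "selectors overlap:", selectors_overlap(sel))
        for dst in ("192.168.250.5", "192.168.250.62", "192.168.250.97", "192.168.250.200"):
            print("  ", dst, "->", lookup(build_spd(sel), "192.168.4.10", dst),
                  "| order-dependent:", order_dependent(sel, dst))
```

Note that this only covers traffic originating on Site A's 192.168.4.0/24; as an earlier reply points out, hosts that believe a destination is on their own subnet never send the packet to the firewall at all.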