Netgate Discussion Forum

    Two remote sites with the same subnet - Hmmm!?!?!?

    IPsec
    6 Posts 2 Posters 3.7k Views
    Gob

      Hi,
      I have a problem connecting an IPsec tunnel to a new client's server network.
      We are developing applications for the client, but their server network is on the same subnet as our own remote datacenter.
      Our own network is 192.168.4.0/24, and both our datacenter and the client's site are 192.168.250.0/24.

      Obviously I can't set up two tunnels to the same remote subnet, so I need to come up with something more creative, as the client will not change their IP range and changing our datacenter's IP range doesn't bear thinking about.

      Possibly my saving grace is that the servers we need access to at our datacenter are all within the range 192.168.250.1 to 192.168.250.31, and the two servers that we need access to on our client's site are specifically 192.168.250.62 and 192.168.250.97.

      I can set a reduced subnet on our datacenter IPsec tunnel of 192.168.250.0/27, which covers off all of the servers there up to .31, but is it possible to address the client's servers on .62 and .97 using just one additional tunnel?

      Is there an alternative method I could use, perhaps utilising NAT?

      Any suggestions appreciated.

      Thanks

      If I fix one more thing than I break in a day, it's a good day!

      cmb

        Can't do that with IPsec. You would have to do NAT, and that isn't feasible with IPsec (without using a separate VM or box just to do NAT and the existing firewall for IPsec; that may be your best bet). You can use NAT with OpenVPN.

        Gob

          OK, thanks Chris.
          If I was to upgrade our end to pfSense v2, could I use 2 x Phase 2 configurations on the client tunnel going to a /32 subnet for each of the servers?

          cmb

            No, because the requests to an IP within the same subnet will never go to the firewall, so they will never cross the VPN.

            Gob

              I think I may have been unclear with my explanation. Here's an image to show the requirements:

              The developers on Site A need to access the servers at Site B and Site C, but Sites B and C do not need to communicate with each other. So all tunnels are between a 192.168.4.xxx and a 192.168.250.xxx network.

              If I upgrade the firewall at Site A to pfSense v2 and add two Phase 2 configurations to the IPsec tunnel as in the diagram, will that work?

              Cheers
              Gordon

              [Image: ipsec.jpg]

              cmb

                Oh, in that case, if you only need to get from Site A to Site B and from Site A to Site C, and you can set up your IPsec such that it looks to your firewall like they're two different subnets, that will work. It may also work with a /24 on one of them and a smaller subnet on the other, only if the other one comes first. That could lead to unpredictable results though; I wouldn't recommend it.

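As an added illustration of cmb's answer (this is not code from the thread or from pfSense), the script below models the two Phase 2 layouts discussed: the non-overlapping one (Site B as 192.168.250.0/27, Site C as two /32 hosts) and the risky one (Site B as the full /24). It checks whether the remote selectors overlap and shows how the tunnel chosen for a destination differs between longest-prefix matching and first-match-in-order evaluation; the function names, the dictionary layout and the treatment of selector order are assumptions for the example.

```python
# Added example, not from the thread. Models the Phase 2 remote selectors
# discussed above and shows why overlapping selectors are order-dependent.
from ipaddress import ip_address, ip_network

# Site A (local side) is 192.168.4.0/24 in every Phase 2 entry.
LOCAL_NET = ip_network("192.168.4.0/24")

# Layout Gob proposed: datacenter trimmed to /27, client hosts as /32s.
PROPOSED = {
    "site_b_datacenter": [ip_network("192.168.250.0/27")],
    "site_c_client": [ip_network("192.168.250.62/32"),
                      ip_network("192.168.250.97/32")],
}

# The "/24 on one of them" variant cmb warns about (constructed values).
RISKY = {
    "site_b_datacenter": [ip_network("192.168.250.0/24")],
    "site_c_client": [ip_network("192.168.250.62/32"),
                      ip_network("192.168.250.97/32")],
}


def overlapping_selectors(tunnels):
    """Return (tunnel1, net1, tunnel2, net2) for every pair of remote
    selectors belonging to different tunnels that overlap."""
    flat = [(name, net) for name, nets in tunnels.items() for net in nets]
    clashes = []
    for i, (n1, a) in enumerate(flat):
        for n2, b in flat[i + 1:]:
            if n1 != n2 and a.overlaps(b):
                clashes.append((n1, str(a), n2, str(b)))
    return clashes


def select_tunnel(tunnels, dst, longest_prefix=True):
    """Choose the tunnel for destination dst.
    longest_prefix=True picks the most specific matching selector;
    longest_prefix=False returns the first match in configuration order,
    which is the behaviour that makes the overlapping layout order-dependent.
    Returns (tunnel_name, selector) or (None, None) when nothing matches."""
    dst = ip_address(dst)
    best_name, best_net = None, None
    for name, nets in tunnels.items():
        for net in nets:
            if dst not in net:
                continue
            if not longest_prefix:
                return name, str(net)
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_name, best_net = name, net
    return best_name, (str(best_net) if best_net else None)
```

With PROPOSED the selectors are disjoint and every address resolves unambiguously; with RISKY, 192.168.250.62 lands in the datacenter tunnel under first-match evaluation unless the /32 entries happen to be listed first.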