How to NAT to avoid IP conflict when using VPN?

buomque

Hi guys,

I have set up VPN for 3 locations:

Location #1: VPN server
Location #2: networks 192.168.25.0/24      (only 5 servers at this location 192.168.25.2-6)
Location #3: networks 192.168.25.0/24      (only 10 servers at this location 192.168.25.100-109)

I cannot change IP for any server. Is there a way to NAT all 5 IP in location#2, so that my VPN server can access all 15 servers at location#2 and location#3?

Thanks,

Derelict

NAT must be done at location 2 or location 3.

If the colliding subnet was on your side, you could do it, but it would require them to change the IPsec on their end.

You can try a phase 2 to location 2 with a remote network of 192.168.25.0/29 and a phase 2 at location 3 of 192.168.25.96/28.

But if the other side initiates and attempts to establish a P2 for the /24 it will fail. If you initiate and the other side is configured for /24 it might accept it and it might not. If you can get them to change the phase 2 settings to match those netmasks it should work just fine.

buomque

Hi Derelict,

As I add more location to VPN, I find location 4 and location 5 are both using 192.168.214.0/24 block. Each location has a lot of servers using this IP block. Is there a way to NAT the whole IP block in location 4 to a new IP block, one-to-one IP NAT (for example 192.168.214.99 <–> 10.10.7.99)? The objective is to be able to reach each server at both locations.

Thank you,

Derelict

That's pretty unlucky.

Yes, but the NAT has to be done at that location. For them to talk to each other it has to be done at both locations.