Netgate Discussion Forum
    How to NAT to avoid IP conflict when using VPN?

    OpenVPN
    • buomque

      Hi guys,

      I have set up VPN for 3 locations:

      Location #1: VPN server
      Location #2: network 192.168.25.0/24 (only 5 servers at this location, 192.168.25.2-6)
      Location #3: network 192.168.25.0/24 (only 10 servers at this location, 192.168.25.100-109)

      I cannot change the IP of any server. Is there a way to NAT all 5 IPs in location #2, so that my VPN server can access all 15 servers at location #2 and location #3?

      Thanks,

      • Derelict (LAYER 8, Netgate)

        NAT must be done at location 2 or location 3.

        If the colliding subnet was on your side, you could do it, but it would require them to change the IPsec on their end.

        You can try a phase 2 to location 2 with a remote network of 192.168.25.0/29 and a phase 2 at location 3 of 192.168.25.96/28.

        But if the other side initiates and attempts to establish a P2 for the /24 it will fail. If you initiate and the other side is configured for /24 it might accept it and it might not. If you can get them to change the phase 2 settings to match those netmasks it should work just fine.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • buomque

          Hi Derelict,

          As I add more locations to the VPN, I find that location 4 and location 5 both use the 192.168.214.0/24 block. Each location has a lot of servers using this IP block. Is there a way to NAT the whole IP block in location 4 to a new IP block, one-to-one IP NAT (for example 192.168.214.99 <–> 10.10.7.99)? The objective is to be able to reach each server at both locations.

          Thank you,

          • Derelict (LAYER 8, Netgate)

            That's pretty unlucky.

            Yes, but the NAT has to be done at that location. For them to talk to each other it has to be done at both locations.


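Derelict's two suggestions above, narrower phase 2 selectors for the 192.168.25.0/24 collision and 1:1 NAT for the 192.168.214.0/24 collision, worked through as an added planning example (my code, not from the thread or from pfSense): it finds the smallest CIDR that covers each server range, checks that the resulting selectors do not overlap, and maps a host between the real block and the translated block buomque proposed (10.10.7.0/24). The function names are mine; the address ranges are the ones in the posts.

```python
"""Plan IPsec phase-2 selectors and 1:1 NAT for overlapping remote subnets.

Added example, not code from the thread. Host ranges and the 10.10.7.0/24
translated block come from the posts; the function names are my own.
"""
from ipaddress import IPv4Address, IPv4Network


def smallest_covering_network(first: str, last: str) -> IPv4Network:
    """Return the single smallest CIDR block that contains first..last inclusive.

    Widen the /32 of the lowest host one bit at a time until the highest host
    falls inside; Derelict's /29 and /28 suggestions are exactly this.
    """
    lo, hi = IPv4Address(first), IPv4Address(last)
    if hi < lo:
        lo, hi = hi, lo
    net = IPv4Network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def phase2_selectors_disjoint(*nets: IPv4Network) -> bool:
    """True when no proposed phase-2 remote network overlaps another; overlapping
    selectors would leave no unambiguous tunnel for the shared addresses."""
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def one_to_one_nat(addr: str, real: str, translated: str) -> IPv4Address:
    """Map addr to the same host offset in the translated block
    (192.168.214.99 <-> 10.10.7.99); swap the blocks to reverse it."""
    real_net, trans_net = IPv4Network(real), IPv4Network(translated)
    if real_net.prefixlen != trans_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized blocks")
    ip = IPv4Address(addr)
    if ip not in real_net:
        raise ValueError(f"{ip} is not inside {real_net}")
    offset = int(ip) - int(real_net.network_address)
    return IPv4Address(int(trans_net.network_address) + offset)


if __name__ == "__main__":
    loc2 = smallest_covering_network("192.168.25.2", "192.168.25.6")
    loc3 = smallest_covering_network("192.168.25.100", "192.168.25.109")
    print(loc2, loc3, phase2_selectors_disjoint(loc2, loc3))
    print(one_to_one_nat("192.168.214.99", "192.168.214.0/24", "10.10.7.0/24"))
```

The same check with the original /24 as one of the selectors reports an overlap, which is the failure Derelict describes when the far side still proposes the full /24.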
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.