Connecting IPSEC subnets w/same IP range internally



  • Sorry, but I have read somewhere in multiple posts about networks that cannot be connected if they have the same internal subnets / IP ranges using IPSEC. So if I had to connect two separate, distinct networks, and their IP ranges are the same (i.e. 192.168.1.x), it would not work.

    #1 Is this true, and if so, what is the solution to this aside from Cisco?
    #2 Will this be fixed in a future pfSense - which version, if known?
    #3 What is the terminology for this solution - what is it called?

    Thank you.


  • Rebel Alliance Developer Netgate

    Someone had posted a bounty for NAT over IPSec; the post is still there in the Bounty Forum on this site. I'm not sure this actually has a distinct name, but some people call it "NAT over IPSec", "Policy NAT for IPSec", etc. This functionality does not currently exist in pfSense, though with enough interest (and perhaps bounty money) it could be added.

    Basically what you need to do is NAT before the traffic enters the tunnel, and/or after it leaves, like so:

    Site A: 192.168.1.x <1:1 NAT> 10.0.1.x <--- IPSec ---> 10.0.2.x <1:1 NAT> 192.168.1.x :Site B

    Site B uses the 10.0.1.x addresses to talk to Site A, and Site A uses the 10.0.2.x addresses to talk to Site B. It will appear to each side as though the other end does not, in fact, share its same subnet.

    If only one-way communications will be initiated, you only need to do NAT on the far side, so when you try to talk to the address your system will know to send it to the tunnel and not try to reach it locally.

    Some have had success with bridging networks via OpenVPN, so both sides can have addresses in the same subnet, but I believe in that case they still can't conflict, just use separate areas of the same larger subnet. Someone else more familiar with this OpenVPN tactic may be of greater help in this area.


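The double 1:1 NAT described in the reply above, walked through packet by packet as an added example. This is constructed illustration code, not pfSense code and not code from the poster: the site names, the 10.0.1.0/24 and 10.0.2.0/24 NAT ranges, the host addresses and the `netmap`, `Site` and `exchange` names are all assumptions. It models the routing decision a host makes (local LAN vs. tunnel), the NETMAP-style translation on each side, and the full request/reply exchange so the addresses seen at each hop can be checked; it also shows why, without the NAT, a destination in 192.168.1.x is treated as local and never reaches the tunnel.

```python
"""Simulated 1:1 NAT on both ends of an IPsec tunnel joining two sites
that both use 192.168.1.0/24 internally.  Constructed example; every
address, name and helper here is an assumption for illustration."""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def netmap(addr: str, from_net: Net, to_net: Net) -> str:
    """1:1 (NETMAP-style) translation: keep the host bits, swap the prefix."""
    a = IPv4(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized subnets")
    host_bits = int(a) - int(from_net.network_address)
    return str(IPv4(int(to_net.network_address) + host_bits))


class Site:
    def __init__(self, name: str, real_net: str, nat_net: str, peer_nat_net: str):
        self.name = name
        self.real_net = Net(real_net)          # what the LAN hosts really use
        self.nat_net = Net(nat_net)            # how the peer site sees us
        self.peer_nat_net = Net(peer_nat_net)  # how we address the peer site

    def route(self, dst: str) -> str:
        """Where a LAN host's stack sends a packet: 'local' if dst falls in
        its own subnet (ARP, never the gateway), 'tunnel' if it matches the
        peer's NAT range, otherwise 'default'."""
        d = IPv4(dst)
        if d in self.real_net:
            return "local"
        if d in self.peer_nat_net:
            return "tunnel"
        return "default"

    def outbound(self, src: str, dst: str) -> tuple:
        """NAT applied before the packet enters the tunnel (src -> NAT alias)."""
        if self.route(dst) != "tunnel":
            raise ValueError(f"{dst} would not be sent into the tunnel from {self.name}")
        return netmap(src, self.real_net, self.nat_net), dst

    def inbound(self, src: str, dst: str) -> tuple:
        """NAT applied after the packet leaves the tunnel (dst alias -> real)."""
        if IPv4(src) not in self.peer_nat_net or IPv4(dst) not in self.nat_net:
            raise ValueError("packet does not match the tunnel's phase 2 selectors")
        return src, netmap(dst, self.nat_net, self.real_net)


# Phase 2 selectors on the wire are 10.0.1.0/24 <-> 10.0.2.0/24; neither
# end ever sees the other's real 192.168.1.0/24.
site_a = Site("A", "192.168.1.0/24", "10.0.1.0/24", "10.0.2.0/24")
site_b = Site("B", "192.168.1.0/24", "10.0.2.0/24", "10.0.1.0/24")


def exchange(src_host: str, dst_host: str) -> dict:
    """Host src_host at site A talks to host dst_host at site B, addressing it
    by its 10.0.2.x alias.  Returns (src, dst) as seen at each hop for the
    request and for B's reply."""
    dst_alias = netmap(dst_host, site_b.real_net, site_b.nat_net)
    hops = {"a_lan": (src_host, dst_alias)}
    hops["tunnel_req"] = site_a.outbound(*hops["a_lan"])
    hops["b_lan"] = site_b.inbound(*hops["tunnel_req"])
    # B's host answers the 10.0.1.x address it saw, so the reply is
    # translated the same way in the other direction.
    reply_src, reply_dst = hops["b_lan"][1], hops["b_lan"][0]
    hops["tunnel_rep"] = site_b.outbound(reply_src, reply_dst)
    hops["a_lan_rep"] = site_a.inbound(*hops["tunnel_rep"])
    return hops


if __name__ == "__main__":
    for hop, pkt in exchange("192.168.1.10", "192.168.1.20").items():
        print(f"{hop:11s} src={pkt[0]:<14s} dst={pkt[1]}")
    # Without the NAT, the far host's real address looks like a LAN neighbour.
    print("no NAT, 192.168.1.20 from A:", site_a.route("192.168.1.20"))
```

Running it prints the request as 192.168.1.10 -> 10.0.2.20 on A's LAN, 10.0.1.10 -> 10.0.2.20 inside the tunnel and 10.0.1.10 -> 192.168.1.20 on B's LAN, with the reply following the reverse path, and then reports `local` for an un-translated 192.168.1.20, which is the failure the question asks about. The `inbound` check models the IPsec phase 2 selectors: a packet whose addresses are not in the NAT ranges is not accepted from the tunnel, which is why the translation has to happen before encryption on the way out and after decryption on the way in.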