Ipsec with overlapping subnets on 2.0
-
Hi,
Has anyone done IPsec on overlapping networks? It should be doable since 2.0 supports NAT on IPsec.
Best regards.
-
Actually it doesn't support NAT on IPsec in a usable way. You can't do it on a single router with overlapping subnets, and it gets ugly fast no matter how you try it, since you'd have to NAT in both directions.
-
What if you add another router to the network? It is totally impossible to re-IP either of the networks and I'm looking for a stable solution.
-
The problem is that you have to NAT both ways, or one side will believe it's local and the traffic will never get back into the tunnel.
Side A:
192.168.0.x
Side B:
192.168.0.x
Side A would have to pick another network to talk to B, so let's say:
192.168.10.x <-> 192.168.0.x (B)
That might work OK, but the source IP on the traffic going from A to 192.168.10.x is still going to be 192.168.0.x and the return traffic will think it's local. So you end up having to NAT the other direction as well:
192.168.20.x <-> 192.168.0.x (A)
So the IPsec tunnel would actually have to be between 192.168.10.x and 192.168.20.x. PCs at B that want to reach A would have to use the 192.168.20.x IPs, and would appear to be coming from 192.168.10.x IPs, and vice versa.
Adding a router on one side to pull off the NAT would work fine if there was only one end that had a conflict (like another existing VPN to the subnet in use at one site), but it doesn't help with a complete overlap.
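An added illustration of the two-way 1:1 translation described in the post above; it is not code from the thread or from pfSense. The alias networks 192.168.10.x (how A reaches B) and 192.168.20.x (how B reaches A) follow the post; the function names and the sample hosts are my own assumptions.

```python
import ipaddress

# Addressing from the thread: both LANs really use 192.168.0.0/24, so each
# side is reached through an alias network and the tunnel carries only aliases.
LAN = ipaddress.ip_network("192.168.0.0/24")       # real LAN at A and at B
B_ALIAS = ipaddress.ip_network("192.168.10.0/24")  # how A addresses B
A_ALIAS = ipaddress.ip_network("192.168.20.0/24")  # how B addresses A


def binat(addr, src_net, dst_net):
    """1:1 network translation: keep the host part, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def forward(src, dst, own_alias, peer_alias, double_nat=True):
    """Trace one packet from a LAN host at one site to a peer alias address.

    Returns (src, dst) as delivered on the far LAN. With double_nat=False only
    the destination is rewritten, which is the one-way attempt the post above
    explains does not work.
    """
    # sending site's router: rewrite our real LAN source into our alias
    if double_nat:
        src = binat(src, LAN, own_alias)
    # the IPsec phase 2 selectors are own_alias <-> peer_alias, so the
    # tunnel only ever sees alias addresses in both directions
    # receiving site's router: map its alias back onto its real LAN
    dst = binat(dst, peer_alias, LAN)
    return str(src), str(dst)


def reply_stays_local(delivered_src):
    """True when the far host would treat the reply destination as on its LAN."""
    return ipaddress.ip_address(delivered_src) in LAN


if __name__ == "__main__":
    # constructed sample: host .5 at A talks to host .7 at B via B's alias
    print(forward("192.168.0.5", "192.168.10.7", A_ALIAS, B_ALIAS))
    print(forward("192.168.0.5", "192.168.10.7", A_ALIAS, B_ALIAS, False))
```

With double NAT the packet arrives at B as 192.168.20.5 -> 192.168.0.7, so B's reply leaves via the tunnel; with one-way NAT it arrives as 192.168.0.5 -> 192.168.0.7 and the reply is treated as local and never reaches A.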
-
This is a pretty interesting article I found:
http://www.undeadly.org/cgi?action=article&sid=20090127205841
Technically it is possible :) not on pfSense though.
-
Yeah, that is saying sort of what I said but in a lot more detail. :-)
Adding that to pfSense has been discussed, but it's too much work to make it into 2.0.