Ipsec with overlapping subnets on 2.0



  • Hi,

    Has anyone done ipsec on overlapping networks? it is should be doable since 2.0 supports NAT on ipsec.

    Best regards.


  • Rebel Alliance Developer Netgate

    Actually it doesn't support NAT on ipsec in a usable way. You can't do it on a single router with overlapping subnets, and it gets ugly fast no matter how you try it, since you'd have to NAT in both directions.



  • What if you add another router to the network? It is totally impossible to re-ip either of the networks and i'm looking for a stable solution.


  • Rebel Alliance Developer Netgate

    The problem is that you have to NAT both ways, or one side will believe it's local and the traffic will never get back into the tunnel.

    Side A:
    192.168.0.x

    Side B:
    192.168.0.x

    Side A would have to pick another network to talk to B, so let's say:
    192.168.10.x <-> 192.168.0.x (B)

    That might work OK, but the source IP on the traffic going from A to 192.168.10.x is still going to be 192.168.0.x and the return traffic will think it's local. So you end up having to NAT the other direction as well:

    192.168.20.x <-> 192.168.0.x (A)

    So the IPsec tunnel would actually have to be between 192.168.10.x and 192.168.20.x. PCs at B that want to reach A would have to use the 192.168.20.x IPs, and would appear to be coming from 192.168.10.x IPs, and vice versa.

    Adding a router on one side to pull off the NAT would work fine if there was only one end that had a conflict (like another existing VPN to the subnet in use at one site), but it doesn't help with a complete overlap.



  • this is pretty interesting article i found:

    http://www.undeadly.org/cgi?action=article&sid=20090127205841

    technically it is possible :) not on pfsense thought


  • Rebel Alliance Developer Netgate

    Yeah, that is saying sort of what I said but in a lot more detail. :-)

    Adding that to pfSense has been discussed, but it's too much work to make it into 2.0.


Log in to reply