IPSec to two Subnets with same IP-Address Range



  • Hello,
    we have a problem at our company. We have two customers with the same class B net. (172.12.0.0/16)
    We need a VPN-connection into both nets. Is there a possibility to put one of the customer nets behind NAT?
    So the ip range can stay the same at customer site but we would use some other class B net to access it from our site?
    Is it completely configurable at our site or must we configure it at the customer site?

    Sincerely
    Alex



  • In the current version you can NAT on the phase2. If you control the customer side, NAT their 172.12.0.0 net to something else.



  • @OPUSIT:

    We have two customers with the same class B net. (172.12.0.0/16)

    Before doing any NATing, please double check the IP addressing.

    You probably mean the 172.16.0.0/12 defined in RFC 1918, consisting of 16 class B networks?



  • @dotdash:

    In the current version you can NAT on the phase2. If you control the customer side, NAT their 172.12.0.0 net to something else.

    Does this mean I need to NAT it at customer side, but cannot NAT it on our side? :(

    @P3R:

    You probably mean the 172.16.0.0/12 defined in RFC 1918, consisting of 16 class B networks?

    Sorry, I meant 172.20.0.0/16 :)



  • @OPUSIT:

    Does this mean I need to NAT it at customer side, but cannot NAT it on our side? :(

    There may be some way to do it on your side, but the easiest thing would be to have them NAT their side to something unique.
    Do you really need to tunnel to the entire /16 for both customers? If you only needed to get to certain boxes at each site, you could split the /16 into two /17's or something.


  • Rebel Alliance Developer Netgate

    If the conflict is remote, you cannot fix it locally. One or the other of the remote sites will have to NAT their traffic so your side does not see a conflict.



  • Thank you very much!  :)
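
The advice in the thread (have one remote site NAT its network to something unique) can be planned before any tunnel is touched. The following is an added example, not code from any poster or from the firewall product: it detects overlapping remote networks and picks a same-size alias for the site that has to NAT. The tunnel names, the local LAN `10.200.0.0/16` and the alias pool `10.200.0.0/14` are assumptions.

```python
import ipaddress as ipa

# Constructed sample data: both customers use the range named in the thread.
TUNNELS = {"customer_a": ipa.ip_network("172.20.0.0/16"),
           "customer_b": ipa.ip_network("172.20.0.0/16")}
LOCAL_NETS = [ipa.ip_network("10.200.0.0/16")]   # assumed: our own LAN
ALIAS_POOL = ipa.ip_network("10.200.0.0/14")     # assumed: free space for aliases

def find_conflicts(tunnels):
    """Return sorted name pairs whose remote networks overlap."""
    names = sorted(tunnels)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if tunnels[a].overlaps(tunnels[b])]

def plan_aliases(tunnels, pool, local_nets=()):
    """Map each tunnel to the network our side should see for it.

    The first tunnel (by name) to claim a range keeps it; any later tunnel
    that overlaps gets a same-size alias the remote site must 1:1 NAT to.
    """
    reserved = list(local_nets) + list(tunnels.values())
    taken, plan = list(local_nets), {}
    for name in sorted(tunnels):
        real = tunnels[name]
        alias = real
        if any(real.overlaps(t) for t in taken):
            alias = next((c for c in pool.subnets(new_prefix=real.prefixlen)
                          if not any(c.overlaps(r) for r in reserved + taken)), None)
            if alias is None:
                raise ValueError(f"no free /{real.prefixlen} left in {pool} for {name}")
        taken.append(alias)
        plan[name] = alias
    return plan

def translate(host, real, alias):
    """1:1 NAT arithmetic: keep the host bits, swap the network prefix."""
    host = ipa.ip_address(host)
    if host not in real:
        raise ValueError(f"{host} is not inside {real}")
    return alias.network_address + (int(host) - int(real.network_address))

if __name__ == "__main__":
    plan = plan_aliases(TUNNELS, ALIAS_POOL, LOCAL_NETS)
    for name, alias in plan.items():
        print(name, TUNNELS[name], "->", alias)
    print(translate("172.20.5.9", TUNNELS["customer_b"], plan["customer_b"]))
```

With the sample data, `customer_a` keeps its real range and `customer_b` is the site that presents an alias, so firewall rules and routes on the local side refer to the alias network for that customer.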

