Multiple Phase 1 Connections with Single Phase 2 Children, IP Subnet Overlaps
We currently have two clients connected to our pfSense firewall using IPSec VPN. We are going to be adding a third client using IPSec VPN, and they have a range of addresses that overlap one of our other clients. For example:
Client 1: Remote gateway: XX.XX.XX.XX, Local Subnet: 192.168.2.0/24, Phase 2 Remote Subnet: 10.101.0.0/14 (Client 1 has a very large subnet range).
Client 3: Remote gateway: YY.YY.YY.YY, Local Subnet: 192.168.2.101, Phase 2 Remote Subnet: 10.101.1.0/24 (Client 2 has a very small subnet range, but overlaps Client 1's subnet range).
Can someone tell me:
1. If there is one device on each network with the same local IP, will we encounter a "conflict" when trying to connect to it?
2. If question one is true, how can I work with the local IT group to get this network connected to prevent conflicts (or preferably, how can I change my own configuration?).
3. In the future, how can I best address this issue with new clients?
I am currently running v2.2.4.
Thank you all very much!
You could build you IPsec tunnels to only include the unique subnets between the sites. The IPsec tunnels don't have to be the entire local subnet. But you will only be able to access the subnets you build in the tunnels.
If both sites have the same IP and you want to access them both over the VPN. you have no choice, you have to renumber one of the sites.
It's good practice to always have each client site with a different subnets
Thank you for your reply! Client 1 and Client 3 have two different Remote gateway IP Addresses. Is this what you were referring to when you said: "If both sites have the same IP and you want to access them both over the VPN. you have no choice, you have to renumber one of the sites."? Or were you referring to the pools of remote subnet addresses? Thank you!
No the remote subnet's are all that matter, you would never have the same remote IP, this is the public IP address assigned by your ISP.
Take for example
Client 1 Server: 10.101.1.10/14
Client 2 Server: 10.101.1.10/24
How would your device know at your core location what server you want to access. Bottom line is all your remote locations need to have unique subnets.
Thank you very much for your help!
My understanding is that this https://forum.pfsense.org/index.php?topic=99477.0 post discusses the same type of issue.
In the second post, Derelict says that you can 1:1 NAT map the remote LAN, and present their remote subnet as something else:
As far as I know, at least one of the SonicWALLs will have to 1:1 NAT their LAN and present it as something else so pfSense doesn't have two routes to the same subnet.
If the client does this (or remaps the subnet) we should have no conflicts with the other two subnets, correct? Are there any other avenues/solutions to make a broad change to a large range of IP addresses on a subnet?