Phase 2 BINAT same subnet on remote and local point to point
-
Is the BINAT feature for phase 2 for a situation where the remote network and the local network for phase 2 in a VPN are the same? Does it allow translating to an intermediary subnet so that the VPN can still be established?
-
Yes, but if both sides have the same LAN then both sides must NAT.
Imagine a scenario where Site A and Site B have 192.168.1.1 for the LAN.
Site A will use a fake/NAT subnet of 10.0.1.0/24, Site B will use 10.0.2.0/24
Site A's P2 will have:
Local: 192.168.1.0/24
NAT/BINAT: 10.0.1.0/24
Remote: 10.0.2.0/24
Site B's P2 will have:
Local: 192.168.1.0/24
NAT/BINAT: 10.0.2.0/24
Remote: 10.0.1.0/24
And then to reach each other, they each use the appropriate 10.0.x.x addresses.
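Added example (not part of the thread, and not any firewall's code): a small Python simulation of the two Phase 2 entries above. It models a NAT/BINAT entry as a 1:1 network translation (host bits kept, network bits swapped), carries one packet and its reply through both sites, and rejects a configuration whose negotiated local and remote selectors overlap, which is the reason both sides have to NAT when their LANs are identical. The class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def binat_translate(addr: str, from_net: str, to_net: str) -> str:
    """1:1 (BINAT) translation: keep the host bits of `addr`, swap the network
    bits of `from_net` for those of `to_net`. Both prefixes must be the same
    length, which is what a Phase 2 NAT/BINAT entry requires."""
    a = ipaddress.IPv4Address(addr)
    src = ipaddress.IPv4Network(from_net)
    dst = ipaddress.IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("BINAT networks must be the same size")
    if a not in src:
        raise ValueError(f"{addr} is not inside {from_net}")
    host_bits = int(a) - int(src.network_address)
    return str(ipaddress.IPv4Address(int(dst.network_address) + host_bits))


@dataclass(frozen=True)
class Phase2:
    """One site's Phase 2 entry: Local, NAT/BINAT (None = no translation), Remote."""
    name: str
    local: str
    binat: Optional[str]
    remote: str

    def __post_init__(self) -> None:
        local = ipaddress.IPv4Network(self.local)
        remote = ipaddress.IPv4Network(self.remote)
        # The selector actually negotiated for this side is the BINAT network
        # when one is set, otherwise the real LAN.
        tunnel_local = ipaddress.IPv4Network(self.binat) if self.binat else local
        # Overlapping selectors can never be routed into the tunnel unambiguously.
        if tunnel_local.overlaps(remote):
            raise ValueError(f"{self.name}: selectors {tunnel_local} and {remote} overlap")

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving this site's LAN: only destinations inside Remote are
        tunnelled, and the source is rewritten into the BINAT network."""
        if ipaddress.IPv4Address(dst) not in ipaddress.IPv4Network(self.remote):
            raise ValueError(f"{dst} does not match Remote {self.remote}; not tunnelled")
        if self.binat:
            src = binat_translate(src, self.local, self.binat)
        return src, dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet arriving from the tunnel: the BINAT destination is mapped
        back to the real LAN address."""
        if ipaddress.IPv4Address(src) not in ipaddress.IPv4Network(self.remote):
            raise ValueError(f"{src} does not match Remote {self.remote}")
        if self.binat:
            dst = binat_translate(dst, self.binat, self.local)
        return src, dst


def send(sender: Phase2, receiver: Phase2, src: str, dst: str) -> Tuple[str, str]:
    """Carry one packet through both translation steps; returns the
    (src, dst) pair the receiving host finally sees."""
    return receiver.inbound(*sender.outbound(src, dst))


def is_tunnelled(site: Phase2, dst: str) -> bool:
    """True if a destination address matches this site's Remote selector."""
    return ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(site.remote)


def config_is_valid(name: str, local: str, binat: Optional[str], remote: str) -> bool:
    """True if the entry's negotiated selectors do not overlap."""
    try:
        Phase2(name, local, binat, remote)
        return True
    except ValueError:
        return False


# The two entries from the thread (constructed values, same as the example above).
SITE_A = Phase2("Site A", "192.168.1.0/24", "10.0.1.0/24", "10.0.2.0/24")
SITE_B = Phase2("Site B", "192.168.1.0/24", "10.0.2.0/24", "10.0.1.0/24")

if __name__ == "__main__":
    # Host .50 at Site A talks to host .20 at Site B via B's 10.0.2.x address.
    print(send(SITE_A, SITE_B, "192.168.1.50", "10.0.2.20"))  # ('10.0.1.50', '192.168.1.20')
    # The reply goes back the same way, addressed to A's 10.0.1.x address.
    print(send(SITE_B, SITE_A, "192.168.1.20", "10.0.1.50"))  # ('10.0.2.20', '192.168.1.50')
    # Sending to 192.168.1.20 from Site A stays on the local LAN, not the tunnel.
    print(is_tunnelled(SITE_A, "192.168.1.20"))               # False
    # If only Site A translated, Site B's Local and Remote would still overlap.
    print(config_is_valid("Site B", "192.168.1.0/24", None, "192.168.1.0/24"))  # False
```

Each host therefore addresses the far side by its 10.0.x.x BINAT address, and the far-side firewall maps that address back to the real 192.168.1.x host; a host's own 192.168.1.x neighbours are never sent into the tunnel.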
-
Thanks jimp.
-
So what about this situation:
Site A:
Using an (interface with) subnet of 192.168.1.0/24, a different network. (Not part of the VPN tunnel)
IPsec P2 Local Subnet is 172.20.20.0/24
Site B:
LAN is 192.168.1.0/24
P2 local is using this 192.168.1.0/24 subnet.
What would be the proper way to use BINAT, or is it not needed? Will the IPsec tunnel know to direct traffic from 172.20.20.0/24 going to 192.168.1.0/24 through the tunnel even though there is another interface using 192.168.1.0/24?