Blue_Bird
Site-to-Site IPsec VPN with Overlapping Subnets

Introduction

The Problem

The Solution

Lab Example

Introduction

To configure a site-to-site VPN with overlapping subnets, you'll need to use Network Address Translation (NAT) on at least one side of the tunnel to make the subnets appear unique to the VPN. This involves mapping the internal, overlapping subnet to a unique, non-overlapping subnet for traffic traversing the VPN tunnel.

The Problem:

  • When two networks with identical subnet ranges (e.g., 192.168.1.0/24) need to communicate via a VPN, the routers on each end cannot distinguish between the two networks because they share the same IP address space.
  • This causes routing problems: a router has no way to tell whether a packet for 192.168.1.x belongs to the local site or the remote site, so it cannot forward it correctly.

The Solution: Network Address Translation (NAT)

  • Source NAT (SNAT):
    When traffic originates from one site, its source IP address is translated to a different, non-overlapping IP address within a "virtual" subnet before being sent over the VPN tunnel.
  • Destination NAT (DNAT):
    When traffic destined for the remote site reaches the other end of the tunnel, its destination IP address is translated back to the original, overlapping IP address.


Lab Example:


This assumes that all required interfaces, including those on the ISP router, are already up and configured with IP addresses. In this example, I am configuring NAT on both routers, R1 and R2.

R1 Configuration

R1(config)#interface Ethernet0/0
R1(config-if)# ip nat outside
!
R1(config)# interface Loopback1
R1(config-if)# ip nat inside
!
R1(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.2
R1(config)# ip nat inside source static network 192.168.1.1 10.10.10.10 /32

R1(config)#crypto isakmp policy 1
R1(config-isakmp)#hash sha512
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#group 14
R1(config-isakmp)#lifetime 3600
R1(config-isakmp)#encryption aes 256
R1(config-isakmp)#exit

R1(config)#crypto isakmp key 0 xxxxxxxx address 2.2.2.2

R1(config)# crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto ipsec security-association lifetime seconds 3600
!
R1(config)# ip access-list extended VPNT1
R1(config-ext-nacl)# permit ip host 10.10.10.10 host 20.20.20.20
R1(config-ext-nacl)# exit
!
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address VPNT1
R1(config-crypto-map)# set peer 2.2.2.2
R1(config-crypto-map)# set transform-set TSET1
R1(config-crypto-map)# exit
!
R1(config)# int eth0/0
R1(config-if)#crypto map CMAP
R1(config-if)#exit

R2 Configuration

R2(config)#interface Ethernet0/0
R2(config-if)# ip nat outside
!
R2(config)# interface Loopback1
R2(config-if)# ip nat inside
!
R2(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.1
R2(config)# ip nat inside source static network 192.168.1.1 20.20.20.20 /32

R2(config)#crypto isakmp policy 1
R2(config-isakmp)#hash sha512
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 14
R2(config-isakmp)#lifetime 3600
R2(config-isakmp)#encryption aes 256
R2(config-isakmp)#exit

R2(config)#crypto isakmp key 0 xxxxxxxx address 1.1.1.1

R2(config)# crypto ipsec transform-set TSET1 esp-aes 128 esp-md5-hmac
R2(cfg-crypto-trans)# exit
R2(config)# crypto ipsec security-association lifetime seconds 3600
!
R2(config)# ip access-list extended VPNT1
R2(config-ext-nacl)# permit ip host 20.20.20.20 host 10.10.10.10
R2(config-ext-nacl)# exit
!
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# match address VPNT1
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TSET1
R2(config-crypto-map)# exit
!
R2(config)# int eth0/0
R2(config-if)#crypto map CMAP
R2(config-if)#exit

Verification:

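As an added check of the lab configuration above (example code written for this page, not part of the original post or any Cisco software), the following Python model walks one packet through the inside-to-outside order of operations that the design relies on: static NAT is applied first, and only the translated addresses are compared against the crypto ACL, so VPNT1 must reference 10.10.10.10 and 20.20.20.20, never 192.168.1.x. The Router class, its method names and the traverse/acls_mirror helpers are hypothetical; the addresses and ACL entries are the ones from the R1 and R2 configurations.

```python
from dataclasses import dataclass


@dataclass
class Router:
    """Hypothetical model of one VPN endpoint: one static inside->global
    NAT entry plus the single permit statement of its crypto ACL (VPNT1)."""
    name: str
    inside_local: str     # real, overlapping LAN address (192.168.1.1)
    inside_global: str    # unique "virtual" address used across the tunnel
    crypto_acl: tuple     # (src, dst) of the permit line in VPNT1

    def outbound(self, src, dst):
        """Inside->outside: NAT runs before the crypto map check, so the
        ACL is evaluated against the translated source. Returns the packet
        as it enters the tunnel, or None if it is not interesting traffic."""
        if src == self.inside_local:
            src = self.inside_global          # SNAT to the unique address
        if (src, dst) == self.crypto_acl:
            return (src, dst)                 # matched VPNT1: encrypt
        return None                           # would never enter the tunnel

    def inbound(self, src, dst):
        """Outside->inside: after decryption, translate the virtual address
        back to the real overlapping LAN address (DNAT)."""
        if dst == self.inside_global:
            dst = self.inside_local
        return (src, dst)


# Endpoints exactly as configured in the lab (R1 and R2 sections above).
R1 = Router("R1", "192.168.1.1", "10.10.10.10", ("10.10.10.10", "20.20.20.20"))
R2 = Router("R2", "192.168.1.1", "20.20.20.20", ("20.20.20.20", "10.10.10.10"))


def traverse(sender, receiver, src, dst):
    """Walk one packet from a LAN host behind `sender` to `receiver`'s LAN.
    Returns the (src, dst) pair the remote host finally sees, or None."""
    tunnel = sender.outbound(src, dst)
    if tunnel is None:
        return None
    return receiver.inbound(*tunnel)


def acls_mirror(a, b):
    """The two crypto ACLs must be exact mirror images of each other,
    otherwise the IPsec SA negotiation (proxy identities) fails."""
    return a.crypto_acl == tuple(reversed(b.crypto_acl))
```

Note that a host at either site must address the remote peer by its virtual address (10.10.10.10 or 20.20.20.20); a packet sent to 192.168.1.1 never matches VPNT1 and stays local.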

Thank you very much!
