Site-to-Site IPSec VPN with Overlapping Subnets
Introduction
The Problem
The Solution
Lab Example
Introduction
To build a site-to-site VPN between two sites whose subnets overlap, at least one side must apply Network Address Translation (NAT) so that the addresses carried inside the tunnel are unique. The overlapping internal subnet is mapped to a distinct, unused "virtual" subnet, and only those virtual addresses appear in the IPsec proxy identities (the crypto ACLs) and in the traffic the hosts send. When the two ranges are identical, as in the lab below, each site's hosts must reach the other site through a translated address (otherwise a host treats the remote address as on-link and never hands the packet to its gateway), so in practice both routers translate.
The Problem:
- When two networks with identical address ranges (e.g., 192.168.1.0/24 at both sites) need to communicate over a VPN, neither the hosts nor the routers can tell the two networks apart: a host at site A sees every 192.168.1.x address as part of its own segment and ARPs for it locally instead of sending the packet to its gateway.
- Even if a packet reached the router, there is no usable route: the destination prefix is the router's own connected subnet, so nothing distinguishes "local 192.168.1.0/24" from "remote 192.168.1.0/24" in the routing table or in the IPsec proxy identities.
The Solution: Address Translation (NAT)
- Source NAT (SNAT):
When traffic leaves one site, its source address is translated to a unique address in a "virtual" subnet before it is matched against the crypto ACL and encrypted. On Cisco IOS the inside-to-outside NAT translation happens before the crypto map is evaluated, so the crypto ACLs on both ends must reference the translated (virtual) addresses, never the real overlapping ones.
- Destination NAT (DNAT):
When traffic for the remote site arrives at the far end of the tunnel and is decrypted, its destination address (the remote site's virtual address) is translated back to the real, overlapping address of the target host.
A static NAT entry on IOS is bidirectional, so one entry per host (or per subnet) provides both translations on that router: the outbound source rewrite and the inbound destination rewrite. In the lab below each router holds one such entry for its own overlapping host.
Lab Example:

This assumes every interface involved is already up and addressed, including the ISP router that sits between the two sites: R1 reaches the ISP from Ethernet0/0 (1.1.1.1, next hop 1.1.1.2) and R2 from Ethernet0/0 (2.2.2.2, next hop 2.2.2.1). Loopback1 carries the overlapping address 192.168.1.1 on both routers and stands in for a LAN host. In this example NAT is configured on both routers: R1 presents its 192.168.1.1 to the tunnel as 10.10.10.10 and R2 presents its 192.168.1.1 as 20.20.20.20, so the crypto ACLs and the hosts' traffic use only those two addresses. The IKE policy and the IPsec transform set must match on both ends, or phase 1 / phase 2 negotiation fails.
R1 Configuration
R1(config)# interface Ethernet0/0
R1(config-if)# ip nat outside
! Ethernet0/0 faces the ISP: NAT outside here, and the crypto map is applied here at the end
!
R1(config)# interface Loopback1
R1(config-if)# ip nat inside
! Loopback1 (192.168.1.1) stands in for the overlapping LAN host
!
R1(config)# ip route 0.0.0.0 0.0.0.0 1.1.1.2
! One-to-one static NAT: 192.168.1.1 is seen through the tunnel as 10.10.10.10.
! The entry is bidirectional: source rewrite on the way out, destination rewrite on the way in.
R1(config)# ip nat inside source static 192.168.1.1 10.10.10.10
!
! IKEv1 phase 1 policy; must match R2's policy
R1(config)# crypto isakmp policy 1
R1(config-isakmp)# hash sha512
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 14
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# encryption aes 256
R1(config-isakmp)# exit
! Pre-shared key for peer 2.2.2.2. xxxxxxxx is a placeholder: use a long random secret.
! "key 0" enters it in cleartext; to store it as type 6 configure
! "key config-key password-encrypt <passphrase>" and "password encryption aes" first.
R1(config)# crypto isakmp key 0 xxxxxxxx address 2.2.2.2
!
! Phase 2 transform set: AES-128 for confidentiality, HMAC-SHA-256 for integrity.
! Do not use esp-md5-hmac: HMAC-MD5 is a legacy algorithm Cisco's NGE guidance says to avoid.
R1(config)# crypto ipsec transform-set TSET1 esp-aes 128 esp-sha256-hmac
R1(cfg-crypto-trans)# exit
R1(config)# crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL (proxy identity) uses the translated addresses, because NAT runs before the crypto map
R1(config)# ip access-list extended VPNT1
R1(config-ext-nacl)# permit ip host 10.10.10.10 host 20.20.20.20
R1(config-ext-nacl)# exit
!
R1(config)# crypto map CMAP 10 ipsec-isakmp
R1(config-crypto-map)# match address VPNT1
R1(config-crypto-map)# set peer 2.2.2.2
R1(config-crypto-map)# set transform-set TSET1
R1(config-crypto-map)# exit
!
R1(config)# interface Ethernet0/0
R1(config-if)# crypto map CMAP
R1(config-if)# exit
R2 Configuration
R2(config)# interface Ethernet0/0
R2(config-if)# ip nat outside
! Ethernet0/0 faces the ISP: NAT outside here, and the crypto map is applied here at the end
!
R2(config)# interface Loopback1
R2(config-if)# ip nat inside
! Loopback1 (192.168.1.1, the same address as on R1) stands in for the overlapping LAN host
!
R2(config)# ip route 0.0.0.0 0.0.0.0 2.2.2.1
! One-to-one static NAT: R2's 192.168.1.1 is seen through the tunnel as 20.20.20.20 (bidirectional)
R2(config)# ip nat inside source static 192.168.1.1 20.20.20.20
!
! IKEv1 phase 1 policy; must match R1's policy
R2(config)# crypto isakmp policy 1
R2(config-isakmp)# hash sha512
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 14
R2(config-isakmp)# lifetime 3600
R2(config-isakmp)# encryption aes 256
R2(config-isakmp)# exit
! Same pre-shared key as on R1, bound to peer 1.1.1.1 (xxxxxxxx is a placeholder)
R2(config)# crypto isakmp key 0 xxxxxxxx address 1.1.1.1
!
! Phase 2 transform set: identical to R1's (AES-128 with HMAC-SHA-256; avoid esp-md5-hmac)
R2(config)# crypto ipsec transform-set TSET1 esp-aes 128 esp-sha256-hmac
R2(cfg-crypto-trans)# exit
R2(config)# crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL is the mirror image of R1's, again with the translated addresses
R2(config)# ip access-list extended VPNT1
R2(config-ext-nacl)# permit ip host 20.20.20.20 host 10.10.10.10
R2(config-ext-nacl)# exit
!
R2(config)# crypto map CMAP 10 ipsec-isakmp
R2(config-crypto-map)# match address VPNT1
R2(config-crypto-map)# set peer 1.1.1.1
R2(config-crypto-map)# set transform-set TSET1
R2(config-crypto-map)# exit
!
R2(config)# interface Ethernet0/0
R2(config-if)# crypto map CMAP
R2(config-if)# exit
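The lab translates a single host on each side. The same design extends to the whole overlapping /24 with a static network translation and a wider crypto ACL. The fragment below is an added example, not part of the original lab; the virtual subnets 10.10.10.0/24 and 20.20.20.0/24 are assumptions chosen to match the lab's addressing. Remove the lab's single-host static entry on each router (the `no` form of the line you configured) before adding the network entry, since IOS rejects overlapping static translations. Everything else (ISAKMP policy, key, transform set, crypto map and interface settings) stays exactly as in the lab.

```cisco
! R1: present all of 192.168.1.0/24 to the tunnel as 10.10.10.0/24.
! Host 192.168.1.x becomes 10.10.10.x; the entry is bidirectional.
R1(config)# ip nat inside source static network 192.168.1.0 10.10.10.0 /24
!
! Crypto ACL on R1 names the virtual subnets of both sites, never 192.168.1.0/24
R1(config)# ip access-list extended VPNT1
R1(config-ext-nacl)# permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config-ext-nacl)# exit
!
! R2: mirror image with its own virtual subnet 20.20.20.0/24
R2(config)# ip nat inside source static network 192.168.1.0 20.20.20.0 /24
R2(config)# ip access-list extended VPNT1
R2(config-ext-nacl)# permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
R2(config-ext-nacl)# exit
```

With this in place a host 192.168.1.50 at site A reaches the host 192.168.1.50 at site B by sending to 20.20.20.50, and site B reaches site A's hosts as 10.10.10.x. The real 192.168.1.x addresses of the remote site are never used on the wire, so any DNS or application configuration handed to one site must carry the other site's virtual addresses. On a real router the LAN-facing interface, not a loopback, is the one marked `ip nat inside`.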
Verification:
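The following is an added verification sequence for the lab, using standard IOS show commands; the expectations noted in the comments describe how these commands normally report a working tunnel and are not output captured from this lab.

```cisco
! From R1, generate interesting traffic sourced from the overlapping address.
! The first replies may be lost while IKE negotiates, so send several.
R1# ping 20.20.20.20 source Loopback1 repeat 10
!
! Phase 1: expect one SA with dst/src 2.2.2.2 / 1.1.1.1 in state QM_IDLE
R1# show crypto isakmp sa
!
! Phase 2: the local ident must be 10.10.10.10/255.255.255.255 and the remote ident
! 20.20.20.20/255.255.255.255 (translated hosts, not 192.168.1.1), and the
! "#pkts encaps" and "#pkts decaps" counters should both grow with each ping
R1# show crypto ipsec sa peer 2.2.2.2
!
! NAT: the static entry appears with Inside global 10.10.10.10 and Inside local
! 192.168.1.1; after the ping an ICMP entry shows 20.20.20.20 as the outside address
R1# show ip nat translations
R1# show ip nat statistics
!
! Mirror checks on R2: peer 1.1.1.1, identities reversed, Inside global 20.20.20.20
R2# show crypto isakmp sa
R2# show crypto ipsec sa peer 1.1.1.1
R2# show ip nat translations
```

If `show crypto ipsec sa` shows the SA but "#pkts encaps" stays at zero, the traffic is not matching the crypto ACL; confirm with `show ip nat translations` that the source was translated and that both crypto ACLs reference the translated addresses. If no ISAKMP SA forms at all, compare the two `crypto isakmp policy` blocks and the pre-shared keys first, since a mismatch there stops phase 1 before NAT or the crypto ACL matter.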




Thank you very much!