cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1198
Views
6
Helpful
21
Replies

IPsec VPN with a peer IP address and remote LAN in the same subnet

Ab26
Level 1
Level 1

Hi,
I recently set up a site-to-site IPsec VPN tunnel with a customer, and soon after informed me that they use the same subnet for their VPN Peer IP address and the LAN behind it. They can't do NATing at the moment. They've even planned for some of our LAN traffic to communicate directly with their peer IP. I have never seen a VPN with the same IP addressing scenario, so I'm not sure whether this set up will work or not. I have tried to search online but with no succuss.  
The VPN tunnel is up, and we have set it up as a route-based tunnel using tunnel mode for the IPsec transform-set. Can anyone provide insights or confirmation on whether this configuration will work? 

BTW my router is a has many VPN peers, and I have myself set up many VPN tunnels. My question is not about configuring a VPN tunnel but the fact that the remote peer and remote LAN are in the same subnet. 

Site A (My side):
Peer IP: 10.10.10.1 , LAN 10.10.0.0/24 (different subnet)

Site B (Customer_X):
Peer IP 20.20.20.55, LAN 20.20.20.0/24 ==> here's the issue (same subnet)
Problem: Customer's VPN Peer IP is in the same subnet as their LAN

Current config:
----------------
interface Tunnel5
vrf forwarding Customer_X
ip address 169.254.0.5 255.255.255.255
ip tcp adjust-mss 1350
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 20.20.20.55
tunnel vrf frontdoor
tunnel protection ipsec profile ipsec-profile
!
interface GigabitEthernet0/5
description ***out to the internet***
vrf forwarding frontdoor
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1360
!
ip route vrf Customer_X 20.20.20.0 255.255.255.0 Tunnel5
!

1 Accepted Solution

Accepted Solutions

@Ab26 I tested your scenario and it will work with a route based VPN.

Example:

interface Tunnel1
 vrf forwarding CUSTOMER-X
 ip address 172.21.1.1 255.255.255.255
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.1
 tunnel vrf FRONTDOOR
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface Loopback10
 vrf forwarding CUSTOMER-X
 ip address 10.10.0.1 255.255.255.255
!
ip route vrf FRONTDOOR 0.0.0.0 0.0.0.0 1.1.1.254
ip route vrf CUSTOMER-X 2.2.2.0 255.255.255.0 Tunnel1

R1#ping vrf CUSTOMER-X 2.2.2.3 source lo10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/38 ms
R1#
*Aug 3 17:37:41.587: ICMP: echo reply rcvd, src 2.2.2.3, dst 10.10.0.1, topology BASE, dscp 0 topoid 2

From the remote peer side

interface Loopback0
vrf forwarding LAN
ip address 2.2.2.3 255.255.255.255
!
R2#show run | i route
ip route vrf LAN 10.0.0.0 255.0.0.0 Tunnel1
R2# debug ip icmp
*Aug 3 17:37:43.199: ICMP: echo reply sent, src 2.2.2.3, dst 10.10.0.1, topology BASE, dscp 0 topoid 1
*Aug 3 17:37:43.218: ICMP: echo reply sent, src 2.2.2.3, dst 10.10.0.1, topology BASE, dscp 0 topoid 1

R2#show crypto ipsec sa | i encaps|decaps
#pkts encaps: 122, #pkts encrypt: 122, #pkts digest: 122
#pkts decaps: 134, #pkts decrypt: 134, #pkts verify: 134 

View solution in original post