How to use the same network on both sides of an IPsec tunnel

Last modified on 23 Nov, 2022. Revision 12
How to use the same network on both sides of an IPsec tunnel (cOS Core)
Up to date for
cOS Core 14.00
Supported since
cOS Core 11.00
Status OK


I want to establish an IPsec tunnel to a remote office, but the local network there conflicts with the local network at the central office. How can i solve this problem without changing the network on either side?


This is possible to solve by address translating the network on both sides to something else when these networks need to talk to each other. Lets say that the conflicting network is, we create a “fake” network that only exists between these 2 sites. So instead of connecting to the remote host we connect to This modification can be done automatically.

How to accomplish this.


Main Office Network/IPs:

  • Local Network:
  • External IP:

Remote Office Network/IPs:

  • Local Network:
  • External IP:

Main Office IPsec:

  • Name: Stockholm_IPsec
  • Local Network:
  • Remote Network:
  • Remote Endpoint:
  • Keep "Add route statically" enabled

Main Office route:

  • [core]

Remote Office IPsec:

  • Name: Gothenborg_IPsec
  • Local Network:
  • Remote Network:
  • Remote Endpoint:
  • Keep "Add route statically" enabled

Remote Office route:

  • [core]

Main Office Policy Outbound:

  • Action:Allow
    Destination Interface:Stockholm_IPsec
    Destination Network:"Fake_Remote_Network"
    Source Translation:Sat
    Address Action:Transposed
    Base IP Address:

Main Office Policy Inbound:

  • Action:Allow
    Destination Interface:any
    Destination Network:"Fake_Local_Network"
    Source Translation:Nat
    Address Action:Outgoing Interface Address
    Destination Translation:Sat
    Address Action:Transposed
    Base IP Address:

Note: You can not select i.e as Source or destination network on the SAT rule’s address translation tab, you need to type and it will translate correctly from the correct source IP and destination IP. becomes etc.

Note-2: The reason why we [Core] route the 172.16.x.x network is because this network will not exist behind any physical interface. It exists in the Core only (so to speak).

The same rules but the other way around on the remote office.

This enables the same network to still exist on both sides, when clients want to connect to hosts on beyond the IPsec tunnel they use the 172.16.x.x address instead of 192.168.x.x and thus we have bypassed the problem and there is no need to change the local network on either side.

Example flow:

Host on the Main office wants to reach an FTP server on the Remote Office. This FTP server has the IP on the remote office. Host then connects to which will traverse the IPsec tunnel then address translated from to in order to match the machine on the remote office local network.

Related articles

Configuring L2TP/IPsec Server using PSK
11 Jan, 2023 ipsec core vpn
Setup of a Layer-3 bridge over IPsec in cOS Core
12 Apr, 2023 core proxyarp arp ipsec routing
Configuring public certificates in NetWall firewalls
18 Mar, 2024 core certificate oneconnect ipsec vpn
cOS Core L2TP server setup with Windows Server CA certificates
21 Feb, 2023 ipsec certificate windows ca core
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
Certificate update in InControl global domain on certificate that is used on firewall(s)
18 Mar, 2024 core incontrol certificate oneconnect ipsec vpn
Setting up OSPF with IPsec in cOS Core
16 Apr, 2024 core routing ospf ipsec
cOS Core IPsec IKEv1 "No_Proposal_Chosen" error in 14.00.10
4 Aug, 2023 core ipsec troubleshoot ike
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Split tunneling in cOS Core with Windows L2TP/IPsec clients
29 Mar, 2023 ipsec core windows vpn l2tp
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
cOS Core IKEv2 tunnel setup with certificates for iOS clients
5 Apr, 2023 core nps ipsec radius legacy
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory
Route failover with IPsec tunnels in cOS Core
13 Feb, 2023 ipsec core routing failover