How to use the same network on both sides of an IPsec tunnel

Last modified on 23 Nov, 2022. Revision 12
How to use the same network on both sides of an IPsec tunnel (cOS Core)
Up to date for
cOS Core 14.00
Supported since
cOS Core 11.00
Status OK

Problem:

I want to establish an IPsec tunnel to a remote office, but the local network there conflicts with the local network at the central office. How can i solve this problem without changing the network on either side?

Solution:

This is possible to solve by address translating the network on both sides to something else when these networks need to talk to each other. Lets say that the conflicting network is 192.168.30.0/24, we create a “fake” network that only exists between these 2 sites. So instead of connecting to the remote host 192.168.30.50 we connect to 172.16.1.50. This modification can be done automatically.

How to accomplish this.

Example:

Main Office Network/IPs:

Remote Office Network/IPs:


Main Office IPsec:

Main Office route:

Remote Office IPsec:

Remote Office route:


Main Office Policy Outbound:


Main Office Policy Inbound:


Note: You can not select i.e 172.16.1.0/24 as Source or destination network on the SAT rule’s address translation tab, you need to type 172.16.1.0 and it will translate correctly from the correct source IP and destination IP. 192.168.30.50 becomes 172.16.1.50 etc.

Note-2: The reason why we [Core] route the 172.16.x.x network is because this network will not exist behind any physical interface. It exists in the Core only (so to speak).


The same rules but the other way around on the remote office.


This enables the same network to still exist on both sides, when clients want to connect to hosts on beyond the IPsec tunnel they use the 172.16.x.x address instead of 192.168.x.x and thus we have bypassed the problem and there is no need to change the local network on either side.

Example flow:

Host 192.168.30.93 on the Main office wants to reach an FTP server on the Remote Office. This FTP server has the IP 192.168.30.55 on the remote office. Host 192.168.30.93 then connects to 172.16.2.93 which will traverse the IPsec tunnel then address translated from 172.16.2.93 to 192.168.30.93 in order to match the machine on the remote office local network.

Related articles

Configuring public certificates in NetWall firewalls
23 Aug, 2022 core certificate oneconnect ipsec vpn
Problem with auto-created Core routes
22 Mar, 2021 core ipsec routing
IPsec license usage calculation
14 Apr, 2021 core license ipsec
Does IPsecBeforeRules trigger before Access rules?
8 Sep, 2020 core ipsec rules access
Troubleshooting IPsec tunnels (IKEv1)
7 Dec, 2022 ipsec ike troubleshoot core
Freeing up more memory in the Firewall
23 Aug, 2022 core connections ipsec memory