In IPSEC one of my src and dst address in policies section is:
Src Address 192.168.1.0/24(my LAN)
Dst Address 10.10.1.5 (partner host)
The problem is that my partner proposes to change my subnet because we are in collision with another partner who has the same subnet as mine. Is it possible to avoid it via netmap, and how? If not, what are the possible solutions?
You can try to convince your partner to make another partner change their subnet.
But netmap is possible too. Choose some virtual subnet to use, with the same size as yours, e.g. 192.168.33.0/24. Configure the tunnel between this subnet and the remote one. And then:
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=10.10.1.5/?? action=netmap to-addresses=192.168.33.0/24
add chain=dstnat src-address=10.10.1.5/?? dst-address=192.168.33.0/24 action=netmap to-addresses=192.168.1.0/24
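To make the two rules above concrete, here is an added model (not from the original post, and not RouterOS code) of what action=netmap does: it swaps the network bits and keeps the host bits, so 192.168.1.77 is seen by the partner as 192.168.33.77. The subnets and partner host are the ones from the thread; the /?? mask on the partner host is assumed to be a single address.

```python
import ipaddress

# Values from the thread: real LAN, virtual LAN the partner sees, partner host.
REAL_LAN = ipaddress.ip_network("192.168.1.0/24")
VIRTUAL_LAN = ipaddress.ip_network("192.168.33.0/24")
PARTNER_HOST = ipaddress.ip_address("10.10.1.5")  # assumed /32


def netmap(addr, from_net, to_net):
    """1:1 netmap: keep the host bits, replace the network bits."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equally sized subnets")
    if addr not in from_net:
        return addr  # not in the mapped range: left untouched
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def srcnat(src, dst):
    """Rule 1: chain=srcnat src=REAL_LAN dst=PARTNER_HOST -> to VIRTUAL_LAN.
    Applied to LAN-initiated packets before they enter the tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in REAL_LAN and dst == PARTNER_HOST:
        src = netmap(src, REAL_LAN, VIRTUAL_LAN)
    return str(src), str(dst)


def dstnat(src, dst):
    """Rule 2: chain=dstnat src=PARTNER_HOST dst=VIRTUAL_LAN -> to REAL_LAN.
    Applied to partner-initiated packets arriving from the tunnel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == PARTNER_HOST and dst in VIRTUAL_LAN:
        dst = netmap(dst, VIRTUAL_LAN, REAL_LAN)
    return str(src), str(dst)


def ipsec_policy_selectors():
    """The IPsec policy must match the addresses after srcnat, i.e. the
    virtual subnet, not the real LAN; otherwise the tunnel never matches."""
    return str(VIRTUAL_LAN), f"{PARTNER_HOST}/32"
```

The model translates each packet independently; on the router, connection tracking reverses the translation for reply packets of an established flow, so the second rule matters for connections the partner opens towards you.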
It was my first suggestion, but then I went back to my old friend MikroTik.
Thanks for the help, I'll try it on Monday!
Well, I didn't try on Monday, I will try tomorrow, but I'm concerned about what the out interface will be in the first rule and what the in interface will be in the second rule?
You don’t have to do anything with interfaces in these rules. But if you want to, out-interface for srcnat and in-interface for dstnat will both be your WAN interface.
Thank You so much!
Well, I have just another question: now on my other tunnels in Policies > Peer, the status is unknown for the peers despite the tunnels being active (PH2 state established). Why is that?
Thank You in advance
Well, I cannot establish a connection; when I try to ping the targeted remote host in the tunnel from any LAN client, the log shows the following:
firewall info: srcnat: in:(unknown 0) out:WAN interface src-mac 00:1f:b5:xx:xx:xx proto ICMP(type 8, code0) 192.168.x.x>10.x.x.x, len60
also
ipsec info: phase 1 negotiation failed due to time up x.x.x.x(500)<=>x.x.x.x(500)
is that a firewall problem?
The posted rules will change traffic going from src-address to dst-address. Srcnat will change the original source from src-address to to-addresses. Dstnat will change the original destination from dst-address to to-addresses. They won’t touch anything else. Since nobody here sees your config, you have to find out if that can match something that would influence other tunnels.