ipsec vpn - same local subnets

azim · February 1, 2016, 1:00pm

hey,

I have a issue…
I watched few tutorials and maybe i know how to configure a ipsec vpn.
But… both sides have the same subnet ex. 172.16.1.0 /24

How can I resolved this issue ?

Revelation · February 1, 2016, 2:06pm

What do you mean they have the same local subnet?

What are the “WAN” IPs?

What is the IP for your Tunnel?

What are the IPs of all/any networks behind each router?

What is the actual problem you are experiencing?

azim · February 1, 2016, 2:15pm

for ex:

MT1
wan - 1.1.1.1
lan - 172.16.1.0 /24

MT2
wan - 2.2.2.2
lan 172.16.1.0 /24

Now how can I set site to site ipsec vpn tunel ? Lan adress can’t be re-addressed.

Revelation · February 1, 2016, 2:47pm

LAN addresses can always be re-IPed. Anyone who says otherwise is simply lazy.

The only alternative is much more labor intensive on the setup and maintenance.

azim · February 1, 2016, 2:59pm

Of course it can. But in large organization this change is too big. too many to change: routing, acl, policies, etc.
So I asked for the other opportunities.

Revelation · February 1, 2016, 3:07pm

If it is a large organization then they would have paid attention to the IP addressing scheme from the beginning.

Solution:
Create 255 interfaces with manually assigned IPs in the 10.0.x.0/24 address space on each router

Create 255 src-nats for each device on the LAN giving it a 1-to-1 nat of a specific 10.0.x.x IP on each router

Create 255 dst-nats for each device pointing from the previously specified 10.0.x.x IP to a single host device on each router

Create a Tunnel between the routers 10.99.0.0/26 (example only)

Assign IP routes over the tunnel for each 10.0.x.0/24 address space.

Keep in mind that every time an IP address changes you will have to manually update both the src-nat and the dst-nat to ensure connectivity to the correct device remains on every router.

Good luck managing that…

jaytcsd · February 3, 2016, 8:37am

I’m running an EOIP tunnel with IPsec between 2 routerboards on 192.168.100.0/24.
Site 1 LAN is 192.168.100.1, site 2 is 192.168.100.10.
I only have 10 devices so it’s easy to keep track of addressing.

Site 1 is running dhcp, but most of my devices are static. Site 2 devices use the .10 router as their gateway.

Ping times between devices is under 100 ms for 2100 miles between routers.

azim · February 8, 2016, 12:55pm

hmm
this is a tut for cisco:
https://www.youtube.com/watch?v=ARTXlo2hFQ0

how can i do the same on mikrotik ? this resolved me problem.

jaytcsd · February 9, 2016, 5:32am

On the road for a few days, will look at the video and let you know, maybe, I’m not an expert.

chechito · February 9, 2016, 5:49am

maybe proxy arp can help in that situation

jaytcsd · February 12, 2016, 8:13am

Have not looked at the video, here are my rules with your IPs

site 1

/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 2" mtu=auto actual-mtu=1424 l2mtu=65535
mac-address=(blanked) arp=enabled local-address=1.1.1.1
remote-address=2.2.2.2 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="monkey" allow-fast-path=no

/interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic

INTERFACE BRIDGE PRIORITY PATH-COST HORIZON

0 LAN port 2 bridge1 0x80 10 none
1 to site 2 bridge1 0x80 10 none

site 2

/interface eoip> pr
Flags: X - disabled, R - running
0 R name="to site 1" mtu=auto actual-mtu=1424 l2mtu=65535
mac-address=(blanked) arp=enabled local-address=2.2.2.2
remote-address=1.1.1.1 tunnel-id=0 dscp=inherit clamp-tcp-mss=yes
dont-fragment=no ipsec-secret="monkey" allow-fast-path=no

/interface bridge port> pr
Flags: X - disabled, I - inactive, D - dynamic

INTERFACE BRIDGE PRIORITY PATH-COST HORIZON

0 LAN port 2 bridge1 0x80 10 none
1 to site 1 bridge1 0x80 10 none