Nat for ipsec with same subnets

torrington · August 7, 2023, 1:28am

Hello,

My local network is 172.24.0.0/16

I need two ipsec site to site vpn’s, but both remote sides have subnet 192.168.0.0/24

As expected routeros won’t let me enable the two policies at the same time.

I was wondering what nat or any other configuration would be suggested to accomplish this.

Thanks for any help on the matter.

Kentzo · August 7, 2023, 6:08pm

*Not talking from experience

How about using your destination site selection criteria to perform NAT via netmap / masquerade of source addresses? With that you will be able to have distinct policies, i.e. instead of 172.24.0.0/16 ↔ 192.168.0.0/24 you could have 10.0.0.0/16 ↔ 192.168.0.0/24 for one site and 10.1.0.0/16 ↔ 192.168.0.0/24 for another.

torrington · August 8, 2023, 1:30am

Thanks for your reply.

It sound like a good idea, but can you give a hint on how to implement?

Kentzo · August 8, 2023, 2:35am

I have in mind something like this:

/ip/firewall/nat
add chain=srcnat action=netmap *tunnel-1 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.0.0.0/16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.0.0.0/16 to-addresses=172.24.0.0/16

add chain=srcnat action=netmap *tunnel-2 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.1.0.0/16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.1.0.0/16 to-addresses=172.24.0.0/16

/ip/ipsec/policies
add tunnel=yes action=encrypt peer=tunnel-1 src-address=10.0.0.0/16 dst-address=192.168.0.0/24 
add tunnel=yes action=encrypt peer=tunnel-2 src-address=10.1.0.0/16 dst-address=192.168.0.0/24 
# Other IPsec specific configuration

I don’t know how netmap affects connection tracking, hopefully it just works. But watch out for connection-state=invalid packets being dropped, just in case.

torrington · August 14, 2023, 2:45am

Hi Kentzo, sorry for the late response.

I still haven’t found the time to try it, but I wonder two things.

What do you mean by tunnel-1 matching
if the destination address is always 192.168.0.0/24 how would the router will distinguish when I want to go through tunnel 1 from when I want to go through tunnel 2 ?

Thank you.

Kentzo · August 14, 2023, 4:32pm

[1] is related to [2]. You need to come up with a criteria to determine which of the 192.168.2.0 networks you want to reach. Once you have that, the nat rule will change src address to match specific ipsec policy.

Perhaps it is possible to map destination address such as that 192.168.2.0 would appear as either 10.0.0.0 or 10.1.0.0 (depending on the tunnel). However, I’m not sure what firewall rules are needed for that, see the Packet Flow reference. On input you want to mangle before policy matching and on output you want to mangle after policy matching.

Again, all of these is just an idea.

I see that similar question was discussed here before, did you try any of the solutions?

LdB · August 15, 2023, 8:00am

We need to understand why you are hellbent on having overlapping subnets … its a lot easier to not