Hi,
I have a question.
Is it possible to build a (secure) Site-to-Site VPN tunnel with Mikrotik routers on both sides?
On both sides we use the same IP range and subnet.
You would need the subnets to be separate. If they are exactly the same there is no way to know where the traffic needs to be routed. You would either need to migrate to a different subnet or split the subnet.
This is generally a bad idea to do, but I think the situation is as it is, and you need a solution right now w/o renumbering.
Although what I propose is not a universal solution, it might be able to help you with your troubles.
Assuming you have two Mikrotiks, each on one site, acting as gateways to the outside - this would ease up the story a bit.
One thing you can do is to collect all the resources on each site which need to be accessed remotely:
- printers, NASs, servers, whatever
As far as they use different TCP/UDP ports to communicate, you could establish a GRE/IPIP/SSTP/L2TP/whatever tunnel between the 2 Mikrotiks, and do port forwarding to those resources using the addresses connected to the tunnels, and masquerading at the same time. This way you will lose direct IP visibility and you work around the address overlapping issue.
The other risky stuff would involve collapsing your two LANs into one by interconnecting them with an EoIP tunnel (you can have IPsec ESP as tunnel protection) - or even with L2TP/SSTP bridged mode. You may not have the same IP address on both sides, but you can have the IP pool span over your two sites. For optimal internet access you should have each Mikrotik as the GW for the respective site, and you should avoid using DHCP [or be very focused on address assignment and filter DHCP over the interconnecting tunnel] - whatever it is, this will be a nasty workaround. All the broadcast traffic will cross the tunnel, which can be a bottleneck. And you may get into situations where a device on one site will use (because of misconfiguration) the router on the other as GW, efficiently travelling the internet 2-3 times: host - router site A - tunnel (over the internet) - router on site B - internet - router on site B - tunnel (over the internet) - router on site B - host, and this will be working but experienced on the user side as “poorly performing network”.
If you just plan to add 1-1 Mikrotiks as extra “hosts” to your existing network on each site, both solutions above will work as well.
The proper way is then to renumber one side finally, and use the “normal” routed tunnel to interconnect the two sites.
On linux you can use 1:1 NAT
http://www.cahilig.net/2010/10/28/how-enable-11-nat-iptables
This is for one IP (your VPN IP address in this case): rename all the network and get NAT working over this network. You will re-address both networks on a router level and don’t touch your working infrastructure. You need to make a static access for every IP on both sides.
I don’t know yet how to do this using Mikrotik but I think there will be a solution.
Some links on Google will help you:
http://forum.mikrotik.com/t/nat-plus-1-1-nat/50487/1
http://community.cambiumnetworks.com/t5/Other-PMP-Solutions/MikroTik-1-1-NAT/td-p/22998
NAT is a possibility too. Let’s say you have 192.168.0.0/24 on both sites. You can make two virtual subnets 192.168.1.0/24 (site1) and 192.168.2.0/24 (site2). Then to connect from one site to another, you’ll be connecting to its virtual address (e.g. to connect from site1 to 192.168.0.20 on site2, you’d use 192.168.2.20).
To make it work, all you need is two rules on each router (with action=netmap):
On router1:
- take traffic to 192.168.2.0/24 and use srcnat to change source to 192.168.1.0/24
- take traffic to 192.168.1.0/24 and use dstnat to change destination to 192.168.0.0/24
On router2:
- take traffic to 192.168.1.0/24 and use srcnat to change source to 192.168.2.0/24
- take traffic to 192.168.2.0/24 and use dstnat to change destination to 192.168.0.0/24
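The following is an added illustration, not code from any post in this thread, of the 1:1 NAT idea in the two replies above (the Linux iptables links and the MikroTik action=netmap rules). It is a small Python model of the two routers: each router applies the dstnat rule before routing and the srcnat rule after it, exactly as listed, and netmap keeps the host bits of the address. The trace shows what the packet looks like at every hop in both directions, which is the part that is hard to see from the rule list alone. The host addresses 192.168.0.10 and 192.168.0.20 and the router names are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Addressing from the thread: both sites really use 192.168.0.0/24.
# Site1 is reachable from site2 as 192.168.1.0/24, site2 from site1 as 192.168.2.0/24.
REAL_NET = ipaddress.IPv4Network("192.168.0.0/24")
SITE1_VIRTUAL = ipaddress.IPv4Network("192.168.1.0/24")
SITE2_VIRTUAL = ipaddress.IPv4Network("192.168.2.0/24")


def netmap(addr, from_net: ipaddress.IPv4Network,
           to_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Rewrite addr from from_net into to_net, keeping the host bits unchanged.

    This is what action=netmap (1:1 NAT) does, unlike src-nat/masquerade,
    which collapse a whole subnet onto a single address.
    """
    addr = ipaddress.IPv4Address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("netmap needs equally sized prefixes")
    if addr not in from_net:
        return addr
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host_bits)


class Router:
    """One MikroTik with the two rules from the post (hypothetical model).

    dstnat (before routing): dst in own_virtual  -> dst mapped into REAL_NET
    srcnat (after routing):  dst in peer_virtual -> src mapped from REAL_NET into own_virtual
    """

    def __init__(self, name: str, own_virtual: ipaddress.IPv4Network,
                 peer_virtual: ipaddress.IPv4Network):
        self.name = name
        self.own_virtual = own_virtual
        self.peer_virtual = peer_virtual

    def forward(self, src, dst):
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if dst in self.own_virtual:           # dstnat: de-virtualise the destination
            dst = netmap(dst, self.own_virtual, REAL_NET)
        if dst in self.peer_virtual:          # srcnat: virtualise our own source
            src = netmap(src, REAL_NET, self.own_virtual)
        return src, dst


ROUTER1 = Router("router1", SITE1_VIRTUAL, SITE2_VIRTUAL)
ROUTER2 = Router("router2", SITE2_VIRTUAL, SITE1_VIRTUAL)


def trace(src: str, dst: str, first: Router, second: Router) -> List[Tuple[str, str, str]]:
    """Follow one packet from a host behind `first` to a host behind `second`.

    Returns (where, src, dst) after each hop, as strings.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    hops = [("sent by host", str(s), str(d))]
    s, d = first.forward(s, d)
    hops.append((f"leaving {first.name} into the tunnel", str(s), str(d)))
    s, d = second.forward(s, d)
    hops.append((f"delivered by {second.name}", str(s), str(d)))
    return hops


def round_trip(src: str, dst: str, first: Router, second: Router) -> bool:
    """True if the reply to (src -> dst) comes back with the addresses swapped.

    On a real router connection tracking un-NATs the reply; applying the
    rules statelessly gives the same answer only because netmap is a 1:1
    mapping, which is exactly why both rule sets must be mirror images.
    """
    _, s_final, d_final = trace(src, dst, first, second)[-1]
    back = trace(d_final, s_final, second, first)
    return back[-1][1:] == (dst, src)


if __name__ == "__main__":
    # Site1 host 192.168.0.10 talks to site2 host 192.168.0.20 via its virtual address.
    for where, s, d in trace("192.168.0.10", "192.168.2.20", ROUTER1, ROUTER2):
        print(f"{where:38} {s:>14} -> {d}")
    print("reply reaches the originator:",
          round_trip("192.168.0.10", "192.168.2.20", ROUTER1, ROUTER2))
```

The delivered packet on site2 carries source 192.168.1.10, so the site2 host replies to site1's virtual address and the reverse mapping brings the reply home; a host that replied to 192.168.0.10 directly would hit its own LAN instead. On RouterOS the corresponding rules are of the form `/ip firewall nat add chain=srcnat dst-address=192.168.2.0/24 action=netmap to-addresses=192.168.1.0/24` and `add chain=dstnat dst-address=192.168.1.0/24 action=netmap to-addresses=192.168.0.0/24` on router1 (mirrored on router2); in practice they are usually also restricted to the tunnel interface so they never touch local LAN traffic.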
Yup, I’ve posted several times in depth on the forums on performing double NAT for like networks. It’s a valid albeit difficult solution for a new user to implement.
I see it used a lot in enterprises. They setup a VPN with another enterprise but want to keep all traffic of theirs within a specific network. They ensure this by requiring the partner to NAT to a block the first enterprise is aware of. This can be done on one side or both.
In the case of overlapping networks it has to be done on both sides.
I use a vpn connection and traditionnal routing. No needs to nat between both subnets.
But there’s the small detail about same subnets on both ends, traditional routing doesn’t like that very much.
You can’t route to the same subnet two times.
This case has 192.168.1.0/24 on both sides and possibly two devices with the same IP on this. If you have 192.168.1.1-127 and 192.168.1.128-254 maybe you can route traffic but this is not the case.
Sure, I agree he needs two different subnets.
I had an EoIP tunnel between 2 RB750s, both were on 192.168.100.0/24. I only ran DHCP on one router since most PCs are static IPs. This worked fine for over a year and then it quit after an update. I was busy at the time and didn’t try to figure out what happened, then I started firmware upgrades thinking that would fix it.
I have not tried this again since Jan 3 when support said they saw nothing wrong.
You want to create a secure transparent bridge between two sites - there are several ways to do it!
1. You can use EoIP with IPsec! /If you have public IP addresses on both sites/
2. You can use some PPP connection with BCP - L2TP/IPsec, OpenVPN, SSTP! /You must have a public address on the site with the VPN server/
Hi,
Thanks for your reply.
I have on both sites Static IP addresses.
So is EoIP the best option?
Is it easy to configure (and safe)?
No, the best option is that you renumber one of the subnets!
Remember EoIP will make a bridge between your subnets. When you have the same address in use on both of the subnets it will be a disaster.
Not only static, but also public addresses!
Yes, it’s easy to configure EoIP with IPsec,
but you should know that the maximum speed between the sites will be around 10-15 Mbit/s due to software encryption!
If your router is version 3 - RB750Gr3 - it supports hardware AES and can achieve speeds above 100 Mbps.
Hi, thanks for your answer again.
Sorry, I have public IP addresses on both sides (statically assigned by my ISP).
On one side I have a CCR1009 and at the other side I have x86 on ESXi.
Are these also capable of hardware encryption?
I have on both sides a speed of 80 Mbps down and 30 Mbps up (internet).
Do you have an example of configuring EoIP with IPsec?
Example:
Side A: WAN IP address 111.111.111.111, LAN bridge IP address 192.168.0.1/24, DHCP pool 192.168.0.100-192.168.0.200
Side B: WAN IP address 222.222.222.222, LAN bridge IP address 192.168.0.2/24, without DHCP server
Side A:
/ip ipsec proposal
# phase 2 proposal used by the dynamic IPsec policy that EoIP creates when ipsec-secret is set
set numbers=default auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp4096
/interface eoip
# tunnel-id and ipsec-secret must be identical on both sides; local/remote addresses are mirrored
add name=tunnel local-address=111.111.111.111 remote-address=222.222.222.222 ipsec-secret=StrongPassword tunnel-id=101
Side B:
/ip ipsec proposal
set numbers=default auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp4096
/interface eoip
add name=tunnel local-address=222.222.222.222 remote-address=111.111.111.111 ipsec-secret=StrongPassword tunnel-id=101
Then just put your EoIP interfaces into the correct LAN bridges.