Community discussions

MikroTik App
 
danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Vpn Ipsec With Subnet 192.168.1.0/20 And 192.168.2.0/24

Tue Oct 11, 2022 9:40 pm

Good evening everyone.
I need your advice.
I have two locations.
The first office is on the 192.168.1.0/24 network.
The second office is on the 192.168.2.0/24 network.
I have activated a vpn between the two IPSEC offices and everything works.
The problem is that for site 1 I will have to extend the netmask and so it will
192.168.1.0/20

Unfortunately, with this netmask from site 2 I cannot access the PCs of site 1, it seems it is not possible to set the destination 192.168.1.0/20 on the Mikrotik.

I attach Screen
You do not have the required permissions to view the files attached to this post.
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Vpn Ipsec With Subnet 192.168.1.0/20 And 192.168.2.0/24

Tue Oct 11, 2022 10:20 pm

Address of network that has /20 mask and includes 192.168.1.x is 192.168.0.0/20. But it also includes 192.168.2.0/24 that you have on other side and it's likely to cause problems.
 
danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Re: Vpn Ipsec With Subnet 192.168.1.0/20 And 192.168.2.0/24

Tue Oct 11, 2022 10:43 pm

Thanks for your reply
So how could I do to see the devices of 192.168.1.0/20 from my network class 192.168.2.0/24 and vice versa?
 
Sob
Forum Guru
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Vpn Ipsec With Subnet 192.168.1.0/20 And 192.168.2.0/24

Wed Oct 12, 2022 1:16 am

Clean solution is to avoid overlapping subnets. Your new /20 will span from 192.168.0.0 to 192.168.15.255. So either use that and renumber 192.168.2.0/24 to something else (like 192.168.20.0/24). Or keep 192.168.2.0/24 and use 192.168.16.0/20 (192.168.16-31.*) instead of 192.168.0.0/20. You'll be changing config of current 192.168.1.x devices anyway (because of new mask), so it might not be too difficult. Or if you wouldn't need to use /20 as whole and just more addresses in separate smaller subnets would be enough, you could add those as non-continuous ones, i.e. keep 192.168.1.0/24, skip 192.168.2.0/24, and add e.g. 192.168.3.0/24, 192.168.4.0/23, etc, or whatever would fit your needs (and then you'd add separate policies for those).

If you're sure that renumbering is not an option on either side, it's possible to keep overlapping subnets and create virtual ones for tunnel. So for real 192.168.0.0/20 there could be virtual 192.168.16.0/20, and for real 192.168.2.0/24 it could be 192.168.32.0/24. Tunnel would be for 192.168.16.0/20 <-> 192.168.32.0/24 and there would have to be NAT (netmap, both srcnat and dstnat) on both routers. Then if e.g. real 192.168.2.100 would like to connect to real 192.168.1.200, it would be have to connect to 192.168.17.200, and real 192.168.1.200 would then see source as 192.168.32.100. So it would work, but you can imagine that it can bring some headaches too. Edit: Both virtual subnets could be /24, because only the actually overlapping part is the problem, but it doesn't make it much better.

Who is online

Users browsing this forum: gkoleff, trmns and 45 guests