Clarification on IPsec connectivity between 2 sites with overlapping subnets

Feb 29th, 2008

Hi,

My current setup has two sites; consider them as A & B.

A has IP range

B has IP range

My doubt is whether IPsec can be enabled between these 2 sites having overlapping IP address ranges, because as far as I know, if any packet originates from A (let us assume source IP - to dest IP - ) the packet will not be relayed to the B site, since it has a matching mask in it.

Please clarify whether IPsec can be enabled between these sites, and if so, how it will not be affected by this overlapping issue.

Otherwise I would have to go for an IP schema change in one of the sites, but that is difficult because this is a well established site.

Thanks for your comments on the same.

Danilo Dy Sat, 03/01/2008 - 03:29


More specific route still applies, i.e. longer subnet.

I don't think your Site A is a single network segment of 10/8 - if it is, then will not reach. When you subnet 10/8 in Site A, do not use 10.50/16 for Site A.



ARUNPRABHU A Sat, 03/01/2008 - 09:39

Thanks Dandy,

As per you, if I have at Site A, then must not be at Site B to establish IPsec connectivity. Am I right?

If you agree with the above statement, then can you tell me the solution for the same without changing the schema at either side?

cisco24x7 Sat, 03/08/2008 - 18:53

You need to double NAT on both sides.

At site A, you NAT the source of to and the destination of

At site B, you do the opposite: you NAT the source of to and the destination will be

Now when the traffic from Site A reaches site B, you keep the source the same but you de-NAT the destination of back to

The same thing applies to Site A as well. When source gets to site A, you keep the source the same but de-NAT to 10.0.0/8.

Easy, right?

CCIE Security
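The two answers above make two points: the longest-prefix rule means a destination inside a site's own connected range never reaches the tunnel, and a static NAT on each side gives the remote site a unique, non-overlapping range to address. The following is an added worked model of that double-NAT scheme, not code from this thread or from any Cisco product. The poster's real ranges are not on the page, so the LAN range 10.1.0.0/16 at both sites and the translated ranges 172.16.0.0/16 and 172.17.0.0/16 are assumptions chosen for the example.

```python
"""Model of the double-NAT scheme: both sites keep the same LAN range and each
presents a unique translated range to the other across the IPsec tunnel.
All addresses here are constructed for the example, not the poster's ranges."""
import ipaddress

# Constructed topology (assumption): identical LANs, distinct translated ranges.
SITE_A_REAL = ipaddress.ip_network("10.1.0.0/16")    # Site A LAN
SITE_B_REAL = ipaddress.ip_network("10.1.0.0/16")    # Site B LAN, same range
SITE_A_FAKE = ipaddress.ip_network("172.16.0.0/16")  # Site A as seen from Site B
SITE_B_FAKE = ipaddress.ip_network("172.17.0.0/16")  # Site B as seen from Site A

# Site A's routing table: the local LAN is a connected route, the peer's
# translated range points into the tunnel. Without NAT, Site B's real range
# would be identical to the connected route and never reach the tunnel.
SITE_A_ROUTES = [
    (SITE_A_REAL, "local LAN"),
    (SITE_B_FAKE, "ipsec tunnel to B"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
]


def translate(addr, from_net, to_net):
    """Static one-to-one block NAT: keep the host bits, swap the prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("block NAT needs equal-sized networks")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def lookup(dst, routes):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def a_to_b(src_real_a, dst_fake_b):
    """Site A host -> Site B host, addressed by B's translated address.
    Returns (src, dst) as the Site B host receives the packet."""
    hop = lookup(dst_fake_b, SITE_A_ROUTES)
    if hop != "ipsec tunnel to B":
        raise RuntimeError(f"{dst_fake_b} routed to '{hop}', never hits the tunnel")
    # Site A egress: translate the source, leave the destination untouched.
    src = translate(src_real_a, SITE_A_REAL, SITE_A_FAKE)
    # Site B ingress: keep the source, de-NAT the destination to B's real LAN.
    dst = translate(dst_fake_b, SITE_B_FAKE, SITE_B_REAL)
    return src, dst


def b_to_a(src_real_b, dst_fake_a):
    """The reply path is the mirror image: Site B egress translates the source,
    Site A ingress de-NATs the destination."""
    src = translate(src_real_b, SITE_B_REAL, SITE_B_FAKE)
    dst = translate(dst_fake_a, SITE_A_FAKE, SITE_A_REAL)
    return src, dst


def round_trip(a_host, b_host):
    """A host at Site A talks to a host at Site B; returns the (src, dst) pair
    seen by B on the request and by A on the reply, as dotted strings."""
    request = a_to_b(a_host, translate(b_host, SITE_B_REAL, SITE_B_FAKE))
    reply = b_to_a(request[1], request[0])  # B answers the address it saw
    return tuple(map(str, request)), tuple(map(str, reply))


if __name__ == "__main__":
    # Without NAT: a 10.1.x.y destination is a local host at Site A.
    print("10.1.5.5 routes to:", lookup("10.1.5.5", SITE_A_ROUTES))
    # With NAT: A addresses B's host as 172.17.5.5 and the packet takes the tunnel.
    print("request seen by B, reply seen by A:", round_trip("10.1.2.3", "10.1.5.5"))
```

Two practical consequences follow from the model. The crypto ACL that defines interesting traffic must reference the translated ranges (172.16.0.0/16 to 172.17.0.0/16 in this example), since that is what the packets carry when they reach the encryption step; and any application that embeds IP addresses in its payload (DNS answers, FTP, SIP) will hand the peer an address from the real range, which is meaningless there unless an ALG or split-horizon DNS rewrites it.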

