Clarification on IPSEC connectivity between 2 sites of Overlapping Subnet

ARUNPRABHU A
Level 1

Hi ,

My current setup have two sites consider it as A & B.

A is having Ip range 10.0.0.0/8

B is having Ip range 10.50.0.0/16

My doubt is whether IPSEC can be enabled between these 2 sites having overlapping IP address ranges, because to my knowledge, if any packet originating from A (let us assume source IP 10.0.0.5) is sent to dest IP 10.50.0.10, the packet will not be relayed to site B, since it has a matching mask in it.

Pls clarify whether IPSEC can be enabled between these sites; if so, how will it not be affected by this overlapping issue?

Otherwise I have to go for an IP schema change in one of the sites, but it is difficult because this is a well-established site.

Thanks for your comments on the same.

3 Replies

Danilo Dy
VIP Alumni

Hi,

More specific route still applies, i.e. the longer subnet.

I don't think your Site A is a single network segment of 10/8 - if it is, then 10.0.0.5 will not reach 10.50.0.10. When you subnet 10/8 in Site A, do not use 10.50/16 for Site A.

Regards,

Dandy

Thanks Dandy,

As per you, if I have 10.0.0.0/8 at Site A, then 10.50.0.0/16 must not be at Site B to establish IPSEC connectivity, am I right?

If you agree with the above statement, then can you tell me the solution for the same without changing the schema at both sides?

You need to double NAT on both sides.

At site A, you NAT the source of 10.0.0.0/8 to 11.0.0.0/8 and the destination of 172.16.0.0/16.

At site B, you do the opposite: you NAT the source of 10.50.0.0/16 to 172.16.0.0/16 and the destination will be 11.0.0.0/8.

Now when the traffic from Site A reaches site B, you keep the source 11.0.0.0/8 the same but you de-NAT the destination of 172.16.0.0/16 back to 10.50.0.0/16.

The same thing applies to Site A as well. When source 172.16.0.0/16 gets to site A, you keep the source the same but de-NAT 11.0.0.0/8 to 10.0.0.0/8.

Easy right?

CCIE Security
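The double-NAT scheme in the reply above, traced through as an added example (not code from the thread). It assumes the reply's intent: hosts at site A address site B hosts by their 172.16.0.0/16 alias and hosts at site B address site A hosts by their 11.0.0.0/8 alias, so only the translated ranges ever appear inside the tunnel, and the IPsec proxy IDs are checked to confirm they no longer overlap.

```python
# Added example: simulate the double NAT from the reply with ipaddress.
from ipaddress import IPv4Address, IPv4Network


def translate(addr: str, from_net: str, to_net: str) -> str:
    """Map addr from one prefix to another, keeping the host bits.

    Addresses outside from_net are returned unchanged (rule not matched).
    """
    a, src, dst = IPv4Address(addr), IPv4Network(from_net), IPv4Network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("real and translated prefixes must be the same size")
    if a not in src:
        return addr
    host_bits = int(a) & int(src.hostmask)
    return str(IPv4Address(int(dst.network_address) | host_bits))


# Real and translated ranges exactly as given in the reply.
A_REAL, A_NAT = "10.0.0.0/8", "11.0.0.0/8"
B_REAL, B_NAT = "10.50.0.0/16", "172.16.0.0/16"


def site_a_egress(src, dst):   # source NAT before the packet enters the tunnel
    return translate(src, A_REAL, A_NAT), dst

def site_b_ingress(src, dst):  # de-NAT the destination after the tunnel
    return src, translate(dst, B_NAT, B_REAL)

def site_b_egress(src, dst):
    return translate(src, B_REAL, B_NAT), dst

def site_a_ingress(src, dst):
    return src, translate(dst, A_NAT, A_REAL)


def forward(src, dst):
    """Site A host -> site B host (addressed as 172.16.x.y); returns (on tunnel, delivered)."""
    on_tunnel = site_a_egress(src, dst)
    return on_tunnel, site_b_ingress(*on_tunnel)

def reverse(src, dst):
    """Site B host -> site A host (addressed as 11.x.y.z); returns (on tunnel, delivered)."""
    on_tunnel = site_b_egress(src, dst)
    return on_tunnel, site_a_ingress(*on_tunnel)

def real_ranges_overlap() -> bool:
    return IPv4Network(A_REAL).overlaps(IPv4Network(B_REAL))

def tunnel_selectors_overlap() -> bool:
    """The IPsec proxy IDs are the translated ranges; these must not overlap."""
    return IPv4Network(A_NAT).overlaps(IPv4Network(B_NAT))


if __name__ == "__main__":
    print(forward("10.0.0.5", "172.16.0.10"))
    print(reverse("10.50.0.10", "11.0.0.5"))
    print(real_ranges_overlap(), tunnel_selectors_overlap())
```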
