VPN to VPN routing

vikaspurohit1
Level 1

[Attachment: Topology VPN Routing.jpg]

I took this diagram from the Cisco docs (https://supportforums.cisco.com/document/12110341/routing-traffic-between-two-site-site-vpn-tunnels), which provide a great explanation of VPN to VPN routing.

I am working on exactly the same scenario, but to provide a connection between a customer (can be seen as Point A) and our hosting partner (can be seen as Point C), two different entities and organizations.

As per this document, the subnets that need to be communicating with each other (192.168.1.0 and 192.168.3.0) have been exempted from NAT. I understand that we are not exposing the internal subnets to Internet as we are encrypting under IPSEC, but my hosting partner will come to know the internal subnets of customer and vice-versa. This will also have issues if there are overlapping subnets in customer and hosting partner.

Is it possible to apply NAT and then perform this kind of routing, so that we can avoid exposing internal addresses to the outside entities?

5 Replies

mvsheik123
Level 7

Hi,

From my understanding, A does not want C to know its internal IP scheme and vice versa. If that is the case, yes, you can use policy NAT where 192.168.1.0 will be NATed to 192.168.10.0, and the same at the other end. Use the new subnet in the crypto ACLs. Please search online for config examples (search by the "overlapping networks" keyword as well).

hth

MS
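As an added illustration (not from this thread and not Cisco code), a small Python model of the ordering the reply above relies on: policy NAT runs before the crypto ACL lookup, so the crypto ACL must reference the mapped subnet, otherwise the post-NAT packet matches nothing and is left unprotected. The subnets, the rule shape and the "unprotected" outcome are constructed assumptions for the model, not device behaviour.

```python
# Constructed model of "policy NAT first, then crypto ACL" on a VPN hub.
# Not Cisco code; subnets and rule shape are assumptions for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PolicyNat:
    real: str    # internal subnet to hide from the peer
    mapped: str  # subnet the peer is allowed to see
    peer: str    # translate only when the destination is this peer subnet


def translate(src, dst, rules):
    """Apply the first matching rule, keeping the host offset inside the prefix."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        real, mapped = ip_network(r.real), ip_network(r.mapped)
        if s in real and d in ip_network(r.peer):
            return str(mapped[int(s) - int(real.network_address)])
    return src  # no policy match: the real address leaves untranslated


def crypto_match(src, dst, acl):
    """Crypto ACL lookup on the post-NAT header; acl is (local_net, remote_net) pairs."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def forward(src, dst, rules, acl):
    """Return (outcome, source address the peer would see).

    'encrypted'   : post-NAT header matched a crypto ACL entry, so IPsec applies.
    'unprotected' : nothing matched; the packet is left to plain routing
                    (a real hub would drop it or forward it in the clear).
    """
    nat_src = translate(src, dst, rules)
    outcome = "encrypted" if crypto_match(nat_src, dst, acl) else "unprotected"
    return outcome, nat_src


# Customer A hides 192.168.1.0/24 behind 192.168.10.0/24 when talking to partner C.
RULES = [PolicyNat("192.168.1.0/24", "192.168.10.0/24", "192.168.3.0/24")]
ACL_MAPPED = [("192.168.10.0/24", "192.168.3.0/24")]  # crypto ACL written for the mapped subnet
ACL_REAL = [("192.168.1.0/24", "192.168.3.0/24")]     # stale crypto ACL still naming the real subnet
```

Running `forward("192.168.1.25", "192.168.3.7", RULES, ACL_MAPPED)` yields an encrypted packet whose source C sees as 192.168.10.25, while the same packet against ACL_REAL matches nothing.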

Hey.. Thanks.

I had checked VPN routing for overlapping networks, but that was a direct IPsec between endpoints. I understand that, going by the NAT order of operations, it should not matter even when we are routing between two VPNs, but since I did not see an exactly similar setup in any configuration example, I just want to confirm with the experts whether it would work or not.

istintcisco
Level 1

My problem is slightly different. We have two remote sites and we need to access both from the HQ. The two remote sites have L2 connectivity, which means the subnet overlaps at the remote sites. The reason for this deployment is to have a redundant path in case one remote site fails. That is to say, from HQ = 172.16.0.0/16 to Remote1 = 192.168.0.0/16 and to Remote2 = 192.168.0.0/16.

How do I configure this VPN from the HQ to Remote1 and Remote2?

Can you clarify the topology at the remote sites? Are you saying that there are two sites and that they are layer 2 connected? Does this mean that a host at site 1 can ARP for a host at site 2 and communicate with it directly? If that is the case, then I do not see a way for a site-to-site VPN to HQ to provide effective redundancy. You might be able to do something with L2TPv3 to provide a redundant path, but I do not see how you could accomplish it with IPsec.

HTH

Rick

The VPN from HQ to R1 is working fine. However, to ensure connectivity to the remote network 192.168.0.0/16, a VPN from HQ to R2 is needed. But as you can see, both are connected to the same internal network. R1 and R2 are not geographically located in the same place.
