torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Nat for ipsec with same subnets

Mon Aug 07, 2023 4:28 am

Hello,

My local network is 172.24.0.0/16

I need two IPsec site-to-site VPNs, but both remote sides have subnet 192.168.0.0/24

As expected, RouterOS won't let me enable the two policies at the same time.

I was wondering what nat or any other configuration would be suggested to accomplish this.

Thanks for any help on the matter.
 
Kentzo
Long time Member
Posts: 619
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Nat for ipsec with same subnets

Mon Aug 07, 2023 9:08 pm

*Not talking from experience

How about using your destination site selection criteria to perform NAT via netmap / masquerade of source addresses? With that you will be able to have distinct policies, i.e. instead of 172.24.0.0/16 <-> 192.168.0.0/24 you could have 10.0.0.0/16 <-> 192.168.0.0/24 for one site and 10.1.0.0/16 <-> 192.168.0.0/24 for another.
 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: Nat for ipsec with same subnets

Tue Aug 08, 2023 4:30 am

Thanks for your reply.

It sounds like a good idea, but can you give a hint on how to implement it?
 
Kentzo
Long time Member
Posts: 619
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Nat for ipsec with same subnets

Tue Aug 08, 2023 5:35 am

I have in mind something like this:
/ip/firewall/nat
# Outbound: 1:1 netmap of the local /16 onto a distinct range per tunnel
add chain=srcnat action=netmap *tunnel-1 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.0.0.0/16
# Inbound (decrypted IPsec traffic): map the tunnel range back to the local /16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.0.0.0/16 to-addresses=172.24.0.0/16

add chain=srcnat action=netmap *tunnel-2 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.1.0.0/16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.1.0.0/16 to-addresses=172.24.0.0/16

/ip/ipsec/policy
# Selectors no longer overlap: each policy sees a different translated source range
add tunnel=yes action=encrypt peer=tunnel-1 src-address=10.0.0.0/16 dst-address=192.168.0.0/24
add tunnel=yes action=encrypt peer=tunnel-2 src-address=10.1.0.0/16 dst-address=192.168.0.0/24
# Other IPsec specific configuration
I don't know how netmap affects connection tracking, hopefully it just works. But watch out for connection-state=invalid packets being dropped, just in case.
 
torrington
just joined
Topic Author
Posts: 22
Joined: Mon Sep 04, 2017 7:05 pm

Re: Nat for ipsec with same subnets

Mon Aug 14, 2023 5:45 am

Hi Kentzo, sorry for the late response.

I still haven't found the time to try it, but I wonder two things.

1) What do you mean by *tunnel-1 matching*
2) If the destination address is always 192.168.0.0/24, how would the router distinguish when I want to go through tunnel 1 from when I want to go through tunnel 2?

Thank you.
 
Kentzo
Long time Member
Posts: 619
Joined: Mon Jan 27, 2014 3:35 pm
Location: California

Re: Nat for ipsec with same subnets

Mon Aug 14, 2023 7:32 pm

[1] is related to [2]. You need to come up with a criterion to determine which of the 192.168.2.0 networks you want to reach. Once you have that, the NAT rule will change the src address to match the specific IPsec policy.

Perhaps it is possible to map the destination address such that 192.168.2.0 would appear as either 10.0.0.0 or 10.1.0.0 (depending on the tunnel). However, I'm not sure what firewall rules are needed for that; see the Packet Flow reference. On input you want to mangle before policy matching, and on output you want to mangle after policy matching.

Again, all of this is just an idea.

I see that a similar question was discussed here before; did you try any of the solutions?
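A small model of the translation chain sketched in the two replies above (the netmap rules from the earlier post, plus the tunnel-selection criterion the later post says is still needed), as an added example that is not from this thread. The selection rule by source /24 is an assumption standing in for the "*tunnel-1 matching*" placeholder; the networks are the thread's own.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed from the thread: one local /16, the same remote /24 at both
# sites, and the two 1:1 netmap ranges proposed for the IPsec selectors.
LOCAL = IPv4Network("172.24.0.0/16")
REMOTE = IPv4Network("192.168.0.0/24")
NETMAP = {"tunnel-1": IPv4Network("10.0.0.0/16"),
          "tunnel-2": IPv4Network("10.1.0.0/16")}

# ASSUMED selection criterion (the '*tunnel-1 matching*' gap in the post):
# which local /24 a host sits in decides the tunnel it uses.
SELECT = {IPv4Network("172.24.1.0/24"): "tunnel-1",
          IPv4Network("172.24.2.0/24"): "tunnel-2"}

def netmap(addr, src_net, dst_net):
    """1:1 netmap: keep the host bits of addr, swap in dst_net's network bits."""
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("address outside the mapped range")
    host_bits = int(addr) & int(src_net.hostmask)
    return IPv4Address(int(dst_net.network_address) | host_bits)

def matching_policies(src, dst, selectors):
    """Names of IPsec policies whose src/dst selectors match the packet."""
    return [name for name, (s, d) in selectors.items() if src in s and dst in d]

def without_netmap(src, dst):
    # Both policies would use 172.24.0.0/16 <-> 192.168.0.0/24: the selectors
    # overlap, which is why RouterOS refuses to enable both at once.
    both = {"tunnel-1": (LOCAL, REMOTE), "tunnel-2": (LOCAL, REMOTE)}
    return matching_policies(src, dst, both)

def outbound(src, dst):
    """srcnat netmap first, then policy lookup on the translated packet."""
    tunnel = next(t for net, t in SELECT.items() if src in net)
    translated = netmap(src, LOCAL, NETMAP[tunnel])
    selectors = {t: (net, REMOTE) for t, net in NETMAP.items()}
    matches = matching_policies(translated, dst, selectors)
    if len(matches) != 1:
        raise RuntimeError("policy selectors still overlap")
    return tunnel, translated, matches[0]

def inbound(dst):
    """Decrypted reply: dstnat netmap the tunnel range back to the local /16."""
    for tunnel, net in NETMAP.items():
        if dst in net:
            return tunnel, netmap(dst, net, LOCAL)
    raise ValueError("no netmap range covers this destination")
```

Note that `netmap` preserves the host bits, so a reply to 10.1.2.10 lands on the right local host (172.24.2.10) without any per-host state.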
 
LdB
Member Candidate
Posts: 185
Joined: Thu May 20, 2021 4:23 pm

Re: Nat for ipsec with same subnets

Tue Aug 15, 2023 11:00 am

We need to understand why you are hellbent on having overlapping subnets ... it's a lot easier not to :-)
