Page 1 of 1
Nat for ipsec with same subnets
Posted: Mon Aug 07, 2023 4:28 am
by torrington
Hello,
My local network is 172.24.0.0/16
I need two ipsec site to site vpn's, but both remote sides have subnet 192.168.0.0/24
As expected routeros won't let me enable the two policies at the same time.
I was wondering what nat or any other configuration would be suggested to accomplish this.
Thanks for any help on the matter.
Re: Nat for ipsec with same subnets
Posted: Mon Aug 07, 2023 9:08 pm
by Kentzo
*Not talking from experience
How about using your destination site selection criteria to perform NAT via netmap / masquerade of source addresses? With that you will be able to have distinct policies, i.e. instead of 172.24.0.0/16 <-> 192.168.0.0/24 you could have 10.0.0.0/16 <-> 192.168.0.0/24 for one site and 10.1.0.0/16 <-> 192.168.0.0/24 for another.
Re: Nat for ipsec with same subnets
Posted: Tue Aug 08, 2023 4:30 am
by torrington
Thanks for your reply.
It sound like a good idea, but can you give a hint on how to implement?
Re: Nat for ipsec with same subnets
Posted: Tue Aug 08, 2023 5:35 am
by Kentzo
I have in mind something like this:
/ip/firewall/nat
add chain=srcnat action=netmap *tunnel-1 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.0.0.0/16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.0.0.0/16 to-addresses=172.24.0.0/16
add chain=srcnat action=netmap *tunnel-2 matching* src-address=172.24.0.0/16 dst-address=192.168.0.0/24 to-addresses=10.1.0.0/16
add chain=dstnat action=netmap ipsec-policy=in,ipsec src-address=192.168.0.0/24 dst-address=10.1.0.0/16 to-addresses=172.24.0.0/16
/ip/ipsec/policies
add tunnel=yes action=encrypt peer=tunnel-1 src-address=10.0.0.0/16 dst-address=192.168.0.0/24
add tunnel=yes action=encrypt peer=tunnel-2 src-address=10.1.0.0/16 dst-address=192.168.0.0/24
# Other IPsec specific configuration
I don't know how netmap affects connection tracking, hopefully it just works. But watch out for connection-state=invalid packets being dropped, just in case.
Re: Nat for ipsec with same subnets
Posted: Mon Aug 14, 2023 5:45 am
by torrington
Hi Kentzo, sorry for the late response.
I still haven't found the time to try it, but I wonder two things.
1) What do you mean by *tunnel-1 matching*
2) if the destination address is always 192.168.0.0/24 how would the router will distinguish when I want to go through tunnel 1 from when I want to go through tunnel 2 ?
Thank you.
Re: Nat for ipsec with same subnets
Posted: Mon Aug 14, 2023 7:32 pm
by Kentzo
[1] is related to [2]. You need to come up with a criteria to determine which of the 192.168.2.0 networks you want to reach. Once you have that, the nat rule will change src address to match specific ipsec policy.
Perhaps it is possible to map destination address such as that 192.168.2.0 would appear as either 10.0.0.0 or 10.1.0.0 (depending on the tunnel). However, I'm not sure what firewall rules are needed for that, see the
Packet Flow reference. On input you want to mangle before policy matching and on output you want to mangle after policy matching.
Again, all of these is just an idea.
I see that similar question was
discussed here before, did you try any of the solutions?
Re: Nat for ipsec with same subnets
Posted: Tue Aug 15, 2023 11:00 am
by LdB
We need to understand why you are hellbent on having overlapping subnets ... its a lot easier to not
