
Author Topic: How to NAT to avoid IP conflict when using VPN?  (Read 154 times)


Offline buomque

How to NAT to avoid IP conflict when using VPN?
« on: December 29, 2017, 06:50:48 pm »
Hi guys,

I have set up VPN for 3 locations:

Location #1: VPN server
Location #2: networks 192.168.25.0/24       (only 5 servers at this location 192.168.25.2-6)
Location #3: networks 192.168.25.0/24       (only 10 servers at this location 192.168.25.100-109)

I cannot change the IP of any server. Is there a way to NAT all 5 IPs in location #2, so that my VPN server can access all 15 servers at location #2 and location #3?

Thanks,

Offline Derelict

Re: How to NAT to avoid IP conflict when using VPN?
« Reply #1 on: December 29, 2017, 09:27:50 pm »
NAT must be done at location 2 or location 3.

If the colliding subnet was on your side, you could do it, but it would require them to change the IPsec on their end.

You can try a phase 2 to location 2 with a remote network of 192.168.25.0/29 and a phase 2 at location 3 of 192.168.25.96/28.

But if the other side initiates and attempts to establish a P2 for the /24 it will fail. If you initiate and the other side is configured for /24 it might accept it and it might not. If you can get them to change the phase 2 settings to match those netmasks it should work just fine.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
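The narrowed phase 2 selectors suggested above can be checked before touching the tunnel. The following is an added example, not code from the thread or from pfSense: it takes the host ranges quoted in the first post, derives the smallest covering prefix for each site (/29 and /28 here), refuses a plan whose selectors overlap, and classifies how a peer's configured selector relates to ours, which is the mismatch case the reply warns about.

```python
import ipaddress

# Host ranges quoted in the thread; assumed to be the full set at each site.
SITES = {
    "location2": ("192.168.25.2", "192.168.25.6"),
    "location3": ("192.168.25.100", "192.168.25.109"),
}


def covering_prefix(first, last):
    """Smallest single CIDR block that contains every address first..last."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if hi < lo:
        raise ValueError("range end precedes range start")
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:
        net = net.supernet()  # widen by one bit until the last host fits
    return net


def plan_phase2(sites):
    """Map each site to its narrowed remote network; reject overlapping selectors."""
    plan = {name: covering_prefix(lo, hi) for name, (lo, hi) in sites.items()}
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a].overlaps(plan[b]):
                raise ValueError(f"{a} {plan[a]} overlaps {b} {plan[b]}")
    return plan


def selector_relation(local_selector, peer_selector):
    """How the peer's configured traffic selector relates to ours.

    'exact' is the only case both ends agree on; 'peer_wider' is the
    situation where the remote side still has the whole /24 configured."""
    local = ipaddress.ip_network(local_selector)
    peer = ipaddress.ip_network(peer_selector)
    if local == peer:
        return "exact"
    if local.subnet_of(peer):
        return "peer_wider"
    if peer.subnet_of(local):
        return "local_wider"
    return "disjoint"


if __name__ == "__main__":
    for name, net in plan_phase2(SITES).items():
        print(f"{name}: phase 2 remote network {net}")
    print("peer still on /24:", selector_relation("192.168.25.0/29", "192.168.25.0/24"))
```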

Offline buomque

Re: How to NAT to avoid IP conflict when using VPN?
« Reply #2 on: January 05, 2018, 07:50:49 pm »
Hi Derelict,

As I add more locations to the VPN, I find that location 4 and location 5 are both using the 192.168.214.0/24 block. Each location has a lot of servers using this IP block. Is there a way to NAT the whole IP block in location 4 to a new IP block, one-to-one IP NAT (for example 192.168.214.99 <--> 10.10.7.99)? The objective is to be able to reach each server at both locations.

Thank you,

Offline Derelict

Re: How to NAT to avoid IP conflict when using VPN?
« Reply #3 on: January 05, 2018, 08:44:04 pm »
That's pretty unlucky.

Yes, but the NAT has to be done at that location. For them to talk to each other it has to be done at both locations.