Policy Based IPSec Site to Site VPN with Overlapping Subnet
Zyxel Employee
Topology & Scenario:
Your headquarter office may have many IPsec VPN tunnels with Branch, However, all branch offices have the same subnet for example 192.168.11.0/24.
To meet the application, need a fake subnet represent for each Branch which means the headquarter only know the fake subnet.
For example:
192.168.100.0/24 → BranchA
192.168.101.0/24 → Branch B
Purpose
There may be many application scenarios with different settings.
The following article sets the settings according to the following goals.
1)The 192.168.11.0/24 can access HQ service 192.168.1.33
2)192.168.1.33 can access 192.168.100.0/24
The settings of HQ:
The simple IPSec settings, remote policy is the fake subnet rather than real.
The settings of Branch:
The simple IPSec settings, local policy is the fake subnet.
Outbound SNAT:
To make traffic from 192.168.11.0/24 can source translate to 192.168.100.0 since HQ site only know the fake subnet.
Destination NAT:
To make traffic to 192.168.100.0/24 can destination tranlate to 192.168.11.0/24
The routing make src:192.168.11.0/24 dst:192.168.1.0/24 force goto VPN tunnel.
otherwise, traffic to 192.168.1.0 won't reach to tunnel due to the phase2 policy.
Verification
1)The 192.168.11.0/24 can access HQ service 192.168.1.33
2)192.168.1.33 can access 192.168.100.0/24
Categories
- All Categories
- 434 Beta Program
- 2.7K Nebula
- 174 Nebula Ideas
- 117 Nebula Status and Incidents
- 6.1K Security
- 418 USG FLEX H Series
- 297 Security Ideas
- 1.6K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 43 Wireless Ideas
- 6.7K Consumer Product
- 269 Service & License
- 416 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 4.1K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 87 Security Highlight