[Solved] IPSEC VPN with overlapping subnets

DW_Informatica
DW_Informatica Posts: 10
First Comment Fourth Anniversary
 Freshman Member
edited April 2021 in Security
Hi,
we're trying to setup an IPSEC VPN for our home users using a Zyxel USG110, but our internal lan network has a 192.168.1.0/24 IP range, same for the users subnet.
I already followed this guide:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=016094&lang=EN

My configuration, trying to use SNAT:
===VPN Gateway===
NAT Traversal: enabled

===VPN Connection===
Application Scenario: Remote Access (Server Role)
Local Policy: subnet 192.168.9.0/24
GRE over IPsec: disabled
Mode Config: disabled
Outbound Traffic Source NAT: enabled
     Source: LAN1_subnet 192.168.1.0/24
     Destination: subnet 0.0.0.0/24
     SNAT: subnet 192.168.9.0/24
Destination NAT:
     Original IP: subnet 192.168.9.0/24
     Mapped IP: LAN1_subnet
     Protocol: ALL

===Network Routing===
Incoming: lan1
Source: LAN1_subnet
Destination: subnet 0.0.0.0/24
Next_Hop: VPN Tunnel with the name of the IPSEC connection
DSCP marking: preserve
SNAT: none

Our home users are using Shrew VPN client to connect. Some relevant settings on the Shrew client:
NAT Traversal: enabled
Policy Generation Level: required
Remote Network Resources: 192.168.9.0/24

Phase1&2 are working correctly, the tunnel is enabled so the connection is working, but they can't ping any server on 192.168.1.0/24 subnet.

What's the proper way to configure the USG firewall for overlapping subnets?
Thank you.



«1

Comments

  • CHS
    CHS Posts: 159
    First Answer First Comment Friend Collector Fifth Anniversary
     Master Member
    It looks you are not following all of the steps in document.
    Both of sides have to setup inbound/outbound NAT.
  • DW_Informatica
    DW_Informatica Posts: 10
    First Comment Fourth Anniversary
     Freshman Member
    Sure, but I'm speaking about home users on the other end, they're not equipped with a Zyxel. Do they have to setup it on their home router?
  • zyman2008
    zyman2008 Posts: 168
    25 Answers First Comment Friend Collector Fifth Anniversary
     Master Member
    edited October 2017
    You just need to configure the IPSec NAT setting on USG side.

    I test PSK+XAuth and mode config with SHREW 2.2.2
    All working fine.

    1. On IPSec Phase 1,
        I'm suing Aggressive mode. 
    2. On IPSec Phase 2,
        (1) enable mode-config to assign IP address (192.168.123.0/24) for VPN client,
        (2) enable IPSec NAT on Inbound Traffic Destination NAT.
    3. Add policy for traffic back to VPN client
        From any, to 192.168.123.0/24, next-hop:the VPN phase 2 rule, with Auto Destination Address
        enabled.

    Note:
    You need to access the mapped IP address(192.168.9.0/24) as the server IP address instead of the original 192.168.1.0/24

  • DW_Informatica
    DW_Informatica Posts: 10
    First Comment Fourth Anniversary
     Freshman Member
    edited October 2017
    Zyman, I tried changing my configuration as described by you, but still fails. See the following screenshots (Phase 2 is ok, and Shrew config is the same as above).

    Phase 2:

    EDIT: one mistake on the image, on Phase2-> Inbound Traffic-> Source I put the subnet 0.0.0.0/0

    Routing:


    Am I missing something? Thanks
  • zyman2008
    zyman2008 Posts: 168
    25 Answers First Comment Friend Collector Fifth Anniversary
     Master Member
    Here some comments of your configuration.

    Please use a non-overlap address space as IP address pool to the VPN clients.


    And you don't need to configure source NAT for IPSec inbound traffic.
     
    And here configuration on my Shrew client,
      

    I'm using aggressive mode so that the VPN server side can quick identify the different vpn clients. Configure local ID as DNS name. Each client should configure a different DNS string. 
      

    The phase remote network policy is the mapped subnet - 192.168.9.0/24


  • DW_Informatica
    DW_Informatica Posts: 10
    First Comment Fourth Anniversary
     Freshman Member
    edited October 2017
    Thanks for your patience Zyman, but still nothing.
    Here is my new config based on your suggestions.

    ===VPN Connection===
    Local Policy: subnet 192.168.9.0/24
    Mode config address pool: 192.168.10.2-192.168.10.50
    Destination NAT: Original IP 192.168.9.0/24, Mapped LAN1_subnet, Protocoll ALL

    ===Routing===
    Still the same.
    From any
    Destination 192.168.9.0/24 EDIT: 192.168.10.2-192.168.10.50
    VPN Tunnel

    The Shrew client is configured the same as yours, the only difference is in Authentication, but that phase works.

  • zyman2008
    zyman2008 Posts: 168
    25 Answers First Comment Friend Collector Fifth Anniversary
     Master Member
    ===VPN Connection===
    Mode config address pool: 192.168.10.2-192.168.10.50


    ===Routing===
    Still the same.
    From any
    Destination 192.168.9.0/24
    VPN Tunnel
    If the address for vpn clients is 192.168.10.2-192.168.10.50
    Then the routing back to the client need to be,
    ===Routing===
    From any
    Destination 192.168.10.2-192.168.10.50
    VPN Tunnel

  • DW_Informatica
    DW_Informatica Posts: 10
    First Comment Fourth Anniversary
     Freshman Member
    Sorry, I typed the wrong range, it was indeed Destination 192.168.10.2-192.168.10.50 in routing.
    The problem persists.
  • zyman2008
    zyman2008 Posts: 168
    25 Answers First Comment Friend Collector Fifth Anniversary
     Master Member
    OK, then here some steps for you to troubleshoot the issue.

    For example,
    The ip address of server behind USG is 192.168.1.10 (which mapped to 192.168.9.10)
    1. On USG, open the CLI (via Console or SSH) to trace the packet between vpn client and server
        # packet-trace interface lan1 ip-proto icmp
    2. Client dial-up the vpn and ping 192.168.9.10
    3. Check the packet trace
        (1) if you get the client IP to server IP(192.168.1.10) or not
        (2) Then check if the server reply to vpn client

  • DW_Informatica
    DW_Informatica Posts: 10
    First Comment Fourth Anniversary
     Freshman Member
    I can ping it. In this scenario:
    Internal server: 192.168.1.5
    remote vpn client: 192.168.10.3 (under the policy 192.168.9.0/24)
    If I ping 192.168.9.5 the firewall correctly redirects to 192.168.1.5, so it works.

    Can I redirect 192.168.1.0/24 traffic to the 192.168.9.0/24 ?
    Because if I ping a hostname, our local DNS server will call only the 192.168.1.0/24 subnet, so calling servers by hostname always fails.

Security Highlight