[Solved] IPSEC VPN with overlapping subnets
DW_Informatica
Posts: 18
Freshman Member
Hi,
We're trying to set up an IPsec VPN for our home users using a Zyxel USG110, but our internal LAN has a 192.168.1.0/24 IP range, the same as the users' subnet.
I already followed this guide:
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=016094&lang=EN
My configuration, trying to use SNAT:
===VPN Gateway===
NAT Traversal: enabled
===VPN Connection===
Application Scenario: Remote Access (Server Role)
Local Policy: subnet 192.168.9.0/24
GRE over IPsec: disabled
Mode Config: disabled
Outbound Traffic Source NAT: enabled
Source: LAN1_subnet 192.168.1.0/24
Destination: subnet 0.0.0.0/24
SNAT: subnet 192.168.9.0/24
Destination NAT:
Original IP: subnet 192.168.9.0/24
Mapped IP: LAN1_subnet
Protocol: ALL
===Network Routing===
Incoming: lan1
Source: LAN1_subnet
Destination: subnet 0.0.0.0/24
Next_Hop: VPN Tunnel with the name of the IPSEC connection
DSCP marking: preserve
SNAT: none
Our home users are using the Shrew VPN client to connect. Some relevant settings on the Shrew client:
NAT Traversal: enabled
Policy Generation Level: required
Remote Network Resources: 192.168.9.0/24
Phase 1 & 2 are working correctly and the tunnel is up, so the connection works, but they can't ping any server on the 192.168.1.0/24 subnet.
What's the proper way to configure the USG firewall for overlapping subnets?
Thank you.
Comments
-
It looks you are not following all of the steps in document.
Both sides have to set up inbound/outbound NAT.
-
Sure, but I'm speaking about the home users on the other end; they're not equipped with a Zyxel. Do they have to set it up on their home router?
-
You just need to configure the IPSec NAT setting on USG side.
I tested PSK+XAuth and mode config with Shrew 2.2.2.
All working fine.
1. On IPSec Phase 1,
I'm using Aggressive mode.
2. On IPSec Phase 2,
(1) enable mode-config to assign IP address (192.168.123.0/24) for VPN client,
(2) enable IPSec NAT on Inbound Traffic Destination NAT.
3. Add policy for traffic back to VPN client
From any, to 192.168.123.0/24, next-hop: the VPN phase 2 rule, with Auto Destination Address enabled.
Note:
You need to access the mapped IP address (192.168.9.0/24) as the server IP address instead of the original 192.168.1.0/24.
-
Zyman, I tried changing my configuration as you described, but it still fails. See the following screenshots (Phase 2 is OK, and the Shrew config is the same as above).
Phase 2:
EDIT: one mistake in the image: under Phase 2 -> Inbound Traffic -> Source I put the subnet 0.0.0.0/0
Routing:
Am I missing something? Thanks
-
Here are some comments on your configuration.
Please use a non-overlapping address space as the IP address pool for the VPN clients.
And you don't need to configure source NAT for IPSec inbound traffic.
And here is the configuration on my Shrew client:
I'm using aggressive mode so that the VPN server side can quickly identify the different VPN clients. Configure the local ID as a DNS name. Each client should configure a different DNS string.
The remote network policy in the phase settings is the mapped subnet, 192.168.9.0/24.
-
Thanks for your patience Zyman, but still nothing.
Here is my new config based on your suggestions.
===VPN Connection===
Local Policy: subnet 192.168.9.0/24
Mode config address pool: 192.168.10.2-192.168.10.50
Destination NAT: Original IP 192.168.9.0/24, Mapped LAN1_subnet, Protocol ALL
===Routing===
Still the same.
From any
Destination 192.168.9.0/24 EDIT: 192.168.10.2-192.168.10.50
VPN Tunnel
The Shrew client is configured the same as yours, the only difference is in Authentication, but that phase works.
-
===VPN Connection===
Mode config address pool: 192.168.10.2-192.168.10.50
===Routing===
Still the same.
From any
Destination 192.168.9.0/24
VPN Tunnel
Then the routing back to the client needs to be:
===Routing===
From any
Destination 192.168.10.2-192.168.10.50
VPN Tunnel
-
Sorry, I typed the wrong range, it was indeed Destination 192.168.10.2-192.168.10.50 in routing.
The problem persists.
-
OK, then here are some steps to troubleshoot the issue.
For example:
The IP address of the server behind the USG is 192.168.1.10 (which is mapped to 192.168.9.10).
1. On the USG, open the CLI (via console or SSH) to trace the packets between the VPN client and the server:
# packet-trace interface lan1 ip-proto icmp
2. Have the client dial up the VPN and ping 192.168.9.10.
3. Check the packet trace:
(1) whether you see packets from the client IP to the server IP (192.168.1.10) or not,
(2) then check whether the server replies to the VPN client.
-
I can ping it. In this scenario:
Internal server: 192.168.1.5
Remote VPN client: 192.168.10.3 (under the policy 192.168.9.0/24)
If I ping 192.168.9.5, the firewall correctly redirects to 192.168.1.5, so it works.
Can I redirect 192.168.1.0/24 traffic to 192.168.9.0/24?
Because if I ping a hostname, our local DNS server will only return addresses in the 192.168.1.0/24 subnet, so calling servers by hostname always fails.
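A worked model of the address translation discussed in this thread, added here as an example; it is not code from the thread, from Zyxel or from the USG firmware. It assumes the addresses used above (LAN 192.168.1.0/24, mapped subnet 192.168.9.0/24 and the non-overlapping client pool 192.168.10.0/24), and the function names `check_plan`, `translate`, `simulate_echo` and `rewrite_dns_answers` are this example's own. It shows why the client pool must overlap neither range, how a 1:1 NAT maps 192.168.9.x to 192.168.1.x on the way in and back on the way out so an echo reply comes from the address the client pinged, and how the DNS problem in the last post can be modelled: an A-record answer of 192.168.1.x has to be rewritten to 192.168.9.x (or served from a split-horizon zone) before a VPN client can reach a server by hostname.

```python
import ipaddress

# Constructed values taken from the thread; the client pool is the
# non-overlapping range suggested in the replies (an assumption of this example).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")     # real servers
MAPPED_SUBNET = ipaddress.ip_network("192.168.9.0/24")  # what VPN clients see
CLIENT_POOL = ipaddress.ip_network("192.168.10.0/24")   # mode-config address pool


def check_plan(client_net, lan=LAN_SUBNET, mapped=MAPPED_SUBNET):
    """Return a list of design problems; an empty list means the plan is usable."""
    client_net = ipaddress.ip_network(client_net)
    problems = []
    if lan.prefixlen != mapped.prefixlen:
        problems.append("LAN and mapped subnet need the same prefix length for 1:1 NAT")
    if client_net.overlaps(lan):
        problems.append(f"client pool {client_net} overlaps the LAN {lan}")
    if client_net.overlaps(mapped):
        problems.append(f"client pool {client_net} overlaps the mapped subnet {mapped}")
    return problems


def translate(addr, src_net, dst_net):
    """1:1 network translation: keep the host bits, replace the network bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    host_bits = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))


def inbound_dnat(dst):
    """Client -> server direction: the mapped address becomes the real LAN address."""
    return translate(dst, MAPPED_SUBNET, LAN_SUBNET)


def outbound_snat(src):
    """Server -> client direction: the real LAN address is hidden behind the mapped one."""
    return translate(src, LAN_SUBNET, MAPPED_SUBNET)


def simulate_echo(client_ip, target_ip):
    """Follow one ping from a VPN client through the NAT and back.

    Returns (destination the server actually sees, source the client sees in
    the reply).  The reply source must equal target_ip, otherwise the client's
    stack discards the reply as unsolicited.
    """
    client_ip = ipaddress.ip_address(client_ip)
    if client_ip not in CLIENT_POOL:
        raise ValueError(f"{client_ip} is not a VPN client address")
    real_dst = inbound_dnat(target_ip)
    reply_src = outbound_snat(real_dst)
    return real_dst, reply_src


def rewrite_dns_answers(answers):
    """Rewrite A-record answers so a VPN client receives mapped addresses.

    Internal DNS hands out 192.168.1.x, which a client behind the overlapping
    subnet cannot reach; answers inside the LAN are translated to the mapped
    range, anything else is returned unchanged.
    """
    rewritten = {}
    for name, ip in answers.items():
        ip = ipaddress.ip_address(ip)
        rewritten[name] = outbound_snat(ip) if ip in LAN_SUBNET else str(ip)
    return rewritten


if __name__ == "__main__":
    print(check_plan("192.168.1.0/24"))   # overlapping pool: one problem reported
    print(check_plan(CLIENT_POOL))        # []
    print(simulate_echo("192.168.10.3", "192.168.9.5"))
    print(rewrite_dns_answers({"fileserver": "192.168.1.5", "ext": "203.0.113.7"}))
```

The `simulate_echo` call reproduces the working case from the last post (client 192.168.10.3 pinging 192.168.9.5 reaches 192.168.1.5 and gets its reply from 192.168.9.5), and `rewrite_dns_answers` is the missing piece that post asks about: unless name resolution for VPN clients yields the mapped range, hostnames keep resolving to 192.168.1.x and fail.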