NAT ipsec VPN tunnel

Started by tstaba, July 30, 2024, 08:46:03 AM

Hi guys,
New to OPNsense here. I have a new client that is using OPNsense. On my side I have a Sophos XG appliance.
The issue is that the customers from before are using the same local subnet as this new customer.
We need to create a NAT VPN tunnel.

New customer ( Customer A) is using 192.168.0.0/21 subnet.
That interferes with already existing 192.168.0.0/24 on another customer.

We would like to use 172.24.0.0/24 subnet to connect to new customer.
Bear in mind, there are already cca. 80 hosts in this 192.168.0.0/21 subnet.

We need to be able to access those clients with their existing IP addresses (for example 192.168.6.12) through the VPN tunnel.

Can anyone help?

Dear tstaba,

What you need to do is to use so far unused subnets for the unique routing between both sites.

So e.g. for Site A you need to imagine 192.168.6.0/24 is e.g. 192.168.20.0/24 (but only for the transfer via IPsec, and vice versa): so for Site A use for example 192.168.20.0/24 and for Site B 192.168.21.0/24.

In OPNsense you then need to BINAT your IPsec traffic. In the IPsec config you need to assign these subnets as local and remote network; on Site A: local 192.168.20.0/24, remote 192.168.21.0/24, and on Site B: local 192.168.21.0/24, remote 192.168.20.0/24.

Via BINAT you need to SNAT (NETMAP) your client IP (192.168.6.x) to the fake net (192.168.20.x). This will then be routed via IPsec.
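A small planning helper, added here and not part of either post, that applies the numbers from the answer: it checks that the chosen transfer subnets are really unused on our side, translates a client address in both directions the way a 1:1 BINAT/NETMAP does, and renders the equivalent pf.conf binat rule. The existing-subnet list, the interface name enc0 and the exact rule form are assumptions, not OPNsense's own generated configuration.

```python
import ipaddress

# Constructed values taken from the thread: the real client subnet, the so-far
# unused transfer ("fake") subnet it is mapped to, the remote side's transfer
# subnet, and (an assumption) the subnets already routed on our side.
REAL_NET = "192.168.6.0/24"
FAKE_NET = "192.168.20.0/24"
REMOTE_NET = "192.168.21.0/24"
EXISTING_NETS = ["192.168.0.0/24"]


def conflicts(net, existing):
    """Return the subnets in `existing` that overlap `net` (empty if none)."""
    net = ipaddress.ip_network(net)
    return [n for n in existing if ipaddress.ip_network(n).overlaps(net)]


def check_netmap(real, fake, remote, existing):
    """Raise unless a 1:1 netblock mapping real->fake can work next to `existing`."""
    real, fake, remote = (ipaddress.ip_network(n) for n in (real, fake, remote))
    if real.prefixlen != fake.prefixlen:
        raise ValueError("1:1 BINAT needs equal prefix lengths on both blocks")
    for net in (fake, remote):
        clash = conflicts(net, existing)
        if clash:
            raise ValueError(f"{net} is not unused: overlaps {clash}")
    if fake.overlaps(remote):
        raise ValueError("the two transfer subnets overlap each other")
    return True


def netmap(addr, src_net, dst_net):
    """Translate addr in src_net to the host with the same offset in dst_net."""
    addr = ipaddress.ip_address(addr)
    src_net, dst_net = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    offset = int(addr) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + offset))


def pf_binat_rule(real, fake, remote, iface="enc0"):
    """pf.conf(5) binat rule matching the one-to-one NAT (iface name is assumed)."""
    return f"binat on {iface} from {real} to {remote} -> {fake}"


if __name__ == "__main__":
    check_netmap(REAL_NET, FAKE_NET, REMOTE_NET, EXISTING_NETS)
    print(netmap("192.168.6.12", REAL_NET, FAKE_NET))
    print(pf_binat_rule(REAL_NET, FAKE_NET, REMOTE_NET))
```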