NATing LAN2, but not IPSec tunnel with the same subnet range

Started by ivoruetsche, Today at 12:03:34 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
Today at 12:03:34 PM
Hi

I have the problem, that we have two subnet with destination 192.168.2.0/24, one is direct connected to OPNsense (26.01), the other via IPSec:

LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPSec destination: 192.168.2.0/24

The hosts in the LAN2 subnets should see the hosts from LAN1 with the GW IP 192.168.2.3, reachable from 10.16.5.0 subnet with 192.168.22.0 and no communication back to 10.16.5.0, so only one-way.

The hosts on remote subnet via IPSec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses, also from the remote 192.168.2.0 subnet, the 10.16.5.0 hosts must be reachable.

I try 1:1 NAT, Outgoing NAT, Destination NAT and some combinations of then, Filter roles with and without gateways, no luck. At the most of the configurations, the traffic goes via IPSec, but not to LAN2 or was not NATed.

Any hints are welcome.

Thanks a lot
Ivo
Today at 12:25:39 PM #1
Renumber one of the locations.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 01:33:10 PM #2 Last Edit: Today at 01:36:35 PM by ivoruetsche
:-) Hehe, would be nice if I can do that.

This is only the little top of the the whole network. Many routes, many tunnels at all the gateways, crossing the whole Europe...
Today at 03:21:22 PM #3
You can translate (nat) the remote subnet into something else, but this must be done on the remote site.

With overlapping subnets locally and in the IPSec policy, routing is not going to work at all.
Today at 05:07:34 PM #4
Quote from: ivoruetsche on Today at 01:33:10 PM:-) Hehe, would be nice if I can do that.

This is only the little top of the the whole network. Many routes, many tunnels at all the gateways, crossing the whole Europe...
Then NOW is THE MOMENT to fix poor network design decisions and make sure you won't encounter issues in the future! ;)

You could try some small adjustments to the DHCP Pool/Subnet size and/or try Split-Horizon OSPF Routing options, but I am not sure if it would help at all to be honest...
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
Today at 06:05:38 PM #5

It's a bit frustrated to get such replays where are not that constructive. I wouldn't post and invest a lot of try and error time if the solution is that easy like to change the subnet.

This has a reason why I can't change the numbering and sometimes it's just a fact.

Thanks a lot

Ivo
Print
Go Up Pages1
User actions