topic Re: Site to Site VPN with overlapping subnet in General Topics

Site to Site VPN with overlapping subnet

gavin211 — Thu, 23 Dec 2021 10:47:34 GMT

Hello Experts,

I am facing some issue with overlapping subnet, hope to be able to get some solution from this forums.

Below are what we current having / using

Star topology VPN

Main Site (Checkpoint) - 10.0.0.0/24

Remote Site A (Checkpoint)- 192.168.2.0/24, 192.168.3.0/24 (Configured IPSec Tunnel)

Remote Site B (Fortinet) - 192.168.0.0/21 (Having issue configuring IPSec Tunnel)

I am having issue trying to establish a IPSec Tunnel with remote site B, most likely due to the overlapping of subnet.

I would like to seek for advise on how can we move forward to solve this issue.

Thanks in advance.

Re: Site to Site VPN with overlapping subnet

_Val_ — Thu, 23 Dec 2021 11:55:57 GMT

NAT or change the Remote A subnet

Re: Site to Site VPN with overlapping subnet

gavin211 — Thu, 23 Dec 2021 12:06:27 GMT

Changing remote A subnet will not be possible. Is there a guide for NAT between site to site VPN?

Re: Site to Site VPN with overlapping subnet

the_rock — Thu, 23 Dec 2021 12:51:19 GMT

@_Val_ is absolutely right. Now, personally, and this is just me, what I would do, just to be sure is maybe do quick vpn debug on CP side to confirm, but yea, it appears overlapping subnets are problem, for sure. 192.168.0.0/21 would definitely encompass 192.168.2.0/24 network. You can run below command on CP firewall and see what it shows.

vpn overlap_encdom

Re: Site to Site VPN with overlapping subnet

_Val_ — Thu, 23 Dec 2021 13:15:32 GMT

This is a classic case, for every vendor running IPSec VPN S2S tunnels. There are plenty explanations on how to fix it with NAT. For example, https://www.practicalnetworking.net/stand-alone/vpn-overlapping-networks/