notempty
Connecting VPN networks to the same broadcast domains (IP ranges)
Last adaptation to the version: 11.8.7
- Changes
- Zone of remote network corrected
- layout adjustment
Previous versions: 11.7
If the same subnets are used on both sides of a VPN connection, it is normally not possible to set up this connection.
In addition, it can happen that the same networks are set up behind different remote peers.
With the NAT type NETMAP and auxiliary networks (map network) that are not set up on any of the remote peers to be connected, these connections can still be set up without completely changing the subnet on one of the sides.
NATing complete subnets with NETMAP
Preparation
Head office & Branch office
To use the NETMAP function the following conditions have to be observed:
- The subnets of the objects involved in NETMAP must all have the same size, for example all /24.
- All objects involved must have entered a defined network IP address. So no interfaces may be selected'.
Check the network object of the internal network and if necessary change to Address by activating the radio button before Address and entering the network address with the corresponding subnet mask in the field. In this example we have the network 172.16.3.0/24 on both sides.
Initial conditions
Head office and branch have the same subnetwork
In this case, the mapping must be set up on both sides of the connection.
Local network | Public IP | Netmap | |
Head office | 172.16.3.0/24 | 192.0.2.192 | 10.0.1.0/24 |
Branch office | 172.16.3.0/24 | 192.0.2.193 | 10.0.2.0/24 |
The connection is to be established via IPSec.
Create network objects
Two network objects must be created in the head office with networks that are neither set up in the head office nor in the branch office.
Head office
→ Network Objects →
The network object for the (remote) Branch MapNet must be of Type .
- For IPSec-connections, the network object must be in the Zone .
- For SSL VPN connections, a connection must be created first.
This creates a zone VPN-SSL-Connection name.
The network object must then be created with this zone.
In our example, the network object receives the network address 10.0.2.0/24
The network object for the (own) Mapnet of the central office must be located in the zone of the internal network and is given the network address 10.0.1.0/24 in our example.
Branch office
Two network objects are also created on the branch side.
There is the network 10.0.1.0/24, the map network of the central office located in the Zone and the network 10.0.2.0/24, the map network of the branch office created with the zone of the internal network .
Creating a NETMAP Rule
Port filter rules must be created on each page, depending on the usage scenario.
On the side of the Head office for outgoing network traffic | |
---|---|
Source |
|
Destination |
|
Service |
|
[–] NAT Type |
|
network object |
|
On the side of the Head office for network traffic initiated by the remote peer | |
Source |
|
Destination |
|
Service |
|
[–] NAT Type |
No NAT of the type NETMAP is needed for this any more |
On the side of the Branch office for outgoing network traffic | |
Source |
|
Destination |
|
Service |
|
[–] NAT Type |
|
network object |
|
On the side of the Branch office for network traffic initiated by the remote peer | |
Source |
|
Destination |
|
Service |
|
[–] NAT Type |
No NAT of the type NETMAP is needed for this any more |
Create VPN connection
Head office
Create an IPSec site to site VPN connection, as described in the Wiki in the menu with the button.
- In step 3, the local map network must be released.
- in step 4 the remote Mapnet.
Branch office
Create an IPSec site to site VPN connection, as described in the Wiki in the menu with the button.
- In step 3, the local map network must be released.
- in step 4 the remote Mapnet.
Accessibility of hosts of the remote station
A host with the IP address 172.16.3.10 in the branch is addressed from the head office with the IP address 10.0.2.10.
A host with the IP address 172.16.3.120 in the head office is addressed from the branch office with the IP address 10.0.1.120.
Several branches have an identical subnetwork
Initial conditions
Local network | Public IP | netmap | |
Head office | 172.16.0.0/24 | 192.0.2.192 | not required |
Branch office 1: | 172.16.3.0/24 | 192.0.2.193 | not required |
Branch office 2: | 172.16.3.0/24 | 192.0.2.194 | 10.0.1.0/24 |
Mapping is only set up on branches that use the same network as already has been set up on a VPN connection. No mapping is required in the head office if the internal network of the head office differs from that of the branches. One existing network can also be used without mapping in a branch.
Create network objects
In Branch office 1 (and in any other branch that uses an otherwise unused subnet) an IPSec network object is set up for the head office.
The network object for the network of the remote terminal must be located in the zone vpn-ipsec. In our example, it has the network address 172.16.0.0/24.
In the Branch office 2 (and in each additional branch that uses an already used subnet), a second network object is created for its own subnet, which is mapped.
The Mapnet must not be used in the branch, in the head office, or in any of the other branches that are connected to the head office via VPN connections.
The network object for the map network in the branch office must be located in the zone of the internal network and in our example is given the network address 10.0.1.0/24. (Other branches get a different Mapnet at this point!)
Creating a NETMAP Rule
Port filter rules in branch 2 (and in any other branch that uses an already used subnet)
On the side of the Branch office 2 | |
---|---|
Source |
|
Destination | |
Service |
|
[–] NAT Type |
|
network object |
Create VPN connection
Create an IPSec site to site VPN connection, as described in the Wiki in the menu with the button.
Branch office 1
- In step 3, the local network (without mapping) must be released.
In the example:» ✕172.16.3.0/24
Branch office 2 (and other stores, if applicable)
- In step 3 the local Mapnet must be released.
In the example: » ✕10.0.1.0/24
each branch
- In step 4, the direct remote network of the head office (without mapping) is released.
In the example: » ✕172.16.0.0/24
Head office
- A connection is required for each branch.
- In step 3, the local network must be released.
In the example: » ✕172.16.0.0/24 - In step 4, the mapped remote network of the corresponding branch is released.
In the example: » ✕10.0.1.0/24
Portfilter rules
Two options are available:
- Head office & each branch
Menu IpsecTraffic} → Rule Acceppt On
In this case rules are created in the background, which allow all services for all computers on both sides. (Default)
- Recommended: Custom port filter rules that only allow services that are needed.
To do this, the IpsecTraffic Accept option in the -menu, section IpsecTraffic is to be disabled Off and port filter rules are created manually.
Example:
On the side of the Head office | |
---|---|
Source |
(Map network of the VPN remote peer) |
Destination |
|
Service |
|
A connection is required for each branch. No NAT of the type NETMAP is needed for this any more . | |
On the side of the Branch office | |
Source |
(head office network) |
Destination |
|
Service |
Accessibility of hosts of the remote station
A host with the IP address 172.16.3.10 in branch 1 is addressed from the head office with exactly this IP address (172.1.6.3.10).
A host with the IP address 172.16.3.10 in branch 2 is addressed from the head office with the mapped IP address 10.0.1.10.
A host with the IP address 172.16.0.120 in head office is addressed from the branch office with the IP address 172.16.0.120.