Site-to-Site VPN with overlapping network
I have 3 sites joined via site-to-site VPNs as follows:
Site A - 192.168.1.192/26
Site B - 192.168.168.0/26
Site C - 192.168.1.192/26, 192.168.2.192/26
Site B to Site A (192.168.168.0/26 - 192.168.1.192/26)
Site B to Site C (192.168.168.0/26 - 192.168.2.192/26)
Due to a partial move of services from A to C and needing to keep the same network, I have ended up with two sites with the same network (192.168.1.192/26).
The challenge is: how can I add 192.168.1.192/26 to the site-to-site policy on B to C?
My guess is that a typical site-to-site policy cannot be used. Also, I thought I could work around this by splitting the subnet, but I need the full range and had to abandon that idea.
@md3895 use a route-based VPN (Tunnel interface) and route some IPs via site A and some via site C. I presume, if you are moving the devices, that some are on A and others on C? The only other issue you will have is that the devices which are on the same subnet will need their routing tables updated manually to say the other devices go via the gateway IP; otherwise they will look locally via the switches for the addresses.
You can use IP hosts, ranges and networks via the routed VPN method, whereas the policy-mode VPN doesn't like ranges.
@preston Yes, some devices are still at A and others at C.
I am working with 3 different and distant generations of SonicWalls, and Site B does not support route-based tunnel interfaces. However, I could do a tunnel interface between A and C. Would I then be able to route traffic from B to A to C?
@md3895 which SonicWall device doesn't do routed VPN? You should be OK from Gen5 5.9 onwards. If the firewall doesn't support it, you could set up a VPN from A to B, as B knows how to do the routing; it should work.
On sites A and C, though, you will need to make sure that the 192.168.1.192/26 gateway IPs are different, so you can route to each of the hosts or ranges via the other's IP address for the static routes on the endpoints. For example, if 192.168.1.200 is on site A and its gateway IP is 192.168.1.193, then
on a PC on Site C you would need to add a static route into the route table like the one below. You would also have to do the same on Site A for the devices situated on Site C, going via its gateway IP:
route -p ADD 192.168.1.200 MASK 255.255.255.255 192.168.1.193
Obviously, on the site where you change the gateway IP, you will need to set the devices which are there to use its new IP as the gateway, as I presume at the moment all the devices on both the A and C networks are using the same gateway IP.
Hope all that makes sense.
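To make the workaround above concrete, here is an added example (not code from the thread or from SonicWall) that plans the host routes for the overlapping subnet: it checks that the two sites really use different gateway IPs and do not both claim the same host, then emits the persistent Windows `route` commands for each site's machines and the per-host routes a route-based hub (Site B in the thread) would point into each tunnel. It uses a /32 mask so the host route always beats the on-link /26, and it takes the next hop to be the machine's own local gateway, the one address in the subnet it can actually ARP for. All hosts, gateway IPs and tunnel names below are constructed sample data.

```python
"""Plan the per-host routes needed when two VPN sites share one subnet.

Added example, not code from the thread or from SonicWall. The overlapping
subnet keeps a different gateway IP at each site, and every endpoint that
must reach a host at the other site gets a /32 (host) route for it instead
of relying on the local /26. Hosts, gateways and tunnel names below are
constructed sample data.
"""
from ipaddress import IPv4Address, IPv4Network

HOST_MASK = "255.255.255.255"   # a single host, so the on-link /26 never wins

# Constructed inventory: the overlapping subnet, which hosts sit at which
# site, and the (distinct) gateway IP each site's firewall uses on it.
OVERLAP = IPv4Network("192.168.1.192/26")
SITES = {
    "A": {"gateway": IPv4Address("192.168.1.193"),
          "hosts": [IPv4Address("192.168.1.200"), IPv4Address("192.168.1.201")]},
    "C": {"gateway": IPv4Address("192.168.1.194"),
          "hosts": [IPv4Address("192.168.1.210")]},
}


def validate(sites, subnet=OVERLAP):
    """Return the list of problems that would make the plan ambiguous.

    An empty list means every address is inside the shared subnet, no host
    is claimed by two sites, no host reuses a gateway IP, and no two sites
    share the same gateway IP.
    """
    problems = []
    owner_of_host = {}
    owner_of_gateway = {}
    for name, site in sites.items():
        gw = site["gateway"]
        if gw not in subnet:
            problems.append(f"gateway {gw} of site {name} is outside {subnet}")
        if gw in owner_of_gateway:
            problems.append(f"sites {owner_of_gateway[gw]} and {name} both use gateway {gw}")
        owner_of_gateway[gw] = name
        for host in site["hosts"]:
            if host not in subnet:
                problems.append(f"host {host} at site {name} is outside {subnet}")
            if host in owner_of_host:
                problems.append(f"host {host} is listed at both {owner_of_host[host]} and {name}")
            owner_of_host[host] = name
    for host, name in owner_of_host.items():
        if host in owner_of_gateway:
            problems.append(f"host {host} at site {name} collides with a gateway IP")
    return problems


def endpoint_routes(sites):
    """Host routes each site's machines need for hosts living at the other sites.

    Returns {site: [(destination, netmask, next_hop), ...]}. The next hop is
    the machine's own local gateway; that firewall carries the packet over
    the VPN to the site that actually has the host.
    """
    plan = {}
    for name, site in sites.items():
        local_gw = str(site["gateway"])
        plan[name] = [
            (str(host), HOST_MASK, local_gw)
            for other, remote in sites.items() if other != name
            for host in remote["hosts"]
        ]
    return plan


def windows_commands(sites):
    """Render the plan as persistent `route` commands for a Windows endpoint."""
    return {
        name: [f"route -p ADD {dst} MASK {mask} {gw}" for dst, mask, gw in routes]
        for name, routes in endpoint_routes(sites).items()
    }


def hub_routes(sites, tunnel_name="tunnel-to-{}"):
    """Routes a third site (Site B in the thread) needs on a route-based VPN:
    one /32 per host, sent into the tunnel to whichever site hosts it."""
    return [
        (f"{host}/32", tunnel_name.format(name))
        for name, site in sites.items()
        for host in site["hosts"]
    ]


if __name__ == "__main__":
    issues = validate(SITES)
    if issues:
        raise SystemExit("\n".join(issues))
    for site, cmds in windows_commands(SITES).items():
        print(f"# on every machine at site {site}")
        print("\n".join(cmds))
    print("# on the hub firewall")
    for dst, via in hub_routes(SITES):
        print(f"{dst} -> {via}")
```

Run it once with the real inventory before touching any endpoint: a non-empty result from `validate()` means the two sites still share a gateway IP or both think they own a host, and the static routes would then send traffic in a loop or to the wrong site.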
@md3895 this scenario is IMHO creating way too much overhead when forced into the current VPN scenario. Wouldn't it be easier to have 192.168.1.192/26 configured at each location and place a MikroTik router at each end? With RouterOS you can provide a so-called Ethernet-over-IP tunnel.
Depending on the speed you need, this is probably doable for about €60 per location.
This is at least how I would tackle it; everything else is too much hassle.
Just my € .02 - YMMV.
@preston Thank you for the input. The unsupported firewall predates 5.9. I understand the overall concept, and yes, the devices at Sites A and C use the same gateway IP. I will hash it out, though.
@BWC Agreed, it is a lot of overhead, which was expected given the setup, but a MikroTik might just be the solution. We already have an Ethernet-over-IP tunnel on another network, so this should be trivial.
I should have feedback in a few days. Thank you both for pointing me in the right direction.
Hi @md3895 ,
check this link.