
Same network on both sides of an IPsec tunnel (11.x)

Posted: 02 Dec 2009, 11:13
by Peter
This How-to applies to:
  • Clavister cOS Core 11.x

I want to establish an IPsec tunnel to a remote office, but the local network there conflicts with the local network at the central office. How can I solve this problem without changing the network on either side?


This is possible to solve by address translating the network on both sides to something else when these networks need to talk to each other. Let's say that the conflicting network is, we create a "fake" network that only exists between these 2 sites. So instead of connecting to the remote host we connect to This modification can be done automatically.

How to accomplish this:


Main Office:
  • Local Network:
    External IP:
Remote Office:
  • Local Network:
    External IP:
Main Office IPsec:
  • Name: Stockholm_IPsec
    Local Network:
    Remote Network:
    Remote Endpoint:
    Keep "Add route statically" enabled
Main Office route:
  • [core]
Remote Office IPsec:
  • Name: Gothenborg_IPsec
    Local Network:
    Remote Network:
    Remote Endpoint:
    Keep "Add route statically" enabled
Remote Office route:
  • [core]
Main Office Policy Outbound:
  • Action: Allow
    Destination Interface: Stockholm_IPsec
    Destination Network: "Fake_Remote_Network"
    Source Translation: SAT
    Address Action: Transposed
    Base IP Address:
Main Office Policy Inbound:
  • Action: Allow
    Destination Interface: any
    Destination Network: "Fake_Local_Network"
    Source Translation: NAT
    Address Action: Outgoing Interface Address
    Destination Translation: SAT
    Address Action: Transposed
    Base IP Address:
[Attachment: Same_net_policies.png]
Note: You cannot select i.e. as Source or Destination network on the
SAT rule's address translation tab; you need to type and it will translate
correctly from the correct source IP and destination IP. becomes etc.

Note-2: The reason why we [Core] route the 172.16.x.x network is because this network will not exist behind any physical interface. It exists in the Core only (so to speak).

The same rules but the other way around on the remote office.

This enables the same network to still exist on both sides. When clients want to connect to hosts on beyond the IPsec tunnel, they use the 172.16.x.x address instead of 192.168.x.x, and thus we have bypassed the problem; there is no need to change the local network on either side.

Example flow:

A host at the Main office wants to reach an FTP server at the Remote Office. This FTP server has the IP on the remote office. The host then connects to which will traverse the IPsec tunnel and is then address translated from to in order to match the machine on the remote office local network.
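As an added example (not part of the post or Clavister's own code), the following Python script simulates the two translation steps of that flow: the Main office outbound SAT (source transposed into the fake local network) and the Remote office inbound policy (destination transposed back into the real LAN, source NATed to the firewall's interface address). The addresses are constructed assumptions: 192.168.1.0/24 as the conflicting LAN on both sides, 172.16.1.0/24 and 172.16.2.0/24 as the two fake networks, and 192.168.1.1 as the remote firewall's LAN address.

```python
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the post).
LAN = ip_network("192.168.1.0/24")          # identical LAN at both sites
MAIN_FAKE = ip_network("172.16.1.0/24")     # Main office "Fake_Local_Network"
REMOTE_FAKE = ip_network("172.16.2.0/24")   # Remote office "Fake_Local_Network"
REMOTE_FW_LAN_IP = "192.168.1.1"            # remote firewall LAN interface (NAT source)


def transpose(ip: str, from_net: IPv4Network, to_net: IPv4Network) -> str:
    """Transposed SAT: keep the host offset, swap the network part."""
    addr = ip_address(ip)
    if addr not in from_net:
        raise ValueError(f"{ip} is not inside {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return str(ip_address(int(to_net.network_address) + offset))


def main_outbound(src: str, dst: str) -> tuple[str, str]:
    """Main office outbound policy: LAN -> Fake_Remote_Network,
    source SAT transposed into the Main office fake network."""
    if ip_address(src) in LAN and ip_address(dst) in REMOTE_FAKE:
        return transpose(src, LAN, MAIN_FAKE), dst
    return src, dst


def remote_inbound(src: str, dst: str) -> tuple[str, str]:
    """Remote office inbound policy: destination in its Fake_Local_Network is
    SAT transposed back to the real LAN; source NATed to the interface address."""
    if ip_address(dst) in REMOTE_FAKE:
        return REMOTE_FW_LAN_IP, transpose(dst, REMOTE_FAKE, LAN)
    return src, dst


def trace(src: str, dst: str) -> list[tuple[str, str]]:
    """Return the (src, dst) pair as seen at each hop of the flow."""
    hops = [(src, dst)]
    src, dst = main_outbound(src, dst)   # leaving the Main office firewall
    hops.append((src, dst))
    src, dst = remote_inbound(src, dst)  # arriving at the Remote office LAN
    hops.append((src, dst))
    return hops


if __name__ == "__main__":
    for s, d in trace("192.168.1.10", "172.16.2.20"):
        print(f"{s:>15} -> {d}")
```

The last hop shows why the conflicting 192.168.1.0/24 can stay untouched: the remote FTP server only ever sees a packet from its own firewall's address to its own LAN address.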

Re: Same network on both sides of an IPsec tunnel (11.x)

Posted: 29 Nov 2016, 15:40
by mape
Updated 2016-11-29