Configuring a LAN-to-LAN AutoKey IKE VPN between sites whose subnets overlap. The example uses a Mapped IP (MIP) on the tunnel interface to perform Network Address Translation (NAT) between the sites, so each site reaches the other through a unique mapped address range rather than the shared private range.
Environment:
- LAN to LAN VPN
- IP networks on both sites are the same
- VPN to a network with equal subnets
- LAN to LAN VPN with Overlapping subnets
- Site to Site VPN with identical address ranges using Juniper Firewalls
Refer to the Solution below on how to configure the Juniper firewalls for this environment without changing the IP addresses at either site: each firewall maps its local hosts to a unique address range with a MIP on its tunnel interface, and the peer site addresses those mapped addresses instead of the overlapping private ones.
Refer to ScreenOS_VPN_with_Overlapping_Subnets for information on 'Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products' (see page 147, or search the PDF for 'VPN Sites with Overlapping Addresses').
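The following configuration is an added illustration of the MIP-on-tunnel-interface approach and is not the article's own solution text. The IP addresses are taken from the debug capture that follows (local gateway 11.1.1.2 on ethernet0/2, peer 11.1.1.1, local MIP 5.5.5.5 for host 192.168.1.1, remote MIP 6.6.6.6); everything else is an assumption: the custom zone name vpn (the capture shows the tunnel in a custom zone, ID 100), the gateway, VPN and address-book names, the pre-shared key placeholder, the LAN interface ethernet0/1, and the use of standard AutoKey proposals. Lines beginning with # are annotations, not CLI input. Site B mirrors Site A with the MIP ranges swapped, which is what lets both sites keep 192.168.1.0/24.

```screenos
# ===== Site A (local firewall, 11.1.1.2). All names below are assumed for this example.
set zone name vpn
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.1.254/24
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 11.1.1.2/24
# Tunnel interface lives in the custom zone and borrows the public interface address
set interface tunnel.2 zone vpn
set interface tunnel.2 ip unnumbered interface ethernet0/2
# MIP on the tunnel interface: Site B reaches 192.168.1.1 here as 5.5.5.5, and
# traffic from 192.168.1.1 leaving via tunnel.2 is source-translated to 5.5.5.5
# (the "reversed mip" / "hip xlate" lines in the capture). To map the whole /24
# instead, use: mip 5.5.5.0 host 192.168.1.0 netmask 255.255.255.0
set interface tunnel.2 mip 5.5.5.5 host 192.168.1.1 netmask 255.255.255.255 vr trust-vr
# Phase 1 / Phase 2, route-based (VPN bound to tunnel.2). PSK is a placeholder.
set ike gateway to-siteB address 11.1.1.1 main outgoing-interface ethernet0/2 preshare "ExamplePSK-ChangeMe" sec-level standard
set vpn siteB-vpn gateway to-siteB sec-level standard
set vpn siteB-vpn bind interface tunnel.2
set vpn siteB-vpn proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
# Site B's mapped range is reached through the tunnel; Site A's real LAN range is never advertised
set route 6.6.6.0/24 interface tunnel.2
set address vpn siteB-mips 6.6.6.0 255.255.255.0
# Outbound: policy is evaluated on the pre-translation source (192.168.1.x) and the remote MIP
set policy from trust to vpn any siteB-mips any permit
# Inbound: destination is the MIP object; scope the source to the peer's MIP range, not "any"
set policy from vpn to trust siteB-mips "MIP(5.5.5.5)" any permit

# ===== Site B (peer firewall, 11.1.1.1): same LAN range 192.168.1.0/24, mapped to 6.6.6.x
set zone name vpn
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.1.254/24
set interface ethernet0/2 zone untrust
set interface ethernet0/2 ip 11.1.1.1/24
set interface tunnel.2 zone vpn
set interface tunnel.2 ip unnumbered interface ethernet0/2
set interface tunnel.2 mip 6.6.6.6 host 192.168.1.1 netmask 255.255.255.255 vr trust-vr
set ike gateway to-siteA address 11.1.1.2 main outgoing-interface ethernet0/2 preshare "ExamplePSK-ChangeMe" sec-level standard
set vpn siteA-vpn gateway to-siteA sec-level standard
set vpn siteA-vpn bind interface tunnel.2
set vpn siteA-vpn proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
set route 5.5.5.0/24 interface tunnel.2
set address vpn siteA-mips 5.5.5.0 255.255.255.0
set policy from trust to vpn any siteA-mips any permit
set policy from vpn to trust siteA-mips "MIP(6.6.6.6)" any permit
```

With this in place a Site A host sends to 6.6.6.6, not to 192.168.1.1, so its own local route for 192.168.1.0/24 never competes with the tunnel route. To verify, use get mip on each firewall to confirm the mapping and its interface, get sa active to confirm the Phase 2 SA is up, and reproduce the capture with set ff src-ip 192.168.1.1 dst-ip 6.6.6.6, debug flow basic, the test traffic, then get dbuf stream and undebug all; the lines to look for are the reverse MIP translation on tunnel.2 and the outer ESP packet between the two public addresses.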
Sample debug and snoop capture of a working example. The flow is an ICMP echo sent by the firewall itself from loopback.1 (192.168.1.1, zone Trust) to the remote MIP 6.6.6.6: the packet is permitted by policy on its original source address, then reverse-translated by the MIP on tunnel.2 (192.168.1.1->5.5.5.5) before ESP encryption, and leaves ethernet0/2 as an outer packet 11.1.1.2->11.1.1.1:
****** 258971.0: <Trust/loopback.1> packet received [128]******
ipid = 41360(a190), @02958d84
self:192.168.1.1/61700->6.6.6.6/1024,1(8/0)<Root>
flow_decap_vector IPv4 process
loopback.1:192.168.1.1/61700->6.6.6.6/1024,1(8/0)<Root>
no session found
flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
chose interface loopback.1 as incoming nat if.
flow_first_routing: in <loopback.1>, out <tunnel.2>
search route to (loopback.1, 192.168.1.1->6.6.6.6) in vr trust-vr for vsd-0/flag-0/ifp-null
cached route 23 for 6.6.6.6
[ Dest] 23.route 6.6.6.6->6.6.6.6, to tunnel.2
routed (x_dst_ip 6.6.6.6) from loopback.1 (loopback.1 in 0) to tunnel.2
policy search from zone 2-> zone 100
policy_flow_search policy search nat_crt from zone 2-> zone 100
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 6.6.6.6, port 26413, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2/0/0x1
Permitted by policy 2
## 2019-04-26 02:37:21 : MIP 5.5.5.5 found for host 192.168.1.1 on ifp tunnel.2 (Root)
found reversed mip/vip 5.5.5.5 for 192.168.1.1 (on tunnel.2)
hip xlate: 192.168.1.1->5.5.5.5 at tunnel.2 (vs. tunnel.2)
NHTB entry search not found: vpn none tif tunnel.2 nexthop 6.6.6.6
matched tunnel-id <0x00000005>
choose interface tunnel.2 as outgoing phy if
## 2019-04-26 02:37:21 : No Host found for MIP 6.6.6.6 on ifp tunnel.2
no loop on ifp tunnel.2.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <loopback.1>, out <tunnel.2>
existing vector list 5-842d46c.
Session (id:128044) created for first pak 5
flow_first_install_session======>
input pak_ptr = 1ea46e0, pmtu 1500
use pmtu 1500
ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
IPv4 ESP fixed overhead 48
cryptic_data_max_len before round down = pmtu - fxed overhead = 1500 - 48 = 1452
cryptic_data_max_len after round down = 1448
mtu after substracting 2-byte trailer = 1446
total vpn overhead 54
flow got session.
flow session id 128044
flow_main_body_vector in ifp loopback.1 out ifp tunnel.2
flow vector index 0x5, vector addr 0x198f930, orig vector 0x198f930
post addr xlation: 5.5.5.5->6.6.6.6.
going into tunnel 40000005.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000005
(vn2) doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
put packet(6bb87a0) into flush queue.
remove packet(6bb87a0) out from flush queue.
**** jump to packet:11.1.1.2->11.1.1.1
packet encapsulated, type=ipsec, len=184
ipid = 47501(b98d), @02958d60
out encryption tunnel 40000005 gw:11.1.1.1
no more encapping needed
send out through normal path.
flow_ip_send: b98d:11.1.1.2->11.1.1.1,50 => ethernet0/2(184) flag 0x3000a0, vlan 0
mac 0010db8d1807 in session
packet send out to 0010db8d1807 through ethernet0/2
2017-12-07: Article reviewed for accuracy. Corrected links that were not working. Article is correct and complete.
2019-05-22: Added the debug and snoop capture of a working example