
[ScreenOS] Configuring a LAN-to-LAN VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products.



Article ID: KB5346
KB Last Updated: 28 May 2019
Version: 11.0

Configuring overlapping subnets for a LAN-to-LAN AutoKey IKE VPN. The example uses a MIP on a tunnel interface to perform Network Address Translation (NAT) between the sites.
  • LAN to LAN VPN
  • IP networks on both sites are the same
  • VPN to a network with equal subnets
  • LAN to LAN VPN with Overlapping subnets
  • Site to Site VPN with identical address ranges using Juniper Firewalls
Refer to the Solution below on how to configure the Juniper firewalls for this environment, without having to change the IP addresses at each site.

Refer to ScreenOS_VPN_with_Overlapping_Subnets for 'Configuring a LAN-to-LAN VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products' (see page 147, or search the PDF for 'VPN Sites with Overlapping Addresses').

Sample Debug and Snoop capture of a working example: 

 ****** 258971.0: <Trust/loopback.1> packet received [128]******

  ipid = 41360(a190), @02958d84
  flow_decap_vector IPv4 process
  no session found
  flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
  chose interface loopback.1 as incoming nat if.
  flow_first_routing: in <loopback.1>, out <tunnel.2>
  search route to (loopback.1,> in vr trust-vr for vsd-0/flag-0/ifp-null
  cached route 23 for
  [ Dest] 23.route>, to tunnel.2
  routed (x_dst_ip from loopback.1 (loopback.1 in 0) to tunnel.2
  policy search from zone 2-> zone 100
 policy_flow_search  policy search nat_crt from zone 2-> zone 100
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip, port 26413, proto 1)
  No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 2/0/0x1
  Permitted by policy 2
## 2019-04-26 02:37:21 : MIP found for host on ifp tunnel.2 (Root)
  found reversed mip/vip for (on tunnel.2)
  hip xlate:> at tunnel.2 (vs. tunnel.2)

  NHTB entry search not found: vpn none tif tunnel.2 nexthop
  matched tunnel-id <0x00000005>
  choose interface tunnel.2 as outgoing phy if
## 2019-04-26 02:37:21 : No Host found for MIP on ifp tunnel.2
  no loop on ifp tunnel.2.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in <loopback.1>, out <tunnel.2>
  existing vector list 5-842d46c.
  Session (id:128044) created for first pak 5
 input pak_ptr = 1ea46e0, pmtu 1500
 use pmtu 1500
 ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
 IPv4 ESP fixed overhead 48
 cryptic_data_max_len before round down = pmtu - fxed overhead = 1500 - 48 = 1452
 cryptic_data_max_len after round down = 1448
 mtu after substracting 2-byte trailer = 1446
 total vpn overhead 54
  flow got session.
  flow session id 128044
  flow_main_body_vector in ifp loopback.1 out ifp tunnel.2
  flow vector index 0x5, vector addr 0x198f930, orig vector 0x198f930
  post addr xlation:>
  going into tunnel 40000005.
  flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000005
(vn2)  doing ESP encryption and size =136
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec auth done
ipsec encrypt engine released
ipsec encrypt done
        put packet(6bb87a0) into flush queue.
        remove packet(6bb87a0) out from flush queue.

**** jump to packet:>
  packet encapsulated, type=ipsec, len=184
  ipid = 47501(b98d), @02958d60
  out encryption tunnel 40000005 gw:
  no more encapping needed
  send out through normal path.
  flow_ip_send: b98d:>,50 => ethernet0/2(184) flag 0x3000a0, vlan 0
  mac 0010db8d1807 in session
  packet send out to 0010db8d1807 through ethernet0/2
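The capture above is the evidence that the design works: the packet enters on loopback.1, is permitted by policy 2, is translated by the MIP on tunnel.2, is matched to tunnel 0x5 and leaves as ESP on ethernet0/2, with the box also printing how it derived the 1446-byte tunnel MTU. The following Python script is an added example, not part of this article or of ScreenOS; it pulls those facts out of the capture lines shown above (addresses are redacted on the page, so they are absent here too), reproduces the MTU arithmetic the trace prints, and reports any discrepancy from the expected path. The 8-byte ESP block size is an inference from the capture (1452 rounds down to 1448), and the expected interface and policy names are parameters you would set to match your own configuration.

```python
import re

# Lines copied from the article's debug flow capture above; these are the ones
# the parser keys on. Addresses are redacted on the page, so none appear here.
TRACE = """\
****** 258971.0: <Trust/loopback.1> packet received [128]******
  flow_first_sanity_check: in <loopback.1>, out <tunnel.2>
  policy search from zone 2-> zone 100
swrs_search_ip: policy matched id/idx/action = 2/0/0x1
  Permitted by policy 2
## 2019-04-26 02:37:21 : MIP found for host on ifp tunnel.2 (Root)
  matched tunnel-id <0x00000005>
  Session (id:128044) created for first pak 5
 input pak_ptr = 1ea46e0, pmtu 1500
 ipsec overhead: sap->crypto_ctx.iEspHdrLen = 16, sap->crypto_ctx.icvLen = 12
 IPv4 ESP fixed overhead 48
 mtu after substracting 2-byte trailer = 1446
 total vpn overhead 54
  going into tunnel 40000005.
  packet encapsulated, type=ipsec, len=184
  packet send out to 0010db8d1807 through ethernet0/2
"""

# One regex per event of interest; group names become keys of the parsed record.
EVENTS = [
    re.compile(r"flow_first_sanity_check: in <(?P<in_if>[^>]+)>, out <(?P<out_if>[^>]+)>"),
    re.compile(r"Permitted by policy (?P<policy>\d+)"),
    re.compile(r"MIP found for host on ifp (?P<mip_if>\S+)"),
    re.compile(r"matched tunnel-id <0x(?P<tunnel>[0-9a-fA-F]+)>"),
    re.compile(r"Session \(id:(?P<session>\d+)\) created"),
    re.compile(r"pmtu (?P<pmtu>\d+)"),
    re.compile(r"iEspHdrLen = (?P<esp_hdr>\d+), sap->crypto_ctx\.icvLen = (?P<icv>\d+)"),
    re.compile(r"mtu after substracting 2-byte trailer = (?P<mtu>\d+)"),
    re.compile(r"total vpn overhead (?P<overhead>\d+)"),
    re.compile(r"packet send out to \S+ through (?P<egress_phy>\S+)"),
]
# Numeric fields and the base they are printed in (tunnel-id is hex).
INT_FIELDS = {"policy": 10, "tunnel": 16, "session": 10, "pmtu": 10,
              "esp_hdr": 10, "icv": 10, "mtu": 10, "overhead": 10}


def parse_flow_trace(text):
    """Reduce a debug flow capture to the facts that matter for this KB: which
    interfaces the packet crossed, which policy permitted it, whether a MIP
    translated it, which tunnel carried it, and the MTU figures the box computed."""
    rec = {"mip_hits": []}
    for line in text.splitlines():
        for pat in EVENTS:
            m = pat.search(line)
            if not m:
                continue
            for key, val in m.groupdict().items():
                if key == "mip_if":
                    rec["mip_hits"].append(val)
                elif key in INT_FIELDS:
                    rec[key] = int(val, INT_FIELDS[key])
                else:
                    rec[key] = val
    return rec


IPV4_HDR_LEN = 20   # outer IPv4 header added by tunnel-mode ESP
ESP_TRAILER = 2     # pad-length and next-header bytes


def vpn_mtu(pmtu, esp_hdr_len, icv_len, block=8):
    """Reproduce the MTU arithmetic the trace prints. The 8-byte block is an
    inference from the capture: 1452 rounds down to 1448, whereas a 16-byte
    block cipher would have given 1440."""
    fixed = IPV4_HDR_LEN + esp_hdr_len + icv_len   # 20 + 16 + 12 = 48
    data_max = pmtu - fixed                        # 1452
    data_max -= data_max % block                   # 1448
    mtu = data_max - ESP_TRAILER                   # 1446
    return fixed, mtu, pmtu - mtu                  # (48, 1446, 54)


def check_flow(rec, expect_in="loopback.1", expect_tunnel_if="tunnel.2", expect_policy=2):
    """Return the discrepancies between the parsed trace and the path this KB expects:
    ingress on the loopback, permit by the LAN-to-LAN policy, MIP applied on the
    tunnel interface, then ESP encapsulation. An empty list means the capture matches."""
    problems = []
    if rec.get("in_if") != expect_in:
        problems.append(f"ingress {rec.get('in_if')!r}, expected {expect_in!r}")
    if rec.get("out_if") != expect_tunnel_if:
        problems.append(f"egress {rec.get('out_if')!r}, expected {expect_tunnel_if!r}")
    if rec.get("policy") != expect_policy:
        problems.append(f"permitted by policy {rec.get('policy')}, expected {expect_policy}")
    if expect_tunnel_if not in rec["mip_hits"]:
        problems.append(f"no MIP translation seen on {expect_tunnel_if}")
    if "tunnel" not in rec:
        problems.append("no tunnel-id matched; packet would not be encrypted")
    if all(k in rec for k in ("pmtu", "esp_hdr", "icv", "mtu", "overhead")):
        _, mtu, overhead = vpn_mtu(rec["pmtu"], rec["esp_hdr"], rec["icv"])
        if (mtu, overhead) != (rec["mtu"], rec["overhead"]):
            problems.append(f"MTU arithmetic mismatch: computed {mtu}/{overhead}, "
                            f"trace says {rec['mtu']}/{rec['overhead']}")
    return problems


if __name__ == "__main__":
    record = parse_flow_trace(TRACE)
    print(record)
    print("discrepancies:", check_flow(record) or "none")
```

Run it against your own capture by replacing TRACE with the output of the debug flow session; a non-empty discrepancy list points at the stage (policy, MIP, tunnel binding or MTU) to look at first when traffic between the overlapping subnets does not pass.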

Modification History:
2017-12-07: Article reviewed for accuracy. Corrected links that were not working. Article is correct and complete.
2019-05-22: Added the debug and snoop capture of a working example