Client initiated l2tp/ipsec with overlapping subnets on client and local lan

 
Thomas_N-Wright
Visitor

Client initiated l2tp/ipsec with overlapping subnets on client and local lan

Hi,

I have configured Client initiated l2tp/ipsec on MSR 3012 and I can get traffic over the tunnel.
The problem comes when the client and the local subnet (vlan800, 192.168.1.0/24) have overlapping IPs.

The client gets an IP from the ip-pool through the Virtual-Template interface but has the same IP as the local LAN (vlan800).

I have tried to set up bidirectional NAT on the Virtual-Template interface, but cannot seem to get it right.

There are several clients on the local LAN (vlan800) that have to be reachable from the remote client.

Any suggestions on how to best achieve this?

Many thanks!

Ivan_B
HPE Pro

Re: Client initiated l2tp/ipsec with overlapping subnets on client and local lan

Hi @Thomas_N-Wright !

Why do you use overlapping addresses in the ip pool used in the Virtual-Template? If I remember correctly, L2TP/IPSec clients should be on a separate subnet, different from the local network range.

Bidirectional NAT seems to be the tool to use if you have two sites with overlapping local networks: clients in 192.168.1.0/24 should think the remote servers are outside this subnet, and servers should think those clients are coming from a subnet different from 192.168.1.0/24; otherwise they will treat them as local, e.g. they will send ARPs instead of pushing the traffic through the VPN router. See https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=c05370360 , page 172 has an example.

However, in your case with VPN you don't have to use overlapping networks, so if I am right the solution should be to use a dedicated ip pool for VPN clients.

 

I am an HPE employee


Thomas_N-Wright
Visitor

Re: Client initiated l2tp/ipsec with overlapping subnets on client and local lan

Hi Ivan_B,

Thank you for the reply.

The ip-pool is not overlapping with any of the subnets, but a remote computer placed in its own LAN, with for instance 192.168.1.10/24 as IP, will not be able to reach the local server with IP 192.168.1.50/24 even if it gets 192.168.90.10 from the ip-pool.
As you said, packets will be sent locally and not over the VPN.

Remote Client   - L2TP LNS (MSR router)   - Server
192.168.1.10    - 10.10.10.10             - 192.168.10.50

I have resolved it by using NAT server on the VT interface, and "pointed" to the local server:

interface Virtual-Template
 ppp authentication-mode chap ms-chap-v2 domain remoteuser
 remote address pool remote 
 ip address 192.168.90.1 255.255.255.0
 nat server global 192.168.90.50 inside 192.168.1.50 reversible

PS: I cannot open the links you shared
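The two posts above describe the mechanism in prose: the remote client's stack does a longest-prefix lookup, so a destination inside its own 192.168.1.0/24 is ARPed on the local LAN and never enters the tunnel, while the nat server entry on the Virtual-Template gives the server a second, non-overlapping address (192.168.90.50) that the client does route via the tunnel and that the LNS rewrites to 192.168.1.50. The following Python model is an added example, not code from the thread or from Comware; the routing table of the remote client is constructed for illustration, and the reverse translation for server-initiated traffic is an assumed reading of the "reversible" keyword, not a verified description of the router's behaviour.

```python
"""Constructed model of the overlap problem and the nat server workaround
discussed in the thread. Addresses are the ones quoted in the posts."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table of the remote client once the L2TP/IPsec tunnel is up.
REMOTE_CLIENT_ROUTES = (
    Route(ipaddress.ip_network("192.168.1.0/24"), "lan"),    # client's own LAN, same range as vlan800
    Route(ipaddress.ip_network("192.168.90.0/24"), "l2tp"),  # tunnel subnet handed out from the ip-pool
    Route(ipaddress.ip_network("0.0.0.0/0"), "lan"),         # default route via the client's local gateway
)

# Static mapping modelled on the thread's configuration line:
#   nat server global 192.168.90.50 inside 192.168.1.50 reversible
NAT_SERVER_GLOBAL_TO_INSIDE = {
    ipaddress.ip_address("192.168.90.50"): ipaddress.ip_address("192.168.1.50"),
}


def longest_prefix_match(routes, dst):
    """Return the egress interface the client's stack would pick for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best.interface


def lns_inbound_dnat(dst):
    """On the LNS: rewrite a tunnel packet's destination from the global to the inside address."""
    dst = ipaddress.ip_address(dst)
    return str(NAT_SERVER_GLOBAL_TO_INSIDE.get(dst, dst))


def lns_outbound_snat(src):
    """Reverse mapping for server-initiated traffic (assumed effect of 'reversible')."""
    src = ipaddress.ip_address(src)
    for global_addr, inside_addr in NAT_SERVER_GLOBAL_TO_INSIDE.items():
        if inside_addr == src:
            return str(global_addr)
    return str(src)


def reach_server(dst):
    """Return (interface chosen by the client, destination as seen by the server).

    The second element is None when the packet never enters the tunnel, i.e. the
    client ARPs for it on its own LAN and the LNS never sees it.
    """
    iface = longest_prefix_match(REMOTE_CLIENT_ROUTES, dst)
    if iface != "l2tp":
        return iface, None
    return iface, lns_inbound_dnat(dst)


if __name__ == "__main__":
    for target in ("192.168.1.50", "192.168.90.50"):
        print(target, "->", reach_server(target))
```

Running it shows the asymmetry the thread describes: 192.168.1.50 is resolved on the client's own LAN and never reaches the MSR, whereas 192.168.90.50 is routed into the tunnel and arrives at the server as 192.168.1.50. One operational caveat follows from the same model: the nat server entry makes 192.168.1.50 reachable from every authenticated tunnel client at a fixed global address, so the mapping should be paired with whatever traffic filtering the deployment already applies to tunnel users.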