Subnet issue with IPSec

mahesh.mvk
Junior Member, Sep 6, 2013
Below is an example of the IPSec tunnel I implemented for a customer from my company.

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key XXXXXXXX

access-list Voice extended permit ip host (Company IP Range) y.y.y.y

crypto map vpn 260 match address Voice
crypto map vpn 260 set peer x.x.x.x
crypto map vpn 260 set transform-set 3DES-MD5
crypto map vpn 260 set security-association lifetime seconds 86400

I have seen everywhere that the customer peer x.x.x.x and the customer subnet/host y.y.y.y are always on different subnets. Is there any reason behind it? Would there be a problem if they are on the same subnet?

Martin Wilson
Member, Aug 25, 2013
They are two different things.

The peer address is the 'outside' IP address of their gateway. This is you telling your router where to go to reach the customer.

The customer subnet (also known as 'interesting traffic') is the LAN subnet on the customer side. This is where you specify what part of your LAN side talks to their LAN.

mahesh.mvk
Junior Member, Sep 6, 2013
Yes, agreed Martin. Thanks for your reply, but my question is: what if they are configured to be on the same subnet? How will the tunnel behave? Will it establish the tunnel in the first place? And the reason?

lif_andi
Member, Apr 15, 2013
Well, you can have them the same, but the tunnel will only be established if the 'interesting traffic' is destined for that IP. If you point a tunnel towards a subnet behind a routable IP address, the tunnel will have no way of knowing where to go, or rather, it will look for the address it's pointed to which then isn't there, because the routable IP address is not listed anywhere... hope this makes sense.

brshoemak
Member, Feb 11, 2005
To simplify what lif_andi said: two networks with the same IP addressing scheme, say both are 192.168.10.0/24. A router will believe that it is the end-all-be-all of that particular network. So if you try to ping a host on the other side of your VPN, your router will eventually see the ping and say "Well, it looks like this isn't on my network." That's the end of those packets.

When you have a different subnet, the router goes "I don't have this on my network, but here's a place that does" and sends it on its merry way across the VPN. This is a gross simplification, but gives the general gist of things.

Actually, on Cisco routers/firewalls you usually have to ping a host on the other side for the VPN to even come up - or provide some other kind of interesting traffic.

SecurityTheatre
Senior Member, Aug 14, 2011
Yes, agreed Martin. Thanks for your reply, but my question is: what if they are configured to be on the same subnet? How will the tunnel behave? Will it establish the tunnel in the first place? And the reason?

If you connect two networks with duplicate subnets, you will need to change the IP range on one of the subnets, or you will need to do static 1-to-1 Network Address Translation on all of the overlapping IPs at the gateway router on both sides.

IP networks DO NOT work with duplicate addresses on them.
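To make brshoemak's "it isn't on my network" explanation and SecurityTheatre's 1-to-1 NAT workaround concrete, here is a small simulation I have added to this thread; it is not code from any of the posters or from Cisco. It models only what the thread describes: a gateway does a routing lookup first (a connected LAN route always wins over the default route out of the outside interface), and only traffic that leaves via the outside interface is checked against the crypto ACL ("interesting traffic"). The subnets 192.168.10.0/24, 192.168.20.0/24 and the alias ranges 10.99.10.0/24 and 10.99.20.0/24 are constructed values for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Gateway:
    """Toy model of a site-to-site VPN gateway (constructed for this thread).

    lan        - the directly connected inside LAN
    crypto_acl - (source network, destination network) the tunnel protects,
                 i.e. the 'interesting traffic' from the crypto map
    src_nat    - optional static 1-to-1 NAT (real network, translated network)
                 applied to inside hosts before the crypto ACL is evaluated
    """
    lan: Net
    crypto_acl: Tuple[Net, Net]
    src_nat: Optional[Tuple[Net, Net]] = None

    def route(self, dst: Addr) -> str:
        # Routing decision: a connected route beats the default route, so a
        # destination inside our own LAN is delivered locally (ARP on inside).
        return "inside" if dst in self.lan else "outside"

    def translate_src(self, src: Addr) -> Addr:
        # Static 1-to-1 NAT: keep the host bits, swap the network part.
        if self.src_nat is None:
            return src
        real, mapped = self.src_nat
        if src in real:
            offset = int(src) - int(real.network_address)
            return mapped.network_address + offset
        return src

    def forward(self, src: str, dst: str) -> str:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.route(d) == "inside":
            # The packet never reaches the outside interface where the
            # crypto map lives, so no tunnel, no SA negotiation.
            return "local LAN delivery: never reaches the crypto map"
        s = self.translate_src(s)
        acl_src, acl_dst = self.crypto_acl
        if s in acl_src and d in acl_dst:
            return "encrypted into the IPsec tunnel"
        return "sent in the clear via default route"


def scenario_distinct_subnets() -> str:
    """Normal case: our LAN 192.168.10.0/24, customer LAN 192.168.20.0/24."""
    gw = Gateway(lan=Net("192.168.10.0/24"),
                 crypto_acl=(Net("192.168.10.0/24"), Net("192.168.20.0/24")))
    return gw.forward("192.168.10.7", "192.168.20.5")


def scenario_overlapping_subnets() -> str:
    """Both sides use 192.168.10.0/24: the router treats the remote host as
    local, so the packet is dropped on the LAN side and the tunnel stays down."""
    gw = Gateway(lan=Net("192.168.10.0/24"),
                 crypto_acl=(Net("192.168.10.0/24"), Net("192.168.10.0/24")))
    return gw.forward("192.168.10.7", "192.168.10.5")


def scenario_overlap_with_static_nat() -> str:
    """Workaround from the thread: both LANs keep 192.168.10.0/24 but each
    side presents itself through a non-overlapping alias range. Our hosts
    appear to the customer as 10.99.10.0/24; the customer's hosts are reached
    as 10.99.20.0/24 (the customer gateway performs the mirror-image NAT)."""
    gw = Gateway(lan=Net("192.168.10.0/24"),
                 crypto_acl=(Net("10.99.10.0/24"), Net("10.99.20.0/24")),
                 src_nat=(Net("192.168.10.0/24"), Net("10.99.10.0/24")))
    return gw.forward("192.168.10.7", "10.99.20.5")


if __name__ == "__main__":
    print("distinct subnets:   ", scenario_distinct_subnets())
    print("overlapping subnets:", scenario_overlapping_subnets())
    print("overlap + 1:1 NAT:  ", scenario_overlap_with_static_nat())
```

The middle scenario is the failure the thread is about: the destination matches the connected route, so the packet is never a candidate for the crypto map and nothing ever triggers IKE. The last scenario shows why the NAT fix works: inside hosts address the remote side by its alias range, which is not connected locally, so the packet leaves via the outside interface and matches a crypto ACL written in alias addresses.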