0 Replies Latest reply: Apr 24, 2019 2:22 PM by Alejandro

    IPSec tunnels with overlapping subnets on Cisco routers.

    Alejandro

      Hey everyone, I have an issue and I'm kinda stuck finding the solution.

       

      The scenario is the following: I have a router that has two IPSec VPNs, with SiteA and SiteB.

       

      The thing is, the network address of SiteA overlaps with SiteB. I got 172.16.0.0/12 on SiteA and 172.21.226.0/23 on SiteB. The problem is that neither of the remote sites is willing to make any change on their devices; therefore, my router has to manage everything.

       

      I'm using the following configuration:

       

      Crypto Maps:

       

      crypto map rtp 2 ipsec-isakmp
       set peer B.B.B.B        ! Site B
       set transform-set TSASA
       match address CISCO_TO_ASA

      crypto map rtp 4 ipsec-isakmp
       set peer A.A.A.A        ! Site A
       set transform-set 3des-sha
       match address LAN-UOL-vpn

       

      ACLs for interesting traffic:

       

      Used by site A:

       

      ip access-list extended LAN-UOL-vpn
       permit ip 10.233.0.0 0.0.255.255 172.16.0.0 0.15.255.255

       

      Used by site B:

       

      ip access-list extended CISCO_TO_ASA
       permit ip 10.233.18.0 0.0.1.255 172.21.226.0 0.0.1.255
       permit ip 10.233.22.0 0.0.0.255 172.21.226.0 0.0.1.255

       

       

      Both VPNs are using the same crypto map. I tried changing the sequence number so that the Site B entry is used first (since it's smaller than Site A) and then Site A. However, when I try to send traffic meant for Site B, it's routed to Site A because the network address overlaps both segments.

       

      Any suggestions are appreciated. Let me know if you would like any other information that might be relevant to fulfill the objective.
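Added example, not part of Alejandro's post: a small Python model of how the crypto map above is evaluated (lowest sequence first, Cisco wildcard-mask semantics), loaded with the two ACLs from the post, so you can check which sequence a given source/destination pair lands on and which interesting-traffic entries overlap. The flow addresses used below are constructed test values.

```python
import ipaddress

# Constructed from the crypto map in the post: (sequence, ACL name, ACEs).
# Each ACE is (src, src-wildcard, dst, dst-wildcard) exactly as written in IOS.
CRYPTO_MAP = [
    (2, "CISCO_TO_ASA", [("10.233.18.0", "0.0.1.255", "172.21.226.0", "0.0.1.255"),
                         ("10.233.22.0", "0.0.0.255", "172.21.226.0", "0.0.1.255")]),
    (4, "LAN-UOL-vpn", [("10.233.0.0", "0.0.255.255", "172.16.0.0", "0.15.255.255")]),
]
MASK32 = 0xFFFFFFFF

def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _covers(base: str, wildcard: str, ip: str) -> bool:
    # Cisco wildcard: a 1 bit means "don't care", so only 0-bit positions must agree.
    return ((_i(ip) ^ _i(base)) & ~_i(wildcard) & MASK32) == 0

def ace_matches(ace, src: str, dst: str) -> bool:
    s, sw, d, dw = ace
    return _covers(s, sw, src) and _covers(d, dw, dst)

def first_match(src: str, dst: str):
    """Crypto map entries are tried in ascending sequence; the first ACE hit wins."""
    for seq, name, aces in sorted(CRYPTO_MAP, key=lambda e: e[0]):
        if any(ace_matches(a, src, dst) for a in aces):
            return seq, name
    return None  # not interesting traffic: forwarded in the clear by normal routing

def _ranges_overlap(b1: str, w1: str, b2: str, w2: str) -> bool:
    # Two address/wildcard pairs share an address iff base bits agree wherever both wildcards are 0.
    return ((_i(b1) ^ _i(b2)) & ~(_i(w1) | _i(w2)) & MASK32) == 0

def overlapping_entries():
    """Pairs (low_seq, high_seq, ace_low, ace_high) whose interesting traffic overlaps.
    Any flow matched by ace_high that also fits ace_low is claimed by low_seq."""
    entries = sorted(CRYPTO_MAP, key=lambda e: e[0])
    hits = []
    for i, (s1, _, aces1) in enumerate(entries):
        for s2, _, aces2 in entries[i + 1:]:
            for a in aces1:
                for b in aces2:
                    if _ranges_overlap(a[0], a[1], b[0], b[1]) and _ranges_overlap(a[2], a[3], b[2], b[3]):
                        hits.append((s1, s2, a, b))
    return hits

if __name__ == "__main__":
    print(first_match("10.233.18.5", "172.21.226.10"), first_match("10.233.5.1", "172.21.226.10"))
    print(len(overlapping_entries()), "overlapping ACE pair(s)")
```

Running it shows the point worth checking on the real box: a host whose source address is outside the two Site B source ranges (10.233.18.0/23 and 10.233.22.0/24) falls through to sequence 4 and is sent to Site A even when its destination is in 172.21.226.0/23, because sequence 2 matches on source as well as destination.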