0 Replies. Latest reply: Apr 24, 2019 2:22 PM by Alejandro

    IPSec tunnels with overlapping subnets on Cisco routers.


      Hey everyone, I have an issue and I'm kinda stuck finding the solution.


      The scenario is the following: I have a router that has two IPsec VPNs, with SiteA and SiteB.


      The thing is, the network address of SiteA overlaps with SiteB's. I got on SiteA and on SiteB. The problem is that neither of the remote sites is willing to make any change on their devices, so my router has to manage everything.


      I'm using the following configuration:


      Crypto Maps:

      crypto map rtp 2 ipsec-isakmp
       set peer B.B.B.B (SITE B)
       set transform-set TSASA
       match address CISCO_TO_ASA

      crypto map rtp 4 ipsec-isakmp
       set peer A.A.A.A (SITE A)
       set transform-set 3des-sha
       match address LAN-UOL-vpn


      ACLs for interesting traffic:

      Used by site A:

      ip access-list extended LAN-UOL-vpn
       permit ip

      Used by site B:

      ip access-list extended CISCO_TO_ASA
       permit ip
       permit ip



      Both VPNs use the same crypto map. I tried changing the sequence numbers so that the Site B address is used first (since it is smaller than Site A's) and Site A is used after it. However, when I try to send traffic meant for Site B, it is routed to Site A because the network address overlaps both segments.


      Any suggestions are appreciated. Let me know if you would like any other information that might be relevant to reaching the objective.