FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

12008 questions

14286 answers

22528 comments

35902 members

0 votes
247 views 1 comments
by
I've asked this question in another form previously but:

Is it possible to connect two (or more) RUT950s with identical LAN subnets over an IPSec VPN?

Based on information found elsewhere it seems that some form of Network Address Translation is required.

The RUT950s are running RUT9XX_R_00.06.08.5 firmware.

1 Answer

+1 vote
by

Hi,

Sorry for the late response. The answer is yes, it's possible to connect two RUT devices with identical subnets over IPsec VPN.

Let's say your current topology uses 192.168.1.0/24 subnets on both RUT950s.

Now you'll need to choose 2 virtual subnets which will be used for communication between these RUT950s e.g.:

1st RUT950 - 192.168.3.0/24

2nd RUT950 - 192.168.4.0/24

Navigate to Network -> VPN -> IPsec and for 1st RUT950 you'll need to configure local IP address / subnet mask as 192.168.3.0/24 and remote IP address / subnet mask as 192.168.4.0/24. 2nd RUT950 will have inverted configuration - local IP/netmask 192.168.4.0/24 and remote IP/netmask 192.168.3.0/24

If other settings in your IPsec config are correct then by running command ipsec status in CLI you should see that tunnel is installed between 192.168.3.0/24 === 192.168.4.0/24

Now it'll be needed to do 1:1 NAT by using iptables NETMAP target. These IPtables rules will change source IP for outgoing packets and destination IP for incoming packets.

Navigate to WebUI -> Network -> Firewall -> Custom rules and insert following IPtables rules:

For 1st RUT950:

  • iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.4.0/24 -j NETMAP --to 192.168.3.0/24
  • iptables -t nat -I PREROUTING -s 192.168.4.0/24 -j NETMAP --to 192.168.1.0/24

For 2nd RUT950:

  • iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.3.0/24 -j NETMAP --to 192.168.4.0/24
  • iptables -t nat -I PREROUTING -s 192.168.3.0/24 -j NETMAP --to 192.168.1.0/24

Now all that's left is to test configuration, from LAN client of 1st RUT950 ping any remote LAN device by using 192.168.4.0/24 addressing and for LAN2 to LAN1 use 192.168.3.0/24 addressing.

By this point LAN to LAN communication is established but RUT950s cannot ping each other. For RUT950 to be able to ping each other it's needed to add additional routing rules:

On 1st RUT950 use command: ip route add 192.168.4.0/24 dev eth1 src 192.168.1.1 table 220

On 2nd RUT950: ip route add 192.168.3.0/24 dev eth1 src 192.168.1.1 table 220

Note: when adding route, after dev you should specify interface name which is used to establish IPsec tunnel, this example uses eth1 - wired wan.

Best answer
by
That's excellent, works perfectly, thanks.