Site to site VPN between two identical subnets

sparrowhawk
Here to help

Is someone able to tell me how to configure an MX firewall to enable a site to site VPN between two organisations with the same IP address ranges? Support have not been able to advise on this. I suspect we need to create an internal network that is part of the existing subnet or maybe reduce the existing range? I'm not a networking engineer so my knowledge in this area is limited, Thanks.

20 REPLIES
Roger_Beurskens
Building a reputation

Normally (non-Meraki firewalls) you would use NAT for that...

Hiding one of the 2 subnets behind a full NAT.

But I'm not sure an MX can do that.

Hi Roger, thanks for your reply. That's what I thought too. The other site have done so on their Sophos XG box but as you say, I'm not sure how to assign a NAT rule to a VPN tunnel.

Possible workaround

Site A - 192.168.201.0/25

Site B - 192.168.201.128/25

This will split the 192.168.201.0/24 subnet into 2 halves, effectively. It can be adjusted to suit.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Hi Robin, that was one thing I did consider. However, after further discussion, we've decided that we can reduce our local subnet as we are using a /21 mask so have plenty of addresses spare.

Thanks

jdsilva
Kind of a big deal

If this was between two MXs in the same organization you could use Site-to-site VPN Translation

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

But, since you're going between Orgs this makes it Non-Meraki VPN, and as that doc says right at the top...

[image attachment: image.png]

Unfortunately, you're out of luck here 😞
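To make the idea behind Site-to-site VPN Translation concrete, here is an added worked example. It is not code from any poster, from Meraki, or from the linked documentation; it only models the arithmetic of 1:1 subnet translation so you can see why it resolves the overlap and what a consistent plan must satisfy. The real subnet 192.168.0.0/21 on both sides is taken from the thread; the translated ranges 10.10.0.0/21 and 10.20.0.0/21 are constructed assumptions, as are the function names.

```python
import ipaddress

# Constructed example values: both sites really use 192.168.0.0/21 (as in the thread);
# the translated ranges 10.10.0.0/21 and 10.20.0.0/21 are assumptions for illustration.
SITE_A_REAL = "192.168.0.0/21"
SITE_A_TRANSLATED = "10.10.0.0/21"
SITE_B_REAL = "192.168.0.0/21"
SITE_B_TRANSLATED = "10.20.0.0/21"


def translate(host, real_net, translated_net):
    """Map a host 1:1 from its real subnet into the translated subnet.

    Only the network part changes; the host bits are carried over unchanged,
    so 192.168.5.10 in 192.168.0.0/21 becomes 10.20.5.10 in 10.20.0.0/21.
    Swap the two subnet arguments to translate back in the other direction.
    """
    real = ipaddress.ip_network(real_net)
    tran = ipaddress.ip_network(translated_net)
    if real.prefixlen != tran.prefixlen:
        raise ValueError("1:1 translation needs real and translated subnets of equal size")
    addr = ipaddress.ip_address(host)
    if addr not in real:
        raise ValueError(f"{addr} is not inside {real}")
    offset = int(addr) - int(real.network_address)
    return str(tran.network_address + offset)


def check_plan(a_real, a_translated, b_real, b_translated):
    """Return the problems with a translation plan; an empty list means it is consistent.

    Each side sees the peer only via the peer's translated subnet, so that subnet
    must not collide with the local real subnet or with the other translated subnet.
    """
    a_real_n = ipaddress.ip_network(a_real)
    a_tran_n = ipaddress.ip_network(a_translated)
    b_real_n = ipaddress.ip_network(b_real)
    b_tran_n = ipaddress.ip_network(b_translated)
    problems = []
    if a_real_n.prefixlen != a_tran_n.prefixlen or b_real_n.prefixlen != b_tran_n.prefixlen:
        problems.append("translated subnet size must match the real subnet")
    if a_tran_n.overlaps(b_tran_n):
        problems.append("the two translated subnets overlap each other")
    if b_tran_n.overlaps(a_real_n):
        problems.append("site B's translated subnet collides with site A's real subnet")
    if a_tran_n.overlaps(b_real_n):
        problems.append("site A's translated subnet collides with site B's real subnet")
    return problems


if __name__ == "__main__":
    print("plan problems:", check_plan(SITE_A_REAL, SITE_A_TRANSLATED, SITE_B_REAL, SITE_B_TRANSLATED))
    # A client at site A must use the translated address to reach site B's 192.168.5.10.
    print("site A reaches site B's 192.168.5.10 as",
          translate("192.168.5.10", SITE_B_REAL, SITE_B_TRANSLATED))
    # Packets arriving at site B for 10.20.5.10 map back to the real server address.
    print("which site B maps back to",
          translate("10.20.5.10", SITE_B_TRANSLATED, SITE_B_REAL))
```

The point to take from `check_plan` is that the two translated ranges must be distinct from each other and from both real ranges, and that each must be exactly the size of the subnet it stands in for, otherwise the host-bit mapping is ambiguous. The same reasoning applies whether the translation is done by the Meraki feature or by a NAT rule on a third-party firewall.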


@jdsilva wrote:

If this was between two MXs in the same organization you could use Site-to-site VPN Translation

https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation

But, since you're going between Orgs this makes it Non-Meraki VPN, and as that doc says right at the top...

[image attachment: image.png]

Unfortunately, you're out of luck here 😞

Another gem I had no clue existed. /deepsigh

I really wish they would be more open about these features

Nolan Herring | nolanwifi.com

Hey Nolan, don't feel too left out.

I've spent over three hours on support calls with four different Meraki engineers over this and none of them was seemingly aware of this fact either.

LOL

Our current local VLAN is 192.168.0.0/21. The remote site also uses this subnet. However, we only actually use 192.168.2.0 and above, so I thought I could simply change our subnet to 192.168.2.0/21 and that would free up the first 512 addresses to route to the remote site.

When I make the change on the MX though, it stays at 192.168.0.0/21.

Can anyone help me understand where I'm going wrong?

Thanks

cmr
Kind of a big deal

You are supernetting a number of class C subnets into a /21. This really is not the best way to set up a network as all sorts of devices will not cope with it. If you are using 192.168.2.0 onwards, why not try 192.168.2.0/23? It should allow your 512 hosts and is slightly less off-standard. If they are 192.168.0.0 to 1.254 then they could change to 192.168.0.0/25 and you would be non-overlapping subnets.

Because it is still in the same supernet. The change you are suggesting doesn't achieve anything.

You could change to using 192.168.2.0/23, which means you would now be using 192.168.2.x through to 192.168.3.x only. You would need to change the subnet mask on all your devices as well.

You could also consider using VLANs on the MX (and on the downstream switches) and specifically use 192.168.2.0/24, 192.168.3.0/24, and whatever else you are using. I suspect this might be a much larger change for you though.
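The "it stays at 192.168.0.0/21" behaviour and the overlap check that follows can be worked through with Python's standard `ipaddress` module. This is an added example, not code from any poster or from Meraki; the subnets are the ones discussed in the thread (192.168.0.0/21 at both sites, a proposed 192.168.2.0/23), and the sample list of in-use addresses is constructed from the DHCP range mentioned later in the thread. It also shows that narrowing only one side is not enough: the proposed /23 still overlaps the remote /21 unless the remote side narrows as well.

```python
import ipaddress


def as_router_sees_it(cidr):
    """Clear the host bits of a prefix, which is what a router does with 192.168.2.0/21.

    192.168.2.0 is not on a /21 boundary, so the prefix normalises to 192.168.0.0/21:
    exactly the "stays at 192.168.0.0/21" effect seen on the MX.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def has_host_bits_set(cidr):
    """True when the given address is not the first address of its own prefix."""
    try:
        ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return True
    return False


def overlaps(local_cidr, remote_cidr):
    """Whether two subnets, as routers would store them, share any addresses."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return local.overlaps(remote)


def stranded_addresses(new_local_cidr, addresses_in_use):
    """Addresses currently in use that would fall outside a proposed narrower subnet."""
    net = ipaddress.ip_network(new_local_cidr, strict=False)
    return [a for a in addresses_in_use if ipaddress.ip_address(a) not in net]


if __name__ == "__main__":
    # Constructed sample of in-use addresses, based on the DHCP range quoted in the thread.
    in_use = ["192.168.2.10", "192.168.3.200", "192.168.5.10", "192.168.6.254"]

    proposed = "192.168.2.0/21"
    print(proposed, "has host bits set:", has_host_bits_set(proposed))
    print(proposed, "is stored as:", as_router_sees_it(proposed))

    narrower = "192.168.2.0/23"
    print(narrower, "overlaps remote 192.168.0.0/21:", overlaps(narrower, "192.168.0.0/21"))
    print(narrower, "overlaps remote 192.168.0.0/23:", overlaps(narrower, "192.168.0.0/23"))
    print("addresses that would be stranded by", narrower, ":", stranded_addresses(narrower, in_use))
```

Run it before touching the production network: `stranded_addresses` lists every in-use host that a narrower mask would cut off, and `overlaps` confirms whether the peer's range is actually clear of the new one.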

cmr
Kind of a big deal

@PhilipDAth snap!

Hi Philip, thanks, that makes things clearer. I'm not sure what the implications of using 192.168.2.0/23 would be as we are already using 192.168.5.0 through 192.168.6.254 as our DHCP range and we have other sites using 192.168.3.0/24 and 192.167.7.0/24.

This sounds like too big a change to make in a production environment so I may just suggest to my colleagues that we buy another firewall that is capable of using NAT for a VPN.

My inability to link our network to our client's is now affecting income streams, so the argument to drop some cash is there.

Thanks

cmr
Kind of a big deal

@sparrowhawk I'm sure it must be a typo, but 192.167.n.n isn't a private network range so shouldn't be used unless you own it.

I'd start renumbering; if you have VLANs and DHCP set up it really isn't that difficult, as full NAT is very complex to manage and confusing, as people on each side think their 192.168 address is the topic of conversation when it could be the one on the other side.

We've always used the 10. network and subnetted it; we started with 10.1, 10.2 etc. for each site but had to move after a merger and now use higher ranges.

You can always run into duplication again but the chances are reduced and once you have renumbered, it is easier to do it a second time...

Alternatively use IPv6, oh hang on, this is the Meraki forums.... 😉

I've not managed to crack this problem yet and I'm struggling to form a clear plan. Changing our IP address range is not possible, so I have to find an alternative way forward.

I have an MX60 here and my thoughts were that if I can perform the VPN termination and NAT on the MX100, then I'll split the tasks. Do you think it feasible to perform the VPN termination on the MX100 then pass the intermediate subnet over to the MX60 to be NATed to our local subnet?

If there's a guide out there on how to set this up that would be even better.

Thanks

Even though it says it is only SUPPORTED for Auto-VPN, support can still enable the feature for you (I'm nearly 100% sure we have this working somewhere). I THINK it still works, they just don't support it.

Hi lpopejoy, that's interesting but I don't think my managers would allow me to use an unsupported feature in our environment. It may help others though, so thanks for posting.

PhilipDAth
Kind of a big deal

If the remote end can do it you should be ok - otherwise one of the two organisations is going to need to re-number.

If there is only a small number of devices that need to be accessed on one site then you could place them into a DMZ with a new subnet to resolve the issue.

Hi Philip, the other end has configured NAT but this didn't work. They expressed the same opinion, that we need to configure NAT at our end as well. However, none of the Meraki engineers who have tried to help have suggested this and it appears not to be possible.

The servers that need to talk to each other cannot easily be moved to a DMZ unfortunately. One is a production SQL server belonging to our client, the other an RDS server that our staff use to run a data analysis tool.

So I think that we will need to reduce the scope of our subnet. It's not that big a deal, but it would have been a lot simpler if we could have done the job with NAT. And what happens if we need to set up more VPN links to other clients and suppliers in the future? There's a high chance that there will be a clash that can't be got around this way.

So Meraki kit seems very limited in this respect. Meraki to Meraki VPN doesn't have this issue though, which is interesting.

Roger_Beurskens
Building a reputation

Maybe I've missed it... but do you have an MX on both sides or an MX and something different?

Hi Roger, an MX100 our side and we've tried a Sophos XG box and a Juniper at the client's site. Neither worked.
