Expired

V. VPN (Virtual Private Networking)

Expired

IPsec VPN LAN to LAN between two sites that share the same subnet

Products:
Vigor 2135ax
Vigor 2620Ln
Vigor 2760
Vigor 2762
Show all

Keywords:
Duplicate Subnet
Same Subnet
VPN Translation

Important Note: It is always better to have remote subnets numbered differently; i.e. using distinct IP address ranges. If you can renumber the subnets it will be preferable, more reliable and efficient in the long run, even if it's inconvenient to change it right now. As such, this feature should be used only when it's really impossible to alter either of the VPN-connected subnets (for example old, hardcoded products or 3rd party networks which you're not permitted to change).

The IPSEC same subnet feature on DrayTek routers provides a method to link two sites that use the same subnet. In this example, Vigor 2925 A is in the head office and Vigor 2925 B in the branch office, and they have the same LAN network 192.168.1.0/255.255.255.0. A LAN to LAN VPN needs to be establishes between the two sites, but for some reason it’s not possible to change the LAN subnet on either site.


In a standard LAN to LAN network topology the local subnet at each site must be a unique network address. The primary reason for this is for routing purposes, so that it’s possible to determine if the destination IP Address can be really locally or is remote and can only be reached via a VPN tunnel, but another reason is to avoid a clash with duplicate IP Addresses, if the same IP Address exists at each location, where it’s not possible to determine if the packet should be sent to the IP Address on the local network of the IP Address on the remote network.

The IPsec same subnet feature on DrayTek routers provides a method to link two sites that use the same subnet.

Before creating the VPN profiles, the translated Network Address for each site should be picked. This IP Address is the Network Address that the other site will use for routing purposes and users/devices who need to access resources on the other site should be configured with or made aware that they should use the translated IP Address of the destination machine rather than the real IP Address.

SiteLAN Network AddressTranslated Network Address
Headquarters 192.168.1.0 192.168.11.0
Branch Office 192.168.1.0 192.168.129.0

 

Headquarters setup - Dial IN

  1. Go to [VPN and Remote Access] > [LAN to LAN] > [Profile Index 1] then configure the Common Settings:
    1. Check Enable this profile
    2. Select Dial-In for Call Direction
    3. Input 0 for Idle Timeout. (0 means no idle timeout so server won't disconnect the VPN tunnel even when there is no packet passing.)



  2. Configure Dial-In Settings:
    1. Select only IPsec Tunnel as Allowed Dial-in Type
    2. Select Specify Remote VPN Gateway then input WAN IP Address of the branch



    3. Click IKE Pre-Shared Key button then input the Pre-Shared Key

      VPN_Translation_Branch3


  3. Configure TCP/IP Network Settings:
    Since the Vigor2925 in the two offices are using the same LAN network 192.168.1.0/ 255.255.255.0, to create an IPsec VPN connection, the head office's translated network address should be entered as the Remote Network IP and the Translated Local Network should be set to the Branch Office's translated network address.
    1. Enable IPsec VPN with the Same Subnets option
    2. Select Whole Subnet for the Translated Type
      Note: The Whole Subnet Translated Type means Vigor2925 will translate whole network IP Address automatically. For example, Local IP 192.169.1.10 will be translated to 192.168.11.10, local IP 192.168.1.11 will be translated to 192.168.11.11, and so on.
      The Specific IP Address Translated Type means Vigor2925 will only translate the specific IP Address that Network Administrator manually added in Virtual IP Mapping table.
    3. Input Remote Network IP as 192.168.11.0 (It is the Translated Network IP of the Vigor2925B in the branch office)
    4. Input 192.168.129.0 as the Translated Local Network IP.
    5. Apply the settings.

 

Branch Office Setup - Dial Out

  1. Go to [VPN and Remote Access] > [LAN to LAN] > [Profile Index 1], then configure Common Settings:
    1. Check Enable this profile.
    2. Select Dial-Out for Call Direction.
    3. Check Always on.
    4. Select WAN1 Only for VPN Dial-Out Through.



  2. Configure Dial-Out Settings:
    1. Select IPsec Tunnel for the type of Server I am calling.
    2. Input VPN Server IP (The WAN IP of the Vigor2925 at the head office)
    3. Select High(ESP) for IPsec Security Method



    4. Click IKE Pre-Shared Key button then input the Key

      VPN_Translation_HQ3


  3. Configure TCP/IP Network Settings:

    1. Check to enable option IPsec VPN with the Same Subnets
    2. Select Whole Subnet for the Translated Type
    3. Input Remote Network IP as 192.168.129.0 (It should be the Translated Local Network IP on the Vigor2925A in the head office.)
    4. Input the Translated Local Network IP as 192.168.11.0.


  4. After completing above configurations the VPN Status would be shown via [VPN and Remote Access] > [Connection Management]
    Note that the Virtual Network will show the translated address instead of the real Network Address

    VPN_Translation_Status

A computer on the HQ site will now be able to communicate with computers on the branch site by sending requests to the translated IP Address. For example if 192.168.1.10 at HQ wishes to ping 192.168.1.10 at Branch they should ping 192.168.129.10. The PC at the Branch would see the request coming from 192.168.11.10 even though it’s really from another PC also on 192.168.1.10


How do you rate this article?

1 1 1 1 1 1 1 1 1 1