



 Allied Telesyn Config for The Almost Impossible VPN Configuration between 2 Private LANs that Have the Same Subnet Address.



1. VPN between 2 remote LANs with same subnet address
2. VPN between 2 remote LANs with same subnet address + enhanced NAT
3. VPN between 2 remote LANs with same subnet address + enhanced NAT + bonus Cisco like loopback config


1. VPN between 2 remote LANs with same subnet address

the almost impossible VPN

Usually a VPN tunnel is configured between 2 remote LANs that have different subnet addresses...
But it is also possible to configure a VPN between 2 remote LANs that have the same subnet address.

The trick is to NAT the original LAN private IP addresses to different private IP addresses, so that the 2 remote LANs end up with different subnet addresses, and then configure the VPN using these NATed IP addresses...

The config of ROUTER A:
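# ROUTER A — section 1 (one-to-one NAT on both ends, no loopback).
# NOTE(review): the original listing here was a byte-for-byte copy of the
# ROUTER B listing below (eth0 10.0.0.2, LAN NATed to 172.30.2.0/24,
# peer 10.0.0.1), so both ends claimed the same address and the same
# translated subnet and the tunnel could never come up. This version is the
# mirror image, taken from the ROUTER A listing in section 3 (eth0 10.0.0.1,
# LAN NATed to 172.30.1.0/24, remote 172.30.2.0/24) with the peer set to
# ROUTER B's eth0 address 10.0.0.2 instead of the section 3 loopback.
# Verify on hardware before relying on it.
# VLAN general configuration
create vlan="vlan2" vid=2

# VLAN port configuration
add vlan="2" port=1

# IP configuration
enable ip
add ip int=eth0 ip=10.0.0.1 mask=255.255.255.0
add ip int=vlan2 ip=192.168.0.1
set ip loc ip=192.168.0.1
# Default route points straight at ROUTER B (back-to-back lab wiring);
# in a real deployment this is the ISP gateway.
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=10.0.0.2

# FIREWALL configuration
enable firewall
create firewall policy="firepoli"
# icmp_f=all forwards every ICMP type through the firewall; tighten if only
# echo/unreachable are needed.
enable firewall policy="firepoli" icmp_f=all
add firewall policy="firepoli" int=vlan2 type=private
add firewall policy="firepoli" int=eth0 type=public
# Plain Internet traffic: the whole LAN is masqueraded behind eth0's own address.
add firewall poli="firepoli" nat=enhanced int=vlan2 gblin=eth0 gblip=10.0.0.1
# Tunnel traffic seen on the public side: 192.168.0.0/24 <-> 172.30.1.0/24
# (natm = NAT mask), restricted to IPsec-encapsulated (enc=ips) packets whose
# remote address is B's translated subnet.
add firewall poli="firepoli" ru=2 ac=nat int=eth0 prot=ALL ip=192.168.0.0 gblip=172.30.1.0 natm=255.255.255.0
set firewall poli="firepoli" ru=2 rem=172.30.2.0-172.30.2.255 enc=ips
# Let IKE (UDP/500) reach the router's own eth0 address.
add firewall poli="firepoli" ru=3 ac=allo int=eth0 prot=udp po=500 ip=10.0.0.1 gblip=10.0.0.1 gblp=500
# Tunnel traffic seen on the LAN side: hosts bound for B's translated subnet
# are rewritten to 172.30.1.x before they reach the IPsec policy.
add firewall poli="firepoli" ru=1 ac=nat int=vlan2 prot=ALL ip=192.168.0.0 gblip=172.30.1.0 natm=255.255.255.0
set firewall poli="firepoli" ru=1 rem=172.30.2.0-172.30.2.255

# IPSEC configuration
# 3DES/SHA-1 (and DH group 2 below) are the choices of this 2004 write-up;
# use a stronger suite wherever the firmware offers one.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec bund=1 key=isakmp string="1"
# IKE itself has to pass in the clear on UDP/500.
create ipsec pol="vpn-isakmp" int=eth0 ac=permit
set ipsec pol="vpn-isakmp" lp=500 rp=500 tra=UDP
# The tunnel: local translated subnet 172.30.1.0/24 to B's 172.30.2.0/24,
# peer = ROUTER B's eth0.
create ipsec pol="vpn-tunnel1" int=eth0 ac=ipsec key=isakmp bund=1 peer=10.0.0.2 isa="passphrase"
set ipsec pol="vpn-tunnel1" lad=172.30.1.0 lma=255.255.255.0 rad=172.30.2.0 rma=255.255.255.0
set ipsec pol="vpn-tunnel1" srci=eth0
# Catch-all, evaluated after the tunnel policy: anything not matched above
# leaves eth0 unencrypted.
create ipsec pol="vpn-internet" int=eth0 ac=permit
enable ipsec

# ISAKMP Configurations
# key=1 refers to a pre-shared key that must already exist, identically, on
# both routers; the command that creates it is not shown on this page.
create isakmp pol="passphrase" pe=10.0.0.2 srci=eth0 enc=3desouter key=1
set isakmp pol="passphrase" gro=2
set isakmp pol="passphrase" sendd=true setc=true
enable isakmp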


The config of ROUTER B:
# ROUTER B — section 1 (one-to-one NAT on both ends, no loopback).
# B's eth0 is 10.0.0.2; its LAN 192.168.0.0/24 is presented to the tunnel
# as 172.30.2.0/24 and it expects A's LAN as 172.30.1.0/24.
# VLAN general configuration
create vlan="vlan2" vid=2

# VLAN port configuration
add vlan="2" port=1

# IP configuration
enable ip
add ip int=eth0 ip=10.0.0.2 mask=255.255.255.0
add ip int=vlan2 ip=192.168.0.1
set ip loc ip=192.168.0.1
# Default route points at the other router (back-to-back lab wiring);
# in a real deployment this is the ISP gateway.
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=10.0.0.1

# FIREWALL configuration
enable firewall
create firewall policy="firepoli"
# icmp_f=all forwards every ICMP type through the firewall; tighten if only
# echo/unreachable are needed.
enable firewall policy="firepoli" icmp_f=all
add firewall policy="firepoli" int=vlan2 type=private
add firewall policy="firepoli" int=eth0 type=public
# Plain Internet traffic: the whole LAN is masqueraded behind eth0's own address.
add firewall poli="firepoli" nat=enhanced int=vlan2 gblin=eth0 gblip=10.0.0.2
# Tunnel traffic seen on the public side: 192.168.0.0/24 <-> 172.30.2.0/24
# (natm = NAT mask), restricted to IPsec-encapsulated (enc=ips) packets whose
# remote address is A's translated subnet.
add firewall poli="firepoli" ru=2 ac=nat int=eth0 prot=ALL ip=192.168.0.0 gblip=172.30.2.0 natm=255.255.255.0
set firewall poli="firepoli" ru=2 rem=172.30.1.0-172.30.1.255 enc=ips
# Let IKE (UDP/500) reach the router's own eth0 address.
add firewall poli="firepoli" ru=3 ac=allo int=eth0 prot=udp po=500 ip=10.0.0.2 gblip=10.0.0.2 gblp=500
# Tunnel traffic seen on the LAN side: hosts bound for A's translated subnet
# are rewritten to 172.30.2.x before they reach the IPsec policy.
add firewall poli="firepoli" ru=1 ac=nat int=vlan2 prot=ALL ip=192.168.0.0 gblip=172.30.2.0 natm=255.255.255.0
set firewall poli="firepoli" ru=1 rem=172.30.1.0-172.30.1.255

# IPSEC configuration
# 3DES/SHA-1 (and DH group 2 below) are the choices of this 2004 write-up;
# use a stronger suite wherever the firmware offers one.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec bund=1 key=isakmp string="1"
# IKE itself has to pass in the clear on UDP/500.
create ipsec pol="vpn-isakmp" int=eth0 ac=permit
set ipsec pol="vpn-isakmp" lp=500 rp=500 tra=UDP
# The tunnel: local translated subnet 172.30.2.0/24 to A's 172.30.1.0/24,
# peer = ROUTER A's eth0.
create ipsec pol="vpn-tunnel1" int=eth0 ac=ipsec key=isakmp bund=1 peer=10.0.0.1 isa="passphrase"
set ipsec pol="vpn-tunnel1" lad=172.30.2.0 lma=255.255.255.0 rad=172.30.1.0 rma=255.255.255.0
set ipsec pol="vpn-tunnel1" srci=eth0
# Catch-all, evaluated after the tunnel policy: anything not matched above
# leaves eth0 unencrypted.
create ipsec pol="vpn-internet" int=eth0 ac=permit
enable ipsec

# ISAKMP Configurations
# key=1 refers to a pre-shared key that must already exist, identically, on
# both routers; the command that creates it is not shown on this page.
create isakmp pol="passphrase" pe=10.0.0.1 srci=eth0 enc=3desouter key=1
set isakmp pol="passphrase" gro=2
set isakmp pol="passphrase" sendd=true setc=true
enable isakmp



2. VPN between 2 remote LANs with the same subnet address + enhanced NAT

same subnet VPN with enhanced NAT

Here is a similar configuration, but this time all the private IP addresses of router B are NATed to a single IP address (172.30.2.1).


The config of ROUTER A:
same as above


The config of ROUTER B:


# ROUTER B — section 2 (many-to-one "enhanced" NAT towards the tunnel).
# Differs from section 1 only in firewall rules 1 and 2: the whole LAN is
# presented to the tunnel as the single address 172.30.2.1 instead of
# 172.30.2.0/24. The IPsec policy below still declares 172.30.2.0/24 as the
# local side, which covers that one address.
# NOTE(review): with a many-to-one translation, hosts behind A presumably can
# no longer initiate connections to individual hosts behind B — confirm.
# VLAN general configuration
create vlan="vlan2" vid=2

# VLAN port configuration
add vlan="2" port=1

# IP configuration
enable ip
add ip int=eth0 ip=10.0.0.2 mask=255.255.255.0
add ip int=vlan2 ip=192.168.0.1
set ip loc ip=192.168.0.1
# Default route points at the other router (back-to-back lab wiring);
# in a real deployment this is the ISP gateway.
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=10.0.0.1

# FIREWALL configuration
enable firewall
create firewall policy="firepoli"
# icmp_f=all forwards every ICMP type through the firewall; tighten if only
# echo/unreachable are needed.
enable firewall policy="firepoli" icmp_f=all
add firewall policy="firepoli" int=vlan2 type=private
add firewall policy="firepoli" int=eth0 type=public
# Plain Internet traffic: the whole LAN is masqueraded behind eth0's own address.
add firewall poli="firepoli" nat=enhanced int=vlan2 gblin=eth0 gblip=10.0.0.2
# Public-side half of the tunnel NAT: the single translated address 172.30.2.1.
add firewall poli="firepoli" ru=2 ac=nat int=eth0 prot=ALL ip=172.30.2.1
# Let IKE (UDP/500) reach the router's own eth0 address.
add firewall poli="firepoli" ru=3 ac=allo int=eth0 prot=udp po=500 ip=10.0.0.2 gblip=10.0.0.2 gblp=500
# LAN-side half: every host bound for A's translated subnet is masqueraded
# behind 172.30.2.1 (natt=enh = enhanced, many-to-one NAT).
add firewall poli="firepoli" ru=1 ac=nat int=vlan2 prot=ALL gblip=172.30.2.1 natt=enh
set firewall poli="firepoli" ru=1 rem=172.30.1.0-172.30.1.255

# IPSEC configuration
# 3DES/SHA-1 (and DH group 2 below) are the choices of this 2004 write-up;
# use a stronger suite wherever the firmware offers one.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec bund=1 key=isakmp string="1"
# IKE itself has to pass in the clear on UDP/500.
create ipsec pol="vpn-isakmp" int=eth0 ac=permit
set ipsec pol="vpn-isakmp" lp=500 rp=500 tra=UDP
# The tunnel: local 172.30.2.0/24 (only .1 is ever used) to A's 172.30.1.0/24,
# peer = ROUTER A's eth0.
create ipsec pol="vpn-tunnel1" int=eth0 ac=ipsec key=isakmp bund=1 peer=10.0.0.1 isa="passphrase"
set ipsec pol="vpn-tunnel1" lad=172.30.2.0 lma=255.255.255.0 rad=172.30.1.0 rma=255.255.255.0
set ipsec pol="vpn-tunnel1" srci=eth0
# Catch-all, evaluated after the tunnel policy: anything not matched above
# leaves eth0 unencrypted.
create ipsec pol="vpn-internet" int=eth0 ac=permit
enable ipsec

# ISAKMP Configurations
# key=1 refers to a pre-shared key that must already exist, identically, on
# both routers; the command that creates it is not shown on this page.
create isakmp pol="passphrase" pe=10.0.0.1 srci=eth0 enc=3desouter key=1
set isakmp pol="passphrase" gro=2
set isakmp pol="passphrase" sendd=true setc=true
enable isakmp


3. VPN between 2 remote LANs with same subnet address + enhanced NAT + bonus Cisco like loopback config

same subnet VPN with enhanced NAT

This setup is similar to setup no. 2, with a little twist:
Sometimes an ISP assigns a handful of public IP addresses to a client for Internet services and navigation, but the IP address assigned to the client's router external interface is not a routable IP address. In this setup the IP address of Ethernet 0 of router B is not routable; the only way to reach router B from the Internet is via 172.16.0.1.

Creating a Cisco-like loopback interface with the IP address 172.16.0.1 will resolve this problem.
All internal hosts will use this IP address for Internet navigation. The same address is also used for initiating the IPSec VPN and as the peer IP address.


The config of ROUTER A:
# ROUTER A — section 3. Same as the section 1 role of ROUTER A (eth0 10.0.0.1,
# LAN NATed to 172.30.1.0/24, remote 172.30.2.0/24), except that the IPsec and
# ISAKMP peer is ROUTER B's routable loopback address 172.16.0.1 rather than
# B's eth0.
# NOTE(review): unlike the other listings there is no "set ip loc" line here;
# presumably harmless, but confirm it was not dropped by mistake.
# VLAN general configuration
create vlan="vlan2" vid=2

# VLAN port configuration
add vlan="2" port=1

# IP configuration
enable ip
add ip int=eth0 ip=10.0.0.1 mask=255.255.255.0
add ip int=vlan2 ip=192.168.0.1
# Default route points at ROUTER B (back-to-back lab wiring);
# in a real deployment this is the ISP gateway.
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=10.0.0.2

# FIREWALL configuration
enable firewall
create firewall policy="firepoli"
# icmp_f=all forwards every ICMP type through the firewall; tighten if only
# echo/unreachable are needed.
enable firewall policy="firepoli" icmp_f=all
add firewall policy="firepoli" int=vlan2 type=private
add firewall policy="firepoli" int=eth0 type=public
# Plain Internet traffic: the whole LAN is masqueraded behind eth0's own address.
add firewall poli="firepoli" nat=enhanced int=vlan2 gblin=eth0 gblip=10.0.0.1
# Tunnel traffic seen on the public side: 192.168.0.0/24 <-> 172.30.1.0/24
# (natm = NAT mask), restricted to IPsec-encapsulated (enc=ips) packets whose
# remote address is B's translated subnet.
add firewall poli="firepoli" ru=2 ac=nat int=eth0 prot=ALL ip=192.168.0.0 gblip=172.30.1.0 natm=255.255.255.0
set firewall poli="firepoli" ru=2 rem=172.30.2.0-172.30.2.255 enc=ips
# Let IKE (UDP/500) reach the router's own eth0 address.
add firewall poli="firepoli" ru=3 ac=allo int=eth0 prot=udp po=500 ip=10.0.0.1 gblip=10.0.0.1 gblp=500
# Tunnel traffic seen on the LAN side: hosts bound for B's translated subnet
# are rewritten to 172.30.1.x before they reach the IPsec policy.
add firewall poli="firepoli" ru=1 ac=nat int=vlan2 prot=ALL ip=192.168.0.0 gblip=172.30.1.0 natm=255.255.255.0
set firewall poli="firepoli" ru=1 rem=172.30.2.0-172.30.2.255

# IPSEC configuration
# 3DES/SHA-1 (and DH group 2 below) are the choices of this 2004 write-up;
# use a stronger suite wherever the firmware offers one.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec bund=1 key=isakmp string="1"
# IKE itself has to pass in the clear on UDP/500.
create ipsec pol="vpn-isakmp" int=eth0 ac=permit
set ipsec pol="vpn-isakmp" lp=500 rp=500 tra=UDP
# The tunnel: local 172.30.1.0/24 to B's 172.30.2.0/24, peer = B's loopback.
create ipsec pol="vpn-tunnel1" int=eth0 ac=ipsec key=isakmp bund=1 peer=172.16.0.1 isa="passphrase"
set ipsec pol="vpn-tunnel1" lad=172.30.1.0 lma=255.255.255.0 rad=172.30.2.0 rma=255.255.255.0
set ipsec pol="vpn-tunnel1" srci=eth0
# Catch-all, evaluated after the tunnel policy: anything not matched above
# leaves eth0 unencrypted.
create ipsec pol="vpn-internet" int=eth0 ac=permit
enable ipsec

# ISAKMP Configurations
# key=1 refers to a pre-shared key that must already exist, identically, on
# both routers; the command that creates it is not shown on this page.
create isakmp pol="passphrase" pe=172.16.0.1 srci=eth0 enc=3desouter key=1
set isakmp pol="passphrase" gro=2
set isakmp pol="passphrase" sendd=true setc=true
enable isakmp


The config of ROUTER B:
# ROUTER B — section 3. Same as section 2, plus a "loopback": a PPP interface
# that is never brought up carries the routable /32 address 172.16.0.1, which
# becomes B's Internet-facing NAT address and the IKE/IPsec source interface.
# NOTE(review): firewall rule 3 and the "vpn-isakmp" policy below still refer
# to eth0 / 10.0.0.2, while ISAKMP and the tunnel are now sourced from ppp0
# (172.16.0.1). Confirm on hardware whether IKE arriving for 172.16.0.1 is
# actually admitted, or whether a matching allow rule / policy on ppp0 is needed.
# VLAN general configuration
create vlan="vlan2" vid=2

# VLAN port configuration
add vlan="2" port=1

# PPP configuration
# Loopback stand-in: a PPP interface over eth0 that is only used as an
# address holder (idle=60).
create ppp=0 idle=60 over=eth0-any

# IP configuration
enable ip
add ip int=eth0 ip=10.0.0.2 mask=255.255.255.0
add ip int=vlan2 ip=192.168.0.1
# The routable address, as a /32 host address on ppp0.
add ip int=ppp0 ip=172.16.0.1 mask=255.255.255.255
set ip loc ip=192.168.0.1
# Default route still goes out of eth0 towards the other router.
add ip rou=0.0.0.0 mask=0.0.0.0 int=eth0 next=10.0.0.1

# FIREWALL configuration
enable firewall
create firewall policy="firepoli"
# icmp_f=all forwards every ICMP type through the firewall; tighten if only
# echo/unreachable are needed.
enable firewall policy="firepoli" icmp_f=all
add firewall policy="firepoli" int=vlan2 type=private
# Both the loopback stand-in and eth0 are treated as public.
add firewall policy="firepoli" int=ppp0 type=public
add firewall policy="firepoli" int=eth0 type=public
# Plain Internet traffic: the whole LAN is masqueraded behind the routable
# 172.16.0.1 while still leaving through eth0.
add firewall poli="firepoli" nat=enhanced int=vlan2 gblin=eth0 gblip=172.16.0.1
# Public-side half of the tunnel NAT: the single translated address 172.30.2.1.
add firewall poli="firepoli" ru=2 ac=nat int=eth0 prot=ALL ip=172.30.2.1
# Let IKE (UDP/500) reach the router's eth0 address (see the note at the top).
add firewall poli="firepoli" ru=3 ac=allo int=eth0 prot=udp po=500 ip=10.0.0.2 gblip=10.0.0.2 gblp=500
# LAN-side half: every host bound for A's translated subnet is masqueraded
# behind 172.30.2.1 (natt=enh = enhanced, many-to-one NAT).
add firewall poli="firepoli" ru=1 ac=nat int=vlan2 prot=ALL gblip=172.30.2.1 natt=enh
set firewall poli="firepoli" ru=1 rem=172.30.1.0-172.30.1.255

# IPSEC configuration
# 3DES/SHA-1 (and DH group 2 below) are the choices of this 2004 write-up;
# use a stronger suite wherever the firmware offers one.
create ipsec sas=1 key=isakmp prot=esp enc=3desouter hasha=sha
create ipsec bund=1 key=isakmp string="1"
# IKE itself has to pass in the clear on UDP/500.
create ipsec pol="vpn-isakmp" int=eth0 ac=permit
set ipsec pol="vpn-isakmp" lp=500 rp=500 tra=UDP
# The tunnel: local 172.30.2.0/24 (only .1 is ever used) to A's 172.30.1.0/24,
# peer = ROUTER A's eth0, sourced from the loopback stand-in ppp0.
create ipsec pol="vpn-tunnel1" int=eth0 ac=ipsec key=isakmp bund=1 peer=10.0.0.1 isa="passphrase"
set ipsec pol="vpn-tunnel1" lad=172.30.2.0 lma=255.255.255.0 rad=172.30.1.0 rma=255.255.255.0
set ipsec pol="vpn-tunnel1" srci=ppp0
# Catch-all, evaluated after the tunnel policy: anything not matched above
# leaves eth0 unencrypted.
create ipsec pol="vpn-internet" int=eth0 ac=permit
enable ipsec

# ISAKMP Configurations
# key=1 refers to a pre-shared key that must already exist, identically, on
# both routers; the command that creates it is not shown on this page.
# IKE is sourced from ppp0, i.e. from 172.16.0.1, which is what A peers with.
create isakmp pol="passphrase" pe=10.0.0.1 srci=ppp0 enc=3desouter key=1
set isakmp pol="passphrase" gro=2
set isakmp pol="passphrase" sendd=true setc=true
enable isakmp





homepage $ Sat Jan 24 20:47:27 CET 2004 $ © 2003-2004 Omar Gani