Overlapping Subnets between 2 RUTX12 IPsec VPN

The following scenario:
I want to connect 2 RUTX12 using IPsec VPN and be able to ping end devices that are running behind the VPN on both sides of the tunnel. It is important that the same subnet is running on both sides. I have already set up the IPsec tunnel and can also ping the virtual IP of the other side. What is not possible is pinging devices in the subnet behind it.

IPsec server:
- virtual IP: 192.168.100.0/24
- Subnet: 192.168.42.0/24

IPsec client:
- virtual IP: 192.168.200.0/24
- Subnet: 192.168.42.0/24

I followed the instructions on the following page.
https://wiki.teltonika-networks.com/view/Overlapping_subnets_with_IPsec_solution

Custom Rules:

Server:

iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -d 192.168.200.0/24 -j NETMAP --to 192.168.100.0/24
iptables -t nat -I PREROUTING -s 192.168.200.0/24 -j NETMAP --to 192.168.42.0/24

Client:

iptables -t nat -I POSTROUTING -s 192.168.42.0/24 -d 192.168.100.0/24 -j NETMAP --to 192.168.200.0/24
iptables -t nat -I PREROUTING -s 192.168.100.0/24 -j NETMAP --to 192.168.42.0/24

Routing Rules:

I’ve tried a lot now, but I can’t reach the other devices in the same subnet. I hope someone can help me here. I think it must be on the firewall somewhere.
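As an added illustration of what the NETMAP rules quoted above actually do (this is example code, not part of the original post or of the Teltonika wiki page), the following Python model traces one ICMP request and its reply through the nat chains of both routers. It is a deliberately simplified model: it applies the four rules statelessly, ignores conntrack, and treats "matches the IPsec traffic selectors 192.168.100.0/24 === 192.168.200.0/24" as the only condition for a packet to enter the tunnel. Router names, dictionary keys and function names are the example's own.

```python
import ipaddress


def netmap(addr: str, to_net: str) -> str:
    """Model of the iptables NETMAP target: keep the host bits of addr and
    replace the network bits with those of to_net (the --to prefix)."""
    a = ipaddress.IPv4Address(addr)
    net = ipaddress.IPv4Network(to_net)
    host_bits = int(a) & int(net.hostmask)
    return str(ipaddress.IPv4Address(int(net.network_address) | host_bits))


def _in(addr: str, net: str) -> bool:
    return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(net)


# Addressing from the thread: both LANs are 192.168.42.0/24; the server side is
# presented to the tunnel as 192.168.100.0/24, the client side as 192.168.200.0/24.
SERVER = {"lan": "192.168.42.0/24", "vip": "192.168.100.0/24", "peer_vip": "192.168.200.0/24"}
CLIENT = {"lan": "192.168.42.0/24", "vip": "192.168.200.0/24", "peer_vip": "192.168.100.0/24"}


def postrouting(r: dict, src: str, dst: str) -> tuple:
    """iptables -t nat -I POSTROUTING -s <lan> -d <peer_vip> -j NETMAP --to <vip>
    In POSTROUTING, NETMAP rewrites the source address."""
    if _in(src, r["lan"]) and _in(dst, r["peer_vip"]):
        src = netmap(src, r["vip"])
    return src, dst


def prerouting(r: dict, src: str, dst: str) -> tuple:
    """iptables -t nat -I PREROUTING -s <peer_vip> -j NETMAP --to <lan>
    In PREROUTING, NETMAP rewrites the destination address."""
    if _in(src, r["peer_vip"]):
        dst = netmap(dst, r["lan"])
    return src, dst


def send(sender: dict, receiver: dict, src: str, dst: str):
    """Trace one packet from a host behind `sender` to a host behind `receiver`.
    Returns the (src, dst) pair the receiving host sees, or None when the packet,
    after the sender's NAT, does not match the IPsec traffic selectors
    (192.168.100.0/24 === 192.168.200.0/24) and therefore never enters the tunnel."""
    src, dst = postrouting(sender, src, dst)
    if not (_in(src, sender["vip"]) and _in(dst, receiver["vip"])):
        return None
    return prerouting(receiver, src, dst)


def round_trip(client_host: str, server_host: str):
    """Ping from client_host to server_host. The client host must address the
    server host through the server's mapped prefix (192.168.100.x); the server
    host replies to the client's mapped address (192.168.200.x).
    Returns (what the server host receives, what the client host receives)."""
    request = send(CLIENT, SERVER, client_host, netmap(server_host, CLIENT["peer_vip"]))
    if request is None:
        return None
    mapped_src, real_dst = request
    reply = send(SERVER, CLIENT, real_dst, mapped_src)
    return request, reply


if __name__ == "__main__":
    print(round_trip("192.168.42.118", "192.168.42.85"))
    # Addressing the real (overlapping) IP directly never reaches the tunnel:
    print(send(CLIENT, SERVER, "192.168.42.118", "192.168.42.85"))
```

Run as a script it shows the working case, 192.168.42.118 pinging 192.168.100.85: the server-side host receives the request from 192.168.200.118 and its reply comes back to the client host from 192.168.100.85. It also shows why a client host pinging 192.168.42.85 directly gets nowhere: no rule rewrites that packet, it stays inside the local 192.168.42.0/24 and never matches the tunnel's selectors, which is exactly the limitation of the NETMAP approach.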

Hello,
From one side, traceroute to an existing IP address on the other side. What do you see?

Regards,

Status IPsec:

Security Associations (1 up, 0 connecting):
VPN1-VPN1_c[28]: ESTABLISHED 24 minutes ago, 172.16.4.111[FQDN]…xx.xxx.xx.xx[FQDN]
VPN1-VPN1_c{18}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c7cc1de9_i cce990ca_o
VPN1-VPN1_c{18}: 192.168.100.0/24 === 192.168.200.0/24

traceroute:

From Server:

traceroute to 192.168.200.1 (192.168.200.1), 30 hops max, 46 byte packets
1 192.168.200.1 (192.168.200.1) 37.721 ms 38.139 ms 37.565 ms

traceroute to 192.168.42.118 (192.168.42.118), 30 hops max, 46 byte packets
1 192.168.42.1 (192.168.42.1) 3133.595 ms !H 3118.708 ms !H 3119.353 ms !H

From Client:

traceroute to 192.168.100.1 (192.168.100.1), 30 hops max, 46 byte packets
1 192.168.100.1 (192.168.100.1) 42.865 ms 42.378 ms 40.669 ms

traceroute to 192.168.42.118 (192.168.42.118), 30 hops max, 46 byte packets
1 192.168.42.1 (192.168.42.1) 3133.595 ms !H 3118.708 ms !H 3119.353 ms !H

192.168.42.85 is a device on server side
192.168.42.118 is a device on client side

There seems to be some confusion here.
From the client, traceroute 192.168.100.85 or from the server traceroute 192.168.200.118
What is the result ?

traceroute to 192.168.200.118 (192.168.200.118), 30 hops max, 46 byte packets
1 192.168.200.118 (192.168.200.118) 70.719 ms 41.560 ms 45.650 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Same on the other side.

This seems to work.

But I need all devices that have a 192.168.42.0/24 IP to talk to each other.

Is this possible, without typing 192.168.200.118/192.168.100.85?
The devices behind them are microphone stations for television productions and these have a fixed IP over which their network is set up. I can’t switch them like that.

No. If you have the same IP address on both sides, how do you distinguish the two? One is local, the other remote; the system will not have any way to know how to route the packets.

If you can, subdivide your 192.168.42.0/24 network into 192.168.42.0/25 and 192.168.42.128/25. You may have to reassign IP addresses, but then you can get rid of the 192.168.100.0/24 and 192.168.200.0/24 networks and all the NETMAP logic.

Thank you so much for your contribution so far. I will speak to my manager. Maybe that’s the solution.

I have now divided the nets on both sides into /25 and deleted the custom rules.

Server:
192.168.42.0/25

Client:
192.168.42.128/25

The VPN is working and the routers can ping each other. What still doesn’t work is pinging the end devices.

The strange thing is that I can't ping the newly assigned IP .130 on the client side. Does a Teltonika router not recognize a /25 net with .128-.256 IPs?

Which firewall rules do I need so that the end devices can talk to each other? I think I only need 2 traffic rules (VPN-WAN/WAN-VPN), or?

What is the output of ipsec statusall on both sides?

VPN1-VPN1_c[2]: ESTABLISHED 15 minutes ago, 172.16.4.111[FQDN]…xx.xx.xx.xx[FQDN]
VPN1-VPN1_c{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c8ee6061_i c26b06a6_o
VPN1-VPN1_c{1}: 192.168.42.0/25 === 192.168.42.128/25

Now I created 2 NAT rules on both sides; this seems to work.

Hmm. What are those rules? You shouldn't have to do that.
On the router on one side do a tcpdump -i any -n -v icmp and from the other side a ping of a remote device. What is the output of tcpdump?

Using these rules, I can ping the device on the server side from the client side. Otherwise I can only ping 192.168.42.1/128.

tcpdump_output:

14:05:11.863242 eth1 In IP (tos 0x0, ttl 64, id 33118, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 28527, seq 28, length 64
14:05:11.863696 br-ifLan2 Out IP (tos 0x0, ttl 63, id 33118, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 28527, seq 28, length 64
14:05:11.863723 eth0.3600 Out IP (tos 0x0, ttl 63, id 33118, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 28527, seq 28, length 64
14:05:11.863736 eth0 Out IP5 (invalid)

I am confused. What are the LAN addresses of the routers?
What is the default route on the LAN devices on both sides?
Could you disable the NAT rules and retry the ping / tcpdump?
What is the 192.168.42.128 device? Shouldn't that be 192.168.42.129 or some other value between 129 and 254?
In the IPsec config, have you set “Route based IPsec”?
If not set, what are the values of “Local subnet” and “Remote subnet” for both sides?
If set, what is the value of “IP address”, idem for both sides?
For testing, be sure to disable “Local firewall” and “Remote firewall”.

IPsec configuration has several subtleties and it is easy to mess things up; maybe you could consider using WireGuard instead: the configuration is straightforward and performance is much better.

  1. LAN Addresses: Server: 192.168.42.1/25 === Client: 192.168.42.128/25 (VLAN 3600)
  2. Default Routes: there are no rules in routing
  3. The output above is without active NAT rule
  4. .128 is the client router IP and devices behind it have .129-.254
  5. Route based IPsec is not active
  6. Server: local subnet/remote subnet: 192.168.42.0/25 / 192.168.42.128/25
     Client: local subnet/remote subnet: 192.168.42.128/25 / 192.168.42.0/25
  7. Disabling the firewall has no effect, I can't ping devices behind the routers

It only works with NAT rules…

This is the address of the subnetwork (/25), you should avoid it. Use .129 instead for the router itself.

This is the default route on the lan devices themselves. 192.168.42.1 on the server side and 192.168.42.129 on the client side.
Retry the ping / tcpdump.
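An added consistency check for the split-subnet plan discussed in this reply (example code written for this page, not something from the thread or from Teltonika): given one router's IPsec selectors, its LAN address and the hosts behind it, it reports the two mistakes that came up here, overlapping selectors and a router or host placed on the network address of its /25 (.128 in 192.168.42.128/25). The function name and message wording are the example's own; the addresses are the ones from the thread.

```python
import ipaddress


def check_plan(local_net: str, remote_net: str, router_ip: str, hosts: list) -> list:
    """Return a list of problems with one router's side of a split-subnet plan
    (an empty list means the plan is consistent).

    local_net / remote_net: the IPsec "Local subnet" / "Remote subnet" selectors
    router_ip:              the router's LAN address, i.e. the hosts' default gateway
    hosts:                  LAN devices that should be reachable through the tunnel
    """
    problems = []
    local = ipaddress.IPv4Network(local_net)
    remote = ipaddress.IPv4Network(remote_net)

    # Overlapping selectors are the original problem of the thread: the kernel
    # cannot tell a local 192.168.42.x from a remote one.
    if local.overlaps(remote):
        problems.append(f"local {local} overlaps remote {remote}; split the range instead")

    first_host = next(local.hosts())  # lowest usable address, e.g. .129 in 192.168.42.128/25
    for label, ip in [("router", router_ip)] + [("host", h) for h in hosts]:
        a = ipaddress.IPv4Address(ip)
        if a == local.network_address:
            problems.append(f"{label} {a} is the network address of {local}; use {first_host} or higher")
        elif a == local.broadcast_address:
            problems.append(f"{label} {a} is the broadcast address of {local}")
        elif a not in local:
            problems.append(f"{label} {a} is outside {local} and would not match the IPsec selector")
    return problems


if __name__ == "__main__":
    # Client side as first configured in the thread (router on .128): one problem reported.
    for p in check_plan("192.168.42.128/25", "192.168.42.0/25", "192.168.42.128", ["192.168.42.130"]):
        print("client:", p)
    # Client side with the router moved to .129 and server side: no problems.
    print(check_plan("192.168.42.128/25", "192.168.42.0/25", "192.168.42.129", ["192.168.42.130", "192.168.42.140"]))
    print(check_plan("192.168.42.0/25", "192.168.42.128/25", "192.168.42.1", ["192.168.42.85"]))
```

The check mirrors what the reply says: in 192.168.42.128/25 the usable host range is .129 to .254, .128 is the network address and .255 the broadcast address, so a router configured on .128 cannot be a working default gateway for the hosts behind it. The overlap test is the reason the NETMAP approach was needed in the first place and the reason it can be dropped once the two /25 halves are disjoint.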

Changing the IP to .129 solved my problem of pinging devices with IPs higher than .129.
Both Router can now reach all devices but…

I cannot ping devices on the other side of the network, e.g. from a laptop.

tcpdump (NAT disabled)

16:48:52.937520 eth1 In IP (tos 0x0, ttl 64, id 43403, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 25012, seq 17, length 64
16:48:52.937954 br-ifLan2 Out IP (tos 0x0, ttl 63, id 43403, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 25012, seq 17, length 64
16:48:52.937980 eth0.3600 Out IP (tos 0x0, ttl 63, id 43403, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 25012, seq 17, length 64
16:48:52.937993 eth0 Out IP5 (invalid)

tcpdump (NAT enabled)

16:51:22.422735 eth1 In IP (tos 0x0, ttl 64, id 50284, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.128 > 192.168.42.85: ICMP echo request, id 25435, seq 14, length 64
16:51:22.423154 br-ifLan2 Out IP (tos 0x0, ttl 63, id 50284, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.1 > 192.168.42.85: ICMP echo request, id 25435, seq 14, length 64
16:51:22.423179 eth0.3600 Out IP (tos 0x0, ttl 63, id 50284, offset 0, flags [DF], proto ICMP (1), length 84)
192.168.42.1 > 192.168.42.85: ICMP echo request, id 25435, seq 14, length 64
16:51:22.423193 eth0 Out IP5 (invalid)
16:51:22.423373 eth0 In IP1 (invalid)

You still have a .128 somewhere.

What is the address of this laptop? How is it connected to the .42 networks? What is “the other side” of the network?

Where is this tcpdump taken?

I don't know where the .128 is coming from. The LAN IP is .129.
In the IPsec setup and NAT I used the complete subnets (192.168.42.128/25). That's the only place where it's coming from.

The laptop address is 192.168.42.140/25 and it's plugged in to the client side router (192.168.42.128/25).

With “the other side” I mean pinging devices on the server side with that laptop.

???
What are the outputs of:
ip -4 route show
ip -4 rule show
iptables-save | grep -i ipsec
iptables -n -L | grep -i ipsec
on both routers?

Forgot one: ip -4 route show table 220