{"id":922,"date":"2010-05-15T09:48:12","date_gmt":"2010-05-15T08:48:12","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=922"},"modified":"2010-05-15T09:48:12","modified_gmt":"2010-05-15T08:48:12","slug":"configuring-ipsec-tunnel-between-two-lans-using-the-same-subnet","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=922","title":{"rendered":"Configuring IPSec tunnel between two LANs using the same subnet"},"content":{"rendered":"

How to set up an IPSec tunnel between two LANs using the same subnet.<\/p>\n

Conflicting LAN IP subnets can cause difficulties when routing through a tunnel.\u00a0 This configuration uses NAT to overcome the problem of duplicate addresses:<\/p>\n

\"Configuring<\/a><\/p>\n

CONFIGURATIONS:<\/p>\n

Router A<\/strong><\/p>\n

Current configuration : 1404 bytes
\n!
\nversion 12.3
\nservice timestamps debug datetime msec
\nservice timestamps log datetime msec
\nno service password-encryption
\n!
\nhostname SV3-2
\n!
\nboot-start-marker
\nboot-end-marker
\n!
\n!
\nno aaa new-model
\nip subnet-zero
\n!
\n!
\n!
\n!
\nip audit notify log
\nip audit po max-events 100
\nip ssh break-string
\nno ftp-server write-enable
\n!
\n!<\/p>\n

!— These are the Internet Key Exchange (IKE) parameters.<\/p>\n

crypto isakmp policy 10
\nencr 3des
\nhash md5
\nauthentication pre-share
\ncrypto isakmp key cisco123 address 10.5.76.57
\n!<\/p>\n

!— These are the IPSec parameters.<\/p>\n

crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
\n!
\n!
\ncrypto map mymap 10 ipsec-isakmp
\nset peer 10.5.76.57
\nset transform-set myset1<\/p>\n

!— Encrypt traffic to the other side.<\/p>\n

match address 100
\n!
\n!
\n!
\ninterface Serial0\/0
\ndescription Interface to Internet
\nip address 10.5.76.58 255.255.0.0
\nip nat outside
\nclockrate 128000
\ncrypto map mymap
\n!
\ninterface Ethernet0\/0
\nip address 172.16.1.1 255.255.255.0
\nno ip directed-broadcast
\nip nat inside
\nhalf-duplex
\n!
\n!<\/p>\n

!— This is the NAT traffic.<\/p>\n

ip nat inside source static network 172.16.0.0 172.18.0.0 \/16 no-alias
\nip http server
\nno ip http secure-server
\nip classless
\nip route 0.0.0.0 0.0.0.0 Serial0\/0
\n!<\/p>\n

!— Encrypt traffic to the other side.<\/p>\n

access-list 100 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
\n!
\ncontrol-plane
\n!
\n!
\nline con 0
\nline aux 0
\nline vty 0 4
\n!
\n!
\nend<\/p><\/blockquote>\n

Router B<\/strong><\/p>\n

Current configuration : 1255 bytes
\n!
\nversion 12.3
\nservice timestamps debug datetime msec
\nservice timestamps log datetime msec
\nno service password-encryption
\n!
\nhostname SV3-15
\n!
\nboot-start-marker
\nboot-end-marker
\n!
\n!
\nmemory-size iomem 15
\nno aaa new-model
\nip subnet-zero
\n!
\n!
\n!
\nip audit notify log
\nip audit po max-events 100
\n!<\/p>\n

!— These are the IKE parameters.<\/p>\n

crypto isakmp policy 10
\nencr 3des
\nhash md5
\nauthentication pre-share
\ncrypto isakmp key cisco123 address 10.5.76.58
\n!<\/p>\n

!— These are the IPSec parameters.<\/p>\n

crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
\n!
\ncrypto map mymap 10 ipsec-isakmp
\nset peer 10.5.76.58
\nset transform-set myset1<\/p>\n

!— Encrypt traffic to the other side.<\/p>\n

match address 100
\n!
\n!
\ninterface FastEthernet0\/0
\nip address 172.16.1.1 255.255.255.0
\nip nat inside
\nduplex auto
\nspeed auto
\n!
\ninterface Serial0\/0
\ndescription Interface to Internet
\nip address 10.5.76.57 255.255.0.0
\nip nat outside
\ncrypto map mymap
\n!<\/p>\n

!— This is the NAT traffic.<\/p>\n

ip nat inside source static network 172.16.0.0 172.19.0.0 \/16 no-alias
\nip http server
\nno ip http secure-server
\nip classless
\nip route 0.0.0.0 0.0.0.0 Serial0\/0
\n!<\/p>\n

!— Encrypt traffic to the other side.<\/p>\n

access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
\n!
\n!
\nline con 0
\nline aux 0
\nline vty 0 4
\n!
\n!
\n!
\nend<\/p><\/blockquote>\n

<\/span><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

How to set up an IPSec tunnel between two LANs using the same subnet. Conflicting LAN IP subnets can cause difficulties when routing through a tunnel.\u00a0 This configuration uses NAT to overcome the problem of duplicate addresses:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,27,13],"tags":[36,44],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/922"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=922"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/922\/revisions"}],"predecessor-version":[{"id":925,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/922\/revisions\/925"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=922"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}