Expired

V. VPN (Virtual Private Networking)

Expired

IPsec LAN to LAN VPN between two sites that share the same subnet with a Vigor 3900

Products:
Vigor 2960
Vigor 3900
Keywords:
2960
Duplicate Subnet
Same Subnet
VPN Translation

Important Note: It is always better to have remote subnets numbered differently; i.e. using distinct IP address ranges. If you can renumber the subnets it will be preferable, more reliable and efficient in the long run, even if it's inconvenient to change it right now. As such, this feature should be used only when it's really impossible to alter either of the VPN-connected subnets (for example old, hardcoded products or 3rd party networks which you're not permitted to change).

The VPN IP translation feature on DrayTek routers provides a method to link two sites that use the same subnet.

This requires both routers to support the IP Translation facility for LAN to LAN VPNs, which currently includes the Vigor 3900, Vigor 2960, Vigor 2925 series and Vigor 2860 series.


In a standard LAN to LAN network topology the local subnet at each site must be a unique network address. The primary reason for this is for routing purposes, so that it’s possible to determine if the destination IP Address can be really locally or is remote and can only be reached via a VPN tunnel, but another reason is to avoid a clash with duplicate IP Addresses, if the same IP Address exists at each location, where it’s not possible to determine if the packet should be sent to the IP Address on the local network of the IP Address on the remote network.

Before creating the VPN profiles, the translated Network Address for each site should be picked. This IP Address is the Network Address that the other site will use for routing purposes and users/devices who need to access resources on the other site should be configured with or made aware that they should use the translated IP Address of the destination machine rather than the real IP Address.

This example will use the IP addresses shown in this image:

It will also cover how to link a Vigor 3900 / 2960 router with a Vigor 2860 / 2925 router when using the IP translation feature, with setup details for Branch B showing both the configuration required for both types of router.


Site A - Vigor 3900

Go to [VPN and Remote Access] > [VPN Profile] > [IPsec tab] then click Add to create a new VPN profile:

  1. Go to the Basic tab, check Enable in the VPN profile and give it a suitable name
  2. Enter the Local IP as a network address and select the correct Network Mask for your network. In this example, the Local IP is 192.168.1.0 and the Subnet Mask is 255.255.255.0
  3. Set the WAN IP of the remote site (in this example 200.200.200.200) in the Remote Host field
  4. Enter the Remote IP as the translated network address of the remote subnet. In this example, Branch B is being translated to 192.168.21.x so enter 192.168.21.0 and set the Subnet Mask as 255.255.255.0
  5. Set the Pre-Shared Key for the VPN


VPN_Translation_Branch1
Go to the Advanced tab in the VPN profile:

  1. Enable the Apply NAT Policy option
  2. In the Translated Local Network setting, which translates the Local IP range specified in the Basic settings tab, to the IP range specified here, for the purposes of VPN connectivity, enter the IP of 192.168.11.0 and select the Subnet Mask of 255.255.255.0


VPN_Translation_Branch2Click Apply to save and activate the VPN profile.


After completing above configurations the VPN Status would be shown on the Vigor 3900 router via [VPN and Remote Access] > [Connection Management]:

Click the Connect button to start the VPN if it has not already connected.

It should then show in the VPN Connection Status window, with the translated IP range shown:

A computer on the HQ site will now be able to communicate with computers on the branch site by sending requests to the translated IP Address. For example if 192.168.1.10 at Branch A wishes to ping 192.168.1.10 at Branch B they should ping 192.168.21.10. The PC at the Branch would see the request coming from 192.168.11.10 even though it’s really from another PC also on 192.168.1.10.

This can be tested by going to [Diagnostics] > [Ping / Trace Route] on the Vigor 3900 router and pinging 192.168.21.1 if the Branch B router's IP address is set to 192.168.1.1, this gets translated between the two networks so that no IP conflict between the two 192.168.1.x networks can occur.


How do you rate this article?

1 1 1 1 1 1 1 1 1 1