Overlapping subnets with IPsec solution

From Teltonika Networks Wiki
Latest revision as of 11:51, 5 November 2025


The information on this page is updated in accordance with the 00.07.17.4 firmware version.

Introduction

This article provides a configuration example showing how to connect two sites over IPsec when both LANs use the same address range (here 192.168.1.0/24 on both routers). A host cannot route to a remote subnet that is identical to its own, so each router presents its LAN to the peer as a distinct virtual subnet (192.168.3.0/24 for RUT1, 192.168.4.0/24 for RUT2), the tunnel is negotiated between the virtual subnets, and the iptables NETMAP target translates between real and virtual addresses on each router.

Configuration overview and prerequisites

Prerequisites:

  • Two RUTxxx routers of any type.
  • A SIM card with a Public Static or Public Dynamic IP address for the IPsec server.
  • An end device (PC, Laptop, Tablet, Smartphone) to configure the routers.
  • The IPtables NAT extra package installed via the package manager on both devices; it provides the NETMAP target used in the firewall rules below.



Configuration scheme (the addresses used throughout this example):

  • RUT1: LAN 192.168.1.0/24, presented to RUT2 as the virtual subnet 192.168.3.0/24
  • RUT2: LAN 192.168.1.0/24, presented to RUT1 as the virtual subnet 192.168.4.0/24
  • The IPsec tunnel is negotiated between the virtual subnets 192.168.3.0/24 and 192.168.4.0/24; the tunnel endpoints in the lab output below are 192.168.2.124 (RUT1) and 192.168.2.145 (RUT2)

Router configuration

If you have familiarized yourself with the configuration scheme and have all of the devices in order, we can start configuring the routers using instructions provided in this section.

Basic tunnel


First of all, let’s configure a simple connection between two IPsec instances, i.e., RUT1 and RUT2.

RUT1 configuration


  1. Enable the instance.
  2. Remote endpoint: the address of the peer. Only one side of the tunnel needs it; in this example it is entered on RUT2, so the field may be left empty on RUT1.
  3. Enter the Pre shared key (a shared secret used to authenticate the peers; the value must match on both instances). It is the only credential protecting the tunnel, so use a long random value.
  4. Select Type: tunnel.
  5. Enter Local subnet: 192.168.3.0/24, the virtual subnet that RUT1's LAN is presented as. Do not enter the real LAN prefix 192.168.1.0/24 here; that is the prefix that overlaps with the other site.
  6. Enter Remote subnet: 192.168.4.0/24, the virtual subnet of RUT2.

RUT2 configuration


  1. Enable the instance.
  2. Enter Remote endpoint: the public IP address of RUT1 (the SIM with a public static or dynamic IP from the prerequisites).
  3. Enter the Pre shared key (the same value as on RUT1).
  4. Select Type: tunnel.
  5. Enter Local subnet: 192.168.4.0/24, the virtual subnet that RUT2's LAN is presented as, not the real 192.168.1.0/24.
  6. Enter Remote subnet: 192.168.3.0/24, the virtual subnet of RUT1.

Check IPsec tunnel status


If you've followed all the steps above, the tunnel configuration is complete. As with any configuration, test it before building on it: run swanctl --list-sas in the RUT CLI. You should see an ESTABLISHED IKE SA and, under it, an INSTALLED child SA whose local and remote selectors are the virtual subnets (192.168.3.0/24 and 192.168.4.0/24 from RUT1's point of view), not the real LAN prefix:

root@RUT1:~# swanctl --list-sas
Server: #7, ESTABLISHED, IKEv1, da0c8d300529bd5a_i 812482f852fb55b7_r*
  local  '192.168.2.124' @ 192.168.2.124[500]
  remote '192.168.2.145' @ 192.168.2.145[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 2409s ago, rekeying in 11816s
  Server_c: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1536
    installed 2408s ago, rekeying in 1017s, expires in 1555s
    in  c0795e33,      0 bytes,     0 packets
    out c7a0bca0,      0 bytes,     0 packets
    local  192.168.3.0/24
    remote 192.168.4.0/24
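
Rather than reading this listing by eye every time, the check can be scripted. The following POSIX shell helper is an added example, not Teltonika's code and not part of the original page: it reads swanctl --list-sas output and returns success only when the IKE SA is ESTABLISHED, a child SA is INSTALLED and its traffic selectors are exactly the expected virtual subnets, which catches the most common mistake in this setup (a child SA negotiated for the real 192.168.1.0/24 instead of the virtual prefix). It also lists legacy parameters in the negotiated proposal (IKEv1, SHA-1 based integrity and PRF, the 1536-bit DH group), which are worth replacing where both peers support IKEv2 and stronger groups. The fixture in sample_sas is the listing above, embedded as constructed sample data so the script runs offline; on a router you pipe the real command into check_tunnel instead. Function names are my own.

```sh
#!/bin/sh
# Added example: verify an IPsec tunnel from `swanctl --list-sas` output.
# Usage on RUT1:  swanctl --list-sas | check_tunnel 192.168.3.0/24 192.168.4.0/24
# Usage on RUT2:  swanctl --list-sas | check_tunnel 192.168.4.0/24 192.168.3.0/24

sample_sas() {
    # Constructed fixture: the listing from this page as RUT1 prints it.
    cat <<'EOF'
Server: #7, ESTABLISHED, IKEv1, da0c8d300529bd5a_i 812482f852fb55b7_r*
  local  '192.168.2.124' @ 192.168.2.124[500]
  remote '192.168.2.145' @ 192.168.2.145[500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  established 2409s ago, rekeying in 11816s
  Server_c: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_1536
    installed 2408s ago, rekeying in 1017s, expires in 1555s
    in  c0795e33,      0 bytes,     0 packets
    out c7a0bca0,      0 bytes,     0 packets
    local  192.168.3.0/24
    remote 192.168.4.0/24
EOF
}

check_tunnel() {
    # $1 = expected local traffic selector, $2 = expected remote traffic selector.
    # Reads the swanctl listing on stdin. Returns 0 only if the IKE SA is ESTABLISHED,
    # a child SA is INSTALLED and the child's selectors equal the expected prefixes.
    exp_local=$1 exp_remote=$2
    ike=0 child=0 in_child=0 ts_local='' ts_remote=''
    set -f                              # the IKE SPI line ends in '*': never glob it
    while IFS= read -r line; do
        case "$line" in
            *', ESTABLISHED,'*)       ike=1 ;;
            *', INSTALLED, TUNNEL,'*) child=1; in_child=1 ;;
        esac
        set -- $line                    # word-split: $1 is the key, $2 the value
        if [ "$in_child" -eq 1 ]; then  # selector lines follow the child SA header
            case "$1" in
                local)  ts_local=$2 ;;
                remote) ts_remote=$2 ;;
            esac
        fi
    done
    set +f
    printf 'IKE established=%s child installed=%s selectors=%s === %s\n' \
        "$ike" "$child" "${ts_local:-none}" "${ts_remote:-none}"
    [ "$ike" -eq 1 ] && [ "$child" -eq 1 ] &&
        [ "$ts_local" = "$exp_local" ] && [ "$ts_remote" = "$exp_remote" ]
}

proposal_warnings() {
    # Prints one line per legacy parameter found in the negotiated proposals.
    grep -o -E 'IKEv1|HMAC_SHA1_96|PRF_HMAC_SHA1|MODP_1024|MODP_1536|3DES' | sort -u |
    while IFS= read -r alg; do
        case "$alg" in
            IKEv1)  echo "IKEv1 in use; prefer IKEv2" ;;
            MODP_*) echo "$alg: DH group below 2048 bits; use MODP_2048 or larger, or an ECP group" ;;
            *SHA1*) echo "$alg: SHA-1 based integrity/PRF; prefer SHA-256 or AES-GCM" ;;
            3DES)   echo "3DES: legacy cipher; use AES" ;;
        esac
    done
}

# Run against the fixture when executed directly.
sample_sas | check_tunnel 192.168.3.0/24 192.168.4.0/24 && echo "tunnel OK"
sample_sas | proposal_warnings
```

Running the script against the fixture prints the selector summary, "tunnel OK" and four proposal warnings; calling check_tunnel with 192.168.1.0/24 as the expected local selector fails, which is the symptom you would see if the real LAN prefix had been entered in the Local subnet field.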

Firewall configuration

With the tunnel up, the LAN addresses still have to be mapped onto the virtual IPsec subnets; otherwise packets would leave the LAN with the overlapping 192.168.1.0/24 source, would not match the negotiated selectors and would never enter the tunnel. This is done with the iptables NETMAP target, a static 1:1 prefix translation that replaces the network part of an address and keeps the host part (the IPtables NAT extra package from the prerequisites provides it). Insert these iptables rules into WebUI -> Network -> Firewall -> Custom rules:

RUT1 Firewall configuration


iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.4.0/24 -j NETMAP --to 192.168.3.0/24
iptables -t nat -I PREROUTING -s 192.168.4.0/24 -j NETMAP --to 192.168.1.0/24

RUT2 Firewall configuration


iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.3.0/24 -j NETMAP --to 192.168.4.0/24
iptables -t nat -I PREROUTING -s 192.168.3.0/24 -j NETMAP --to 192.168.1.0/24

The POSTROUTING rule matches outgoing packets whose destination is the remote virtual subnet and rewrites their source from the real LAN address to the corresponding virtual address (on RUT1, 192.168.1.x becomes 192.168.3.x; on RUT2, 192.168.1.x becomes 192.168.4.x), so the peer never sees the overlapping prefix. The PREROUTING rule matches packets arriving from the remote virtual subnet and rewrites their destination from the local virtual address back to the real LAN address (on RUT1, 192.168.3.x becomes 192.168.1.x). Hosts therefore address the other site by its virtual prefix: a host behind RUT1 reaches the machine 192.168.1.20 behind RUT2 as 192.168.4.20, and a host behind RUT2 reaches 192.168.1.20 behind RUT1 as 192.168.3.20. The PREROUTING rule as written has no -d match; adding -d 192.168.3.0/24 on RUT1 and -d 192.168.4.0/24 on RUT2 limits it to packets actually addressed to the local virtual subnet and is a harmless tightening. After saving, confirm the rules are loaded with iptables -t nat -S POSTROUTING and iptables -t nat -S PREROUTING.
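
To see what these rules do to individual addresses, and to check an addressing plan before touching a router, the following POSIX shell helper (an added example, not Teltonika's code and not part of the original page) reimplements the NETMAP computation in shell arithmetic, checks that the real prefix and the two virtual prefixes are pairwise disjoint, generates the two custom rules for either router from the plan, and walks one packet from a host behind RUT1 to a host behind RUT2. netmap follows the documented semantics of the target: bits covered by the --to prefix come from the target network, the remaining host bits from the original address, so it also works for prefixes other than /24. The addresses are the ones used on this page; function names and the LAN/RUT1_VIRT/RUT2_VIRT constants are my own.

```sh
#!/bin/sh
# Added example: NETMAP address translation and sanity checks for the addressing plan.
LAN=192.168.1.0/24         # the prefix both sites use (this page's constants)
RUT1_VIRT=192.168.3.0/24   # how RUT1's LAN appears to RUT2
RUT2_VIRT=192.168.4.0/24   # how RUT2's LAN appears to RUT1

ip2int() {  # dotted quad -> unsigned 32-bit integer (subshell keeps the IFS change local)
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

int2ip() {  # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {  # prefix length -> netmask as an integer
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

in_net() {  # in_net ADDR NET/LEN : true if ADDR lies inside NET/LEN
    mask=$(prefix_mask "${2#*/}")
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

overlaps() {  # overlaps NET1/LEN1 NET2/LEN2 : true if the prefixes share any address
    if [ "${1#*/}" -le "${2#*/}" ]; then in_net "${2%/*}" "$1"; else in_net "${1%/*}" "$2"; fi
}

plan_ok() {  # plan_ok LAN VIRT1 VIRT2 : the real and both virtual prefixes must be disjoint
    ! overlaps "$1" "$2" && ! overlaps "$1" "$3" && ! overlaps "$2" "$3"
}

netmap() {  # netmap ADDR FROM_NET/LEN TO_NET/LEN : what `-j NETMAP --to TO_NET/LEN` does to ADDR
    in_net "$1" "$2" || { echo "netmap: $1 is not inside $2" >&2; return 1; }
    mask=$(prefix_mask "${3#*/}")
    # network bits come from the --to prefix, host bits from the original address
    int2ip $(( ($(ip2int "${3%/*}") & mask) | ($(ip2int "$1") & (4294967295 - mask)) ))
}

netmap_rules() {  # netmap_rules LAN VIRT_LOCAL VIRT_REMOTE : the two custom rules for one router
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j NETMAP --to %s\n' "$1" "$3" "$2"
    printf 'iptables -t nat -I PREROUTING -s %s -j NETMAP --to %s\n' "$3" "$1"
}

trace() {  # trace SENDER RECEIVER : one packet from a host behind RUT1 to a host behind RUT2
    dst_virt=$(netmap "$2" "$LAN" "$RUT2_VIRT")        # the address the sender must use
    src_virt=$(netmap "$1" "$LAN" "$RUT1_VIRT")        # RUT1 POSTROUTING rewrites the source
    dst_real=$(netmap "$dst_virt" "$RUT2_VIRT" "$LAN") # RUT2 PREROUTING rewrites the destination
    echo "host sends     $1 -> $dst_virt"
    echo "in the tunnel  $src_virt -> $dst_virt"
    echo "RUT2 delivers  $src_virt -> $dst_real"
}

plan_ok "$LAN" "$RUT1_VIRT" "$RUT2_VIRT" && echo "addressing plan: prefixes are disjoint"
echo "RUT1 rules:"; netmap_rules "$LAN" "$RUT1_VIRT" "$RUT2_VIRT"
echo "RUT2 rules:"; netmap_rules "$LAN" "$RUT2_VIRT" "$RUT1_VIRT"
trace 192.168.1.10 192.168.1.20
```

The generated rules are exactly the four lines shown above for RUT1 and RUT2, and the trace shows the same packet carrying 192.168.3.10 -> 192.168.4.20 inside the tunnel and 192.168.3.10 -> 192.168.1.20 on delivery. plan_ok is the check to run whenever you pick virtual prefixes for a new site pair: the failure mode this page solves is precisely two sites whose prefixes overlap, and choosing a virtual prefix that overlaps the real LAN would reintroduce it.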

Routing configuration


To reach the virtual addresses, routes must be configured under WebUI -> Network -> Routing -> Policy Based Routing.

Apply the following configuration on both devices so that the virtual addresses are reachable from the LAN:

RUT1 Routing Configuration

Add new instance:

  1. Enter ID: 123
  2. Enter New configuration name: Ipsec

Click Add, and in the new window make the following changes:

Static IPv4 Routes

Click Add and apply this to the route:

  1. Select Interface: lan | Enter Target: 192.168.4.0 | Enter IPv4-Netmask: 255.255.255.0 | Enter IPv4-Gateway: 192.168.1.1

Routing Rules for IPv4


Under the Routing Rules for IPv4 tab click Add and create a rule with these settings:

RUT1 Policy Rule

  1. Enter Priority: 1
  2. Lookup Table: Ipsec (123)

RUT2 Routing Configuration

Add new instance:

  1. Enter ID: 123
  2. Enter New configuration name: Ipsec

Click Add, and in the new window make the following changes:

Static IPv4 Routes

Click Add and apply this to the route:

  1. Select Interface: lan | Enter Target: 192.168.3.0 | Enter IPv4-Netmask: 255.255.255.0 | Enter IPv4-Gateway: 192.168.1.1

Routing Rules for IPv4


Under the Routing Rules for IPv4 tab click Add and create a rule with these settings:

RUT2 Policy Rule

  1. Enter Priority: 1
  2. Lookup Table: Ipsec (123)

Connectivity testing


Send ping requests from a LAN host to the virtual addresses of the remote site: from a host behind RUT1 ping an address in 192.168.4.0/24, from a host behind RUT2 ping an address in 192.168.3.0/24. The screenshot for each router shows the replies.

RUT1


RUT2
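
A ping reply shows that traffic flows, but not that the NETMAP rules are the thing carrying it. On the router, the connection tracking table records both tuples of every flow, so the translation is directly visible: on RUT1 the original tuple of a ping from 192.168.1.10 to 192.168.4.20 has a reply tuple whose destination is 192.168.3.10, the virtual address the source was rewritten to. The following helper is an added example, not Teltonika's code and not part of the original page: it reads conntrack -L output (or /proc/net/nf_conntrack, which carries the same src=/dst= tokens where that file exists), ignores flows not addressed to the remote virtual subnet, and reports every tunnel flow whose source was not rewritten into the local virtual subnet. It assumes /24 prefixes as on this page; the two sample tables are constructed fixtures, and the function names are my own.

```sh
#!/bin/sh
# Added example: confirm from the conntrack table that NETMAP rewrote tunnel traffic.
# Usage on RUT1:  conntrack -L 2>/dev/null | netmap_evidence 192.168.3 192.168.4
#            or:  netmap_evidence 192.168.3 192.168.4 < /proc/net/nf_conntrack
# Usage on RUT2:  conntrack -L 2>/dev/null | netmap_evidence 192.168.4 192.168.3

sample_conntrack() {
    # Constructed fixture in conntrack-tools format: one ping through the tunnel from
    # 192.168.1.10 to the virtual address 192.168.4.20 (correctly translated), and an
    # unrelated HTTPS flow to the Internet that must be ignored.
    cat <<'EOF'
icmp     1 29 src=192.168.1.10 dst=192.168.4.20 type=8 code=0 id=1337 src=192.168.4.20 dst=192.168.3.10 type=0 code=0 id=1337 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.11 dst=203.0.113.5 sport=52144 dport=443 src=203.0.113.5 dst=192.168.2.124 sport=443 dport=52144 [ASSURED] mark=0 use=1
EOF
}

sample_conntrack_broken() {
    # Constructed fixture for the failure mode: the POSTROUTING rule is missing, so the
    # reply tuple still points at the real LAN address and the packet left the router
    # with the overlapping 192.168.1.0/24 source.
    cat <<'EOF'
icmp     1 29 src=192.168.1.10 dst=192.168.4.20 type=8 code=0 id=1338 src=192.168.4.20 dst=192.168.1.10 type=0 code=0 id=1338 mark=0 use=1
EOF
}

netmap_evidence() {
    # $1 = local virtual /24 prefix (three octets), $2 = remote virtual /24 prefix.
    # Reads conntrack entries on stdin; prints ok/bad counts and returns 0 if every
    # flow towards the remote virtual subnet had its source mapped into the local one.
    awk -v vl="$1" -v vr="$2" '
    BEGIN { ok = 0; bad = 0 }
    {
        n = 0
        for (i = 1; i <= NF; i++) {          # first src=/dst= pair is the original
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }   # direction, the second
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }        # pair is the reply
        }
        if (index(dst[1], vr ".") != 1) next # not tunnel traffic: ignore
        split(src[1], o, ".")
        if (dst[2] == vl "." o[4]) ok++      # reply returns to the virtual address
        else { bad++; print "untranslated: " $0 }
    }
    END { printf "ok=%d bad=%d\n", ok, bad; exit (bad > 0) }'
}

sample_conntrack | netmap_evidence 192.168.3 192.168.4
```

On a healthy RUT1 every flow towards 192.168.4.0/24 counts as ok; an "untranslated" line means the POSTROUTING rule did not apply to that flow, typically because the custom rules were not loaded or a rule with a different source subnet matched first, and the peer is receiving packets from the overlapping prefix.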