BOVPN with same LAN Subnet

Hi,

We are currently working with another company that wants us to configure a BOVPN to communicate two servers. We encountered the problem that their subnet is the same as one of the subnets used on our network.

Our Local Server: 10.0.9.17/32
Their Remote Server: 10.0.1.131/32 (we use that subnet on our network)

On the phase2 I'm configuring the local and remote as hosts and I've been looking into the NAT on the phase2, and was thinking of giving them our local server as 192.168.150.17/32 and their server as 192.168.250.131/32.

Would this work?

Is there anything else I need to do?

Do they have to do something on their end?

Thanks!

Comments

  • For the standard BOVPN setup, you specify the public IP addrs of the BOVPN endpoints in the Gateway setup, and specify the local & remote IPs/subnets in the BOVPN Tunnel settings.

    Look at the 1-to-1 NAT BOVPN option.

    Configure 1-to-1 NAT Through a Branch Office VPN Tunnel
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_use_1to1_nat_c.html

  • Thanks, I've followed the manual you posted and it seems fine.

  • edited January 2022

    Hi, the tunnel is UP (both phases) but we cannot ping nor establish any communication. I spent so much time looking at this and I'm getting a bit stuck right now.

    I leave some screenshots of the configuration I made

    Configuration:
    REDACTED

    Can you see anything wrong on our end? On the other end there's a Fortigate I have no access to.

    Thanks!

  • Is the Fortinet end also doing 1-to-1 NAT on their tunnel setup?
    It needs to for this to work.

  • Also:
    . you need 2 BOVPN policies
    - one for outgoing sessions - from your real IP addr to their NATed IP addr
    - one for incoming sessions - from their NATed IP addr to your real IP addr
    . turn on Logging on these policies so that you can see any traffic allowed by them in Traffic Monitor

  • @Bruce_Briggs said:
    Is the Fortinet end also doing 1-to-1 NAT on their tunnel setup?
    It needs to for this to work.

    Yes, they told me that they are doing a NAT on their end.

    @Bruce_Briggs said:
    Also:
    . you need 2 BOVPN policies
    - one for outgoing sessions - from your real IP addr to their NATed IP addr
    - one for incoming sessions - from their NATed IP addr to your real IP addr
    . turn on Logging on these policies so that you can see any traffic allowed by them in Traffic Monitor

    I have two policies created as you can see on the pictures, one for outgoing, from my real IP address to the tunnel and one from the tunnel to my real IP address

    On the traffic monitor I can see the traffic being accepted

    2022-01-27 22:18:08 Member1 Allow 10.0.9.17 192.168.250.131 icmp Trusted tunnel.REMOTE Allowed 92 15 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="192.168.150.17"

    But still the ping is not working.

    I'm totally stuck with this, tried everything but it doesn't work. I just wanna be sure that I have everything set up correctly before saying it to all the parties involved.

    Thanks!

  • You 1st said:
    Our Local Server: 192.168.5.17/32

    However, your Tunnel route has: 10.0.9.7

    ???

  • @Bruce_Briggs said:
    You 1st said:
    Our Local Server: 192.168.5.17/32

    However, your Tunnel route has: 10.0.9.7

    ???

    My mistake... Edited the first post clarifying everything.

    Local server: 10.0.9.17/32
    Remote server: 10.0.1.131/32

    NAT Local server: 192.168.150.17
    NAT Remote server: 192.168.250.131/32

    Also, you can see the screenshots what the configuration is.

    Sorry for the confusion.

    Thanks!

  • Verify that the other end has the correct IP addrs, in case of typos sent to them.

    Make sure that the other end is doing 1-to-1 NAT, not just 1 way NAT.

    Ask them for what they see in their logs for packets from your end.

  • @Bruce_Briggs said:
    Verify that the other end has the correct IP addrs, in case of typos sent to them.

    Make sure that the other end is doing 1-to-1 NAT, not just 1 way NAT.

    Ask them for what they see in their logs for packets from your end.

    They told me that they don't see anything on their logs, that they see their traffic leave their Fortigate, but nothing coming in. I also opened a support ticket with Watchguard to see if they can help.

    Do I have to create anything else other than the BOVPN and the two policies?

    Do you see everything correct on my end?

    Thanks!

  • Hi Bruce,

    Everything is working now. I had to create an Alias for the NATed IP and add it to the policy.

    Thanks for the help.
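As an added illustration (not code from the thread, from WatchGuard or from Fortinet), the Python below models the 1-to-1 NAT round trip Bruce describes, the "only one-way NAT on the far end" failure mode he warns about, and a check of the Traffic Monitor line posted above. The addresses are the ones given in the thread; how the remote Fortigate translates is an assumption modelled by the two functions.

```python
import re

# Real/NATed pairs as stated in the thread (the asker's chosen NAT addresses).
LOCAL_REAL, LOCAL_NAT = "10.0.9.17", "192.168.150.17"
REMOTE_REAL, REMOTE_NAT = "10.0.1.131", "192.168.250.131"

# Traffic Monitor line quoted in the thread.
LOG_LINE = ('2022-01-27 22:18:08 Member1 Allow 10.0.9.17 192.168.250.131 icmp '
            'Trusted tunnel.REMOTE Allowed 92 15 (Ping-00) proc_id="firewall" '
            'rc="100" msg_id="3000-0148" src_ip_nat="192.168.150.17"')

def one_to_one(pkt, mapping):
    """Bidirectional 1-to-1 NAT: real->NATed on the source, NATed->real on the
    destination. `mapping` is {real_ip: nat_ip} for the hosts behind this firewall."""
    nat_to_real = {v: k for k, v in mapping.items()}
    src, dst = pkt
    return (mapping.get(src, src), nat_to_real.get(dst, dst))

def source_only(pkt, mapping):
    """Assumed failure mode: the far end only rewrites the source of its own
    outbound traffic and never maps the NATed destination back to the real host."""
    src, dst = pkt
    return (mapping.get(src, src), dst)

def round_trip(remote_nat_fn):
    """Ping from LOCAL_REAL to REMOTE_NAT through both firewalls and back.
    Returns ((src, dst) seen by the remote server, (src, dst) of the reply seen
    by the local server), or None if the request lands on an address nobody owns."""
    local_map = {LOCAL_REAL: LOCAL_NAT}
    remote_map = {REMOTE_REAL: REMOTE_NAT}
    on_tunnel = one_to_one((LOCAL_REAL, REMOTE_NAT), local_map)   # our Firebox
    at_remote = remote_nat_fn(on_tunnel, remote_map)              # their firewall
    if at_remote[1] != REMOTE_REAL:
        return None  # dst is still 192.168.250.131: no such host, ping dies silently
    reply = remote_nat_fn((REMOTE_REAL, at_remote[0]), remote_map)
    return at_remote, one_to_one(reply, local_map)

LOG_RE = re.compile(r'Allow (\S+) (\S+) \w+ .*src_ip_nat="([^"]+)"')

def check_log(line):
    """True if a Traffic Monitor line shows the expected outbound translation:
    real local source, NATed remote destination, source rewritten to LOCAL_NAT."""
    m = LOG_RE.search(line)
    return bool(m) and m.groups() == (LOCAL_REAL, REMOTE_NAT, LOCAL_NAT)

if __name__ == "__main__":
    print("both ends 1-to-1:", round_trip(one_to_one))
    print("remote source-only:", round_trip(source_only))
    print("log line consistent:", check_log(LOG_LINE))
```

The log line alone only proves the local Firebox is translating correctly; the `None` result for the source-only case is why the far end must also map the NATed destination, as Bruce points out.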
