• Status: Solved
  • Priority: Medium
  • Security: Public

Connect to remote site through BOVPN tunnel between 2 Fireboxes (x550e and x750e) on same subnet

I have 2 sites that I am trying to connect via a BOVPN tunnel between our 2 Fireboxes with the same trusted internal networks.  Settings are:
Site A:
Firebox x750e Fireware 11.4.3
IP: 192.168.0.1
Network:  192.168.0.0/16

Site B:
Firebox x550e Fireware 11.4.3
IP:  192.168.0.2
Network:  192.168.0.0/16

Site A is our production environment and Site B is a Disaster Recovery Site.  The tunnel is primarily set up to allow our production SAN (192.168.7.50) to replicate to the DR SAN (192.168.7.51).  The replication is currently working locally but we are now moving it to the DR site.  We have a PC set up on the DR side (192.168.7.11), as well.  

I have configured the gateway and tunnel, but the tunnel shows as inactive.  I have tried various configurations, including enabling 1-to-1 NAT on the tunnel, but still cannot get the 2 sides to communicate.  I know this is because of the same internal network settings, because if I reconfigure the DR to use 10.0.0.0/16, the tunnel works fine.  We need to have the same internal networking, though.  

Any ideas?
Asked by: Jackson_Campbell
dpk_wal commented:
You cannot have the same IP subnet on both sides of the tunnel, period.

Now, if it is not feasible to change the IP subnet on one end, we would configure NAT over IPSec: say site A would do source NAT over IPSec and send all packets out as 172.16.x.x/16; site B would not need to do any NAT and would always see the incoming traffic from 172.16.x.x. IMO this still does not solve your initial need that you MUST have the same IP subnets on both ends.

If you can do NAT over IPSec, you can very well change one site to 10.0.0.0/16 as you know already works.

Thank you.
Jackson_Campbell (Manager of Information Systems, Author) commented:
I have it worked out.  I set up 1-to-1 NAT on both sides of the tunnel.
Site A:
Local - 192.168.0.0/16
Remote - 10.20.0.0/16
1-to-1 NAT - 10.10.0.0/16
Site B:
Local - 192.168.0.0/16
Remote - 10.10.0.0/16
1-to-1 NAT - 10.20.0.0/16

I just have to reconfigure our replication settings so that our SAN on Site A (192.168.7.50) communicates with the SAN on Site B (192.168.7.51) using 10.20.7.51, and using 10.10.7.50 going the other way.  This solves our issue of needing to keep the subnets intact on both sides, since just a simple replication configuration change is needed.

Thanks for the information!
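The two answers above describe the same trick from two angles: dpk_wal's one-sided source NAT over IPsec, and the author's symmetric 1-to-1 NAT with the 10.10.0.0/16 and 10.20.0.0/16 ranges. The following Python model (an added example, not part of the thread and not Fireware configuration syntax) encodes both and shows why they work: it checks the rule that the address ranges seen inside the tunnel must not overlap, and it traces one packet each way between the two SANs, applying the outbound 1-to-1 translation at the sending Firebox and the inbound translation at the receiving one. The `TunnelSide`, `check_tunnel`, `translate` and `trace_packet` names are the example's own, and the 1-to-1 NAT is assumed to keep the host bits and swap only the /16 prefix, which is what the author's 10.20.7.51 / 10.10.7.50 addressing implies.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class TunnelSide:
    """One BOVPN endpoint (hypothetical model, not a Fireware object)."""
    name: str
    local: IPv4Network            # real addresses behind this Firebox
    remote: IPv4Network           # what this side believes the peer's hosts look like
    nat: Optional[IPv4Network] = None  # 1-to-1 NAT range shown to the peer; None = no NAT

    @property
    def tunnel_net(self) -> IPv4Network:
        """The prefix this side's hosts occupy on the wire inside the tunnel."""
        return self.nat or self.local


def net(s: str) -> IPv4Network:
    return ipaddress.ip_network(s)


# The author's working configuration (values from the thread).
SITE_A = TunnelSide("SiteA", net("192.168.0.0/16"), net("10.20.0.0/16"), net("10.10.0.0/16"))
SITE_B = TunnelSide("SiteB", net("192.168.0.0/16"), net("10.10.0.0/16"), net("10.20.0.0/16"))

# The original, non-working attempt: identical /16 on both ends and no NAT.
NO_NAT_A = TunnelSide("SiteA", net("192.168.0.0/16"), net("192.168.0.0/16"))
NO_NAT_B = TunnelSide("SiteB", net("192.168.0.0/16"), net("192.168.0.0/16"))


def check_tunnel(a: TunnelSide, b: TunnelSide) -> list:
    """Return configuration problems; an empty list means the tunnel can be built."""
    problems = []
    # Inside the tunnel each end must own a distinct prefix, otherwise neither
    # Firebox can decide which side a destination address belongs to.
    if a.tunnel_net.overlaps(b.tunnel_net):
        problems.append(f"tunnel ranges overlap: {a.tunnel_net} vs {b.tunnel_net}")
    for side, peer in ((a, b), (b, a)):
        if side.remote != peer.tunnel_net:
            problems.append(f"{side.name}: remote {side.remote} != peer's tunnel range {peer.tunnel_net}")
        if side.remote.overlaps(side.local):
            problems.append(f"{side.name}: remote {side.remote} overlaps local {side.local}")
        if side.nat is not None and side.nat.overlaps(side.local):
            problems.append(f"{side.name}: NAT range {side.nat} overlaps local {side.local}")
    return problems


def translate(addr: str, src_net: IPv4Network, dst_net: IPv4Network) -> str:
    """1-to-1 NAT: keep the host bits, replace the network prefix."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net or src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"{ip} is not in {src_net} or prefix lengths differ")
    host_bits = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))


def trace_packet(src_host: str, dst_addr: str, src: TunnelSide, dst: TunnelSide) -> dict:
    """Follow one packet from a real host behind `src` to the address it dials."""
    if ipaddress.ip_address(dst_addr) not in src.remote:
        raise ValueError(f"{dst_addr} is not in {src.name}'s remote range; not routed into the tunnel")
    # Outbound at the sending Firebox: real source -> this side's NAT address.
    tunnel_src = translate(src_host, src.local, src.nat) if src.nat else src_host
    # Inbound at the receiving Firebox: NAT destination -> real host.
    delivered_dst = translate(dst_addr, dst.nat, dst.local) if dst.nat else dst_addr
    return {"tunnel_src": tunnel_src, "tunnel_dst": dst_addr,
            "delivered_src": tunnel_src, "delivered_dst": delivered_dst}


if __name__ == "__main__":
    print("no NAT:", check_tunnel(NO_NAT_A, NO_NAT_B))
    print("1-to-1 NAT:", check_tunnel(SITE_A, SITE_B) or "ok")
    print("A -> B:", trace_packet("192.168.7.50", "10.20.7.51", SITE_A, SITE_B))
    print("B -> A:", trace_packet("192.168.7.51", "10.10.7.50", SITE_B, SITE_A))
```

The trace makes the replication change concrete: the Site A SAN dials 10.20.7.51, leaves its Firebox as 10.10.7.50, and arrives at 192.168.7.51 with a source of 10.10.7.50, which is exactly the address the Site B SAN must be told to reply to. It also shows the caveat with a whole-/16 mapping: every host on each side is reachable from the other under its translated address, so any tunnel policy should be narrowed to the SAN pair rather than the full ranges.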