IPsec Site-to-Site using PC 2nd IP Address

Cavett Otis asked:
Working to establish an IPsec site-to-site VPN. The local network is 192.168.0.x behind a Cisco RV130W; the far end has a Cisco NSA 2600 and also has a pre-existing VPN with the 192.168.0.x subnet. The tunnel needs to support a single host on each end.

Is it possible to assign a second IP address to the PC in my network, say 10.10.20.2, and use this for the VPN?
John (Business Consultant, Owner) commented:
I do not think so. This is a long-standing evergreen question on EE. You need to change the subnet at one end. I have walked in these shoes, do this, and have similar RVxx VPN routers to yours.
noci (Software Engineer) commented:
Not easy, and it will haunt you (transport-mode tunnel, NAT, etc.).
The result would be mediocre as well, as RPC and similar protocols will always give trouble.

So the best option would be to change one side of the connection.
Soulja (Sr. Net. Eng.) commented:
Are you talking about 1 PC on each end or 1 PC on one end? What is the PC used for?

Benjamin commented:
If you have one remote host, just NAT on the VPN tunnel. We do NAT on every VPN, and it works without any problem.
Soulja (Sr. Net. Eng.) commented:
Exactly, @Benjamin. I was going to lead to the same thing. This is done all the time. Overlapping RFC 1918 space is just too common an occurrence these days.

Benjamin commented:
Thanks, Soulja. Changing a network is just the easy answer, but you can't tell your customer to renumber its network. I hope the RV series can NAT on the VPN; I have no experience with this kind of small business device. The SonicWall can. I will look to see if I can find some documentation.
Soulja (Sr. Net. Eng.) commented:
I agree, Benjamin. In the hundreds of implementations I have done peering customers with service providers, I have never seen an instance where a customer re-addressed their environment in order to peer with or access remote resources.

Benjamin commented:
This is what you have to build to get this working:
[diagram: ipsec-nat.png]
If side A wants to connect to side B, it connects to 10.0.2.x (one-to-one NAT 192.168.1.0/24 to 10.0.1.0/24), and the other way they connect to 10.0.1.x (one-to-one NAT 192.168.1.0/24 to 10.0.1.0/24).
Soulja (Sr. Net. Eng.) commented:
@Benjamin

In this situation, I wouldn't even do the entire /24, since he only wants 1 PC. I would just present a /32. That's why I asked if it's "one PC on each end or 1 PC on each end". If 1 PC on one end, present a NATted /24 on that side and a /32 for the PC on the other side. If 1 PC on each side, present a /32 from each side.

Benjamin commented:
@Soulja, it was just an example to make it clear to the owner how it looks in a diagram.
Now we have to wait and see if he wants to do this. When he does, we can help him with the configuration.
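Editor's worked example (added here; it is not code from the thread and does not reproduce any Cisco RV or SonicWall configuration syntax): a small model of the one-to-one NAT design in Benjamin's diagram and of Soulja's /32 variant, using the diagram's 192.168.1.0/24 on both sides and constructed NAT ranges (10.0.1.0/24, 10.0.2.0/24, and the asker's 10.10.20.2 plus a made-up 10.10.30.2 for the far PC). The `Site`, `design_problems`, `phase2_selectors`, `send` and `round_trip` names are the example's own. It shows the two points the thread leaves implicit: the phase-2 traffic selectors on both gateways must list the translated ranges, never the real 192.168.1.0/24, and a host must address the far side by its translated address or the packet never matches the tunnel policy.

```python
"""Added example, not from the original thread: one-to-one NAT across an
IPsec tunnel between two LANs that both use 192.168.1.0/24. All addresses,
names and the /32 pair are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Site:
    name: str
    real: IPv4Network        # addresses the hosts actually carry
    translated: IPv4Network  # addresses the far side sees through the tunnel

    def __post_init__(self) -> None:
        # 1:1 NAT keeps the host bits, so both ranges must be the same size.
        if self.real.prefixlen != self.translated.prefixlen:
            raise ValueError(f"{self.name}: real and translated prefix lengths differ")

    def _map(self, addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        if addr not in src:
            raise ValueError(f"{self.name}: {addr} is not in {src}")
        host_bits = int(addr) - int(src.network_address)
        return IPv4Address(int(dst.network_address) + host_bits)

    def outbound(self, addr: IPv4Address) -> IPv4Address:  # real -> translated
        return self._map(addr, self.real, self.translated)

    def inbound(self, addr: IPv4Address) -> IPv4Address:   # translated -> real
        return self._map(addr, self.translated, self.real)


def design_problems(a: Site, b: Site) -> list:
    """Reasons a NAT plan cannot work; an empty list means the plan is consistent."""
    problems = []
    if a.translated.overlaps(b.translated):
        problems.append("translated ranges overlap each other")
    for x, y in ((a, b), (b, a)):
        if x.translated.overlaps(y.real):
            problems.append(f"{x.name} translated range collides with {y.name} real LAN")
    return problems


def phase2_selectors(a: Site, b: Site) -> dict:
    """Phase-2 traffic selectors (proxy IDs) each gateway must configure.
    Only translated ranges appear; the duplicate real LAN never enters the policy."""
    return {
        a.name: {"local": str(a.translated), "remote": str(b.translated)},
        b.name: {"local": str(b.translated), "remote": str(a.translated)},
    }


def send(src_site: Site, dst_site: Site, src_real: str, dst_translated: str) -> tuple:
    """Walk one packet from a host at src_site to a host at dst_site.
    Returns the (source, destination) pair the receiving host actually sees."""
    src = IPv4Address(src_real)
    dst = IPv4Address(dst_translated)
    src_nat = src_site.outbound(src)          # egress NAT, before encryption
    # Traffic that does not match the phase-2 selectors is dropped, not tunnelled.
    if src_nat not in src_site.translated or dst not in dst_site.translated:
        raise ValueError("packet does not match tunnel selectors")
    dst_real = dst_site.inbound(dst)          # ingress NAT, after decryption
    return str(src_nat), str(dst_real)


def round_trip(a: Site, b: Site, host_a: str, host_b: str) -> dict:
    """Request from host_a to host_b and the reply, through both NATs."""
    b_target = str(b.outbound(IPv4Address(host_b)))   # how A must name the B host
    seen_by_b = send(a, b, host_a, b_target)
    seen_by_a = send(b, a, host_b, seen_by_b[0])      # B replies to the NATted source
    return {"request_seen_by_b": seen_by_b, "reply_seen_by_a": seen_by_a}


# Constructed scenario from the diagram: both LANs are 192.168.1.0/24.
SITE_A = Site("A", IPv4Network("192.168.1.0/24"), IPv4Network("10.0.1.0/24"))
SITE_B = Site("B", IPv4Network("192.168.1.0/24"), IPv4Network("10.0.2.0/24"))
# The /32 variant: present a single PC per side (10.10.30.2 is made up).
PC_A = Site("A-pc", IPv4Network("192.168.1.10/32"), IPv4Network("10.10.20.2/32"))
PC_B = Site("B-pc", IPv4Network("192.168.1.20/32"), IPv4Network("10.10.30.2/32"))

if __name__ == "__main__":
    print(design_problems(SITE_A, SITE_B))
    print(phase2_selectors(SITE_A, SITE_B))
    print(round_trip(SITE_A, SITE_B, "192.168.1.10", "192.168.1.20"))
    print(round_trip(PC_A, PC_B, "192.168.1.10", "192.168.1.20"))
```

On a real gateway the `outbound`/`inbound` pair is the "NAT over VPN" or policy-NAT rule and `phase2_selectors` is the local/remote network pair in the tunnel's phase-2 settings. The model only rewrites IP headers; as noci notes, protocols that carry addresses inside their payload (RPC and the like) still see the untranslated 192.168.1.x and will misbehave, which is the caveat to keep in mind before choosing NAT over renumbering.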
