IPsec Site-to-Site using PC 2nd IP Address

Working to establish an IPsec site-to-site VPN. The local network is 192.168.0.x behind a Cisco RV130W, and the far end has a Cisco NSA 2600 and also has a pre-existing VPN with the 192.168.0.x subnet. The tunnel needs to support a single host on each end.

Is it possible to assign a 2nd IP Address to the PC in my network, say 10.10.20.2, and use this for the VPN?
Cavett Otis, IT/PACS Manager, asked:

John, Business Consultant (Owner), commented:
I do not think so. This is a long-standing evergreen question in EE. You need to change the subnet at one end. I have walked in these shoes, do this and have similar RVxx VPN routers as you do.
noci, Software Engineer, commented:
Not easy and it will haunt you (transport mode tunnel, and NAT, etc. etc.).
The result would be mediocre as well, as RPC and likewise protocols will always give trouble.

So best would be to change one side of the connections.
N. Spears, Sr.Net.Eng, commented:
Are you talking about 1 PC on each end or 1 PC on one end? What is the PC used for?
Benjamin Van Ditmars, Sr Network Engineer, commented:
If you have one host remote, just NAT on the VPN tunnel. We do NAT on every VPN, and it works without any problem.
N. Spears, Sr.Net.Eng, commented:
Exactly @Benjamin. I was going to lead to the same thing. This is done all the time. Overlapping RFC 1918 space is just too common of an occurrence these days.
Benjamin Van Ditmars, Sr Network Engineer, commented:
Thanks Soulja, changing a network is just the easy answer, but you can't tell your customer to renumber its network. I hope the RV series can NAT on the VPN; I have no experience with this kind of small business device. The SonicWall can. I will look if I can find some doc.
N. Spears, Sr.Net.Eng, commented:
I agree Benjamin. In the hundreds of implementations I have done peering customers with service providers, I have never seen an instance where a customer re-addressed their environment in order to peer with or access remote resources.
Benjamin Van Ditmars, Sr Network Engineer, commented:
This is what you have to build to get this working:
[Attached diagram: ipsec-nat.png]
If side A wants to connect to side B, connect to 10.0.2.x (one-to-one NAT 192.168.1.0/24 to 10.0.1.0/24),
and the other way they connect to 10.0.1.x (one-to-one NAT 192.168.1.0/24 to 10.0.1.0/24).
N. Spears, Sr.Net.Eng, commented:
@Benjamin

In this situation, I wouldn't even do the entire /24. Since he only wants 1 PC, I would just present a /32. That's why I asked if it's "one pc on each end or 1 pc on each end". If 1 PC on one end, present a NATted /24 on side and a /32 for the PC on the other side. If 1 PC on each side, present a /32 from each side.
Benjamin Van Ditmars, Sr Network Engineer, commented:
@Soulja, it was just an example to make it clear to the owner how it looks in a diagram.
Now we have to wait to see if he wants to do this. When he wants to, then we can help him with the configuration.
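
An added example, not part of the thread and not device configuration: a Python check of the address plan discussed above, confirming that the presented (NATted) ranges are one-to-one and do not collide with either real LAN, then mapping a host through the translation. It assumes side A is presented as 10.0.1.0/24 and side B as 10.0.2.0/24; the host addresses 192.168.1.25 and 192.168.0.50 are constructed.

```python
import ipaddress

def check_plan(real_a, real_b, nat_a, nat_b):
    """Return problems with a NAT-over-VPN address plan (empty list = usable)."""
    ra, rb, na, nb = (ipaddress.ip_network(n) for n in (real_a, real_b, nat_a, nat_b))
    problems = []
    # One-to-one NAT needs the real and presented ranges to be the same size.
    for side, real, nat in (("A", ra, na), ("B", rb, nb)):
        if real.prefixlen != nat.prefixlen:
            problems.append(f"side {side}: {real} -> {nat} is not one-to-one")
    # Presented ranges are what the tunnel selectors carry; they must be unique.
    if na.overlaps(nb):
        problems.append(f"presented ranges {na} and {nb} overlap")
    # A presented range that collides with a real LAN recreates the overlap.
    for nat in (na, nb):
        for lan in sorted({ra, rb}):
            if nat.overlaps(lan):
                problems.append(f"presented range {nat} overlaps real LAN {lan}")
    return problems

def translate(addr, src_net, dst_net):
    """One-to-one NAT: keep the host offset, swap the network prefix."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("ranges must be the same size for one-to-one NAT")
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

if __name__ == "__main__":
    # Both sites really use 192.168.1.0/24 (numbers from the diagram comment).
    print(check_plan("192.168.1.0/24", "192.168.1.0/24", "10.0.1.0/24", "10.0.2.0/24"))
    # Outbound from side A: source is rewritten before it enters the tunnel.
    print(translate("192.168.1.25", "192.168.1.0/24", "10.0.1.0/24"))
    # Inbound on side B: destination 10.0.2.25 is rewritten back to the real host.
    print(translate("10.0.2.25", "10.0.2.0/24", "192.168.1.0/24"))
    # Single-host variant: present only a /32 (10.10.20.2 is from the question).
    print(translate("192.168.0.50", "192.168.0.50/32", "10.10.20.2/32"))
```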