Overlapping destination subnets over IPSEC

Miroslaw_Iwanowski — Sun, 20 Dec 2020 19:52:09 GMT

Hello,

I have following scenario. I have a two IPSEC connections to Oracle Cloud. The destination IP range is the same on both networks.

IPSEC A - dest IP range 10.1.6.0/24, security zone Oracle1

IPSEC B - dest IP range 10.1.6.0/24, security zone Oracle 2

LAN - 192.168.0.1/24

Static routing:

10.1.6.0/24 to IPSECA

10.1.7.0/24 to IPSECB

I have created a:

DNAT - from LAN to Oracle2, static DNAT - 10.1.6.0/24

SNAT - from Oracle2 to LAN, static SNAT - 10.1.7.0/24

Users will open for example 10.1.7.1 and it should be directed to IPSECB and NAT should change destination address to 10.1.6.1.

The problem I am facing is that PA does routing twice pre and post NAT. Post NAT routing directs pocket to IPSECA as the destination address is already NATed to 10.1.6.1.

Is there a way to make it working correctly? I cannot do any changes on Oracle side - I only control my PA.

Re: Overlapping destination subnets over IPSEC

SutareMayur — Mon, 21 Dec 2020 09:08:36 GMT

Hi @Miroslaw_Iwanowski ,

Here for IPSEC-A as well as IPSEC-B (post DNAT), the destination is going to be from 10.1.6.x so anyhow it is going to match the static route which will have lowest matric. And in your case, it seems to be IPSEC-A tunnel interface. So in both cases, it will match IPSEC-A tunnel interface and firewall will forward traffic accordingly. Also it seems you have same set of source segment who need access to those resources otherwise PBF would be the option in case you have different source IP addresses accessing same destinations.

topic Re: Overlapping destination subnets over IPSEC in General Topics

Overlapping destination subnets over IPSEC

Re: Overlapping destination subnets over IPSEC