IPsec Tunnel between two Vigor Routers with the same IP subnet
Assume Vigor2925 A is in the head office and Vigor2925 B is in the branch office, and both use the same LAN network 192.168.1.0/255.255.255.0. The network administrator wants to create an IPsec LAN to LAN VPN between the two offices without changing the local network settings. The examples below show how to use the IPsec Same Subnet feature to achieve this.
(For Vigor3900 and Vigor2960, please refer to the article here)
Configuring Vigor2925 A in Head Office
1. Go to VPN and Remote Access >> LAN to LAN >> Profile Index 1, then configure Common Settings:
- Check Enable this profile.
- Select Dial-In for Call Direction.
- Input 0 for Idle Timeout. (0 means no idle timeout, so the server won't disconnect the VPN tunnel even when no packets are passing.)
2. Configure Dial-In Settings as follows:
- Select only IPsec Tunnel for Allowed Dial-in Type.
- Select Specify Remote VPN Gateway, then input Peer ID as branch1. (The Peer ID should be the same as the Local ID configured on the Vigor2925 B in the branch office.)
- Click the IKE Pre-Shared Key button, then input the Pre-Shared Key.
3. Configure TCP/IP Network Settings. Since the Vigor2925 routers in the two offices use the same LAN network 192.168.1.0/255.255.255.0, to create an IPsec VPN connection we need to translate the local network in the head office into 192.168.129.0/255.255.255.0 and the local network in the branch office into 192.168.11.0/255.255.255.0.
- Enable IPsec VPN with the Same Subnets option.
- Select Whole Subnet for the Translated Type.
(Note: "Whole Subnet" means the Vigor2925 translates every IP address in the network automatically. For example, local IP 192.168.1.10 will be translated to 192.168.11.10, local IP 192.168.1.11 will be translated to 192.168.11.11, and so on. "Specific IP Address" means the Vigor2925 only translates the specific IP addresses that the network administrator manually added to the Virtual IP Mapping table.)
- Input Remote Network IP as 192.168.11.0 (It is the Translated Network IP of the Vigor2925 B in the branch office)
- Input 192.168.129.0 as the Translated Local Network IP.
- Apply the settings.
Configuring the Vigor2925 B in Branch Office
1. Go to VPN and Remote Access >> LAN to LAN >> Profile Index 1, then configure Common Settings:
- Check Enable this profile.
- Select Dial-Out for Call Direction.
- Check Always on.
- Select a WAN for VPN Dial-Out Through.
2. Configure Dial-Out Settings:
- Select IPsec Tunnel for the type of Server I am calling.
- Input VPN Server IP (It is the WAN IP of the Vigor2925 in the head office)
- Click IKE Pre-Shared Key button then input the Key.
- Select High(ESP) for IPsec Security Method.
- Click Advanced button.
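- Check Aggressive mode in IKE advanced settings. (Aggressive mode exchanges the IDs unencrypted and is more exposed to offline guessing of the Pre-Shared Key than main mode, so use a long, random key.)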
- Input Local ID as branch1. (It should be the same as Peer ID settings in Vigor2925 A.)
3. Configure TCP/IP Network Settings:
- Check to enable the option IPsec with the Same Subnets.
- Select "Whole Subnet" for the Translated Type.
- Input Remote Network IP as 192.168.129.0 (It should be the Translated Local Network IP on the Vigor2925 A in the head office.)
- Input the Translated Local Network IP as 192.168.11.0.
- Click OK to apply the VPN settings.
4. After completing the above configuration, the network administrator can check the VPN status via VPN and Remote Access >> Connection Management.
5. A computer with IP 192.168.1.10 behind Vigor2925 B in the branch office can ping IP 192.168.129.10, which is the translated address of the computer in the head office whose real IP is 192.168.1.10.
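The "Whole Subnet" translation and the cross-checks between the two profiles (Remote Network IP against the other side's Translated Local Network IP, Peer ID against Local ID, no overlap between translated and real networks) can be verified before applying the settings. The following is an added example, not DrayTek code; the dictionary key names are hypothetical and only mirror the fields used in this article.

```python
import ipaddress

MASK = "255.255.255.0"  # both offices use this mask in the article

# Constructed representation of the two profiles; the key names are
# hypothetical and are not a DrayTek configuration format.
HEAD = {"lan": "192.168.1.0", "translated_local": "192.168.129.0",
        "remote_network": "192.168.11.0", "peer_id": "branch1"}
BRANCH = {"lan": "192.168.1.0", "translated_local": "192.168.11.0",
          "remote_network": "192.168.129.0", "local_id": "branch1"}

def net(addr, mask=MASK):
    return ipaddress.ip_network(f"{addr}/{mask}")

def translate(ip, real, translated, mask=MASK):
    """Whole Subnet mapping: keep the host bits, swap the network bits."""
    ip, real, translated = ipaddress.ip_address(ip), net(real, mask), net(translated, mask)
    if ip not in real:
        raise ValueError(f"{ip} is not in {real}")
    host_bits = int(ip) & int(real.hostmask)
    return str(ipaddress.ip_address(int(translated.network_address) | host_bits))

def check_profiles(head, branch):
    """Return a list of mismatches that would stop the tunnel or its traffic."""
    problems = []
    if head["remote_network"] != branch["translated_local"]:
        problems.append("head Remote Network IP != branch Translated Local Network IP")
    if branch["remote_network"] != head["translated_local"]:
        problems.append("branch Remote Network IP != head Translated Local Network IP")
    if head["peer_id"] != branch["local_id"]:
        problems.append("head Peer ID != branch Local ID")
    nets = {"head LAN": net(head["lan"]), "branch LAN": net(branch["lan"]),
            "head translated": net(head["translated_local"]),
            "branch translated": net(branch["translated_local"])}
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # The two real LANs overlapping is the premise; anything else is an error.
            if {a, b} != {"head LAN", "branch LAN"} and nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    print(translate("192.168.1.10", HEAD["lan"], HEAD["translated_local"]))
    print(check_profiles(HEAD, BRANCH) or "profiles are consistent")
```
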