In v1.7, an overlap in the remote and local prefixes in an IPSec tunnel worked fine but it appears a bug (or new feature) starting with v1.8 and continuing with v1.8.5 will not allow connectivity to the local subnet if that subnet is within the supernet across the tunnel.
We have many clients who need to forward all traffic across the tunnel (i.e. remote prefix = 0.0.0.0/0). You can't key quad 0 into the GUI, but it worked fine in v1.7 if configured from the CLI (and works with Cisco and other vendors). But forget that for now. Starting with v1.8, if the remote prefix overlaps the local prefix, the smaller site loses connectivity to its local networks. For example:
- Main site has many 172.16.x.0/24 networks.
- "Remote" sites have a single 172.16.x.0/24 network
- Configuration at the "remote" site with reverse at main site
- set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 172.16.220.0/24
- set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 172.16.0.0/16
As soon as the VPN is configured, the remote site's router can no longer send traffic to its local LAN. For testing, if the remote prefix (and matching local prefix on the main site router) are changed to a single /24 network, connectivity across the VPN works and local connectivity at the remote site works.
While the configurations of our production VPNs are more complex than the GUI allows, for testing purposes we created the simplest configuration within the GUI and verified the above. Following is a simple configuration for the "remote" site. Configuration for the main site is identical (with interfaces, addresses and prefixes swapped). Also, there is no NAT and firewalls have been disabled.
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0.52
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer 10.253.4.226 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 10.253.4.226 authentication pre-shared-secret *******************
set vpn ipsec site-to-site peer 10.253.4.226 connection-type initiate
set vpn ipsec site-to-site peer 10.253.4.226 description hosp-test
set vpn ipsec site-to-site peer 10.253.4.226 ike-group FOO0
set vpn ipsec site-to-site peer 10.253.4.226 ikev2-reauth inherit
set vpn ipsec site-to-site peer 10.253.4.226 local-address 10.253.12.53
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 local prefix 172.16.220.0/24
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 remote prefix 172.16.0.0/16
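As an added example (not from the original post, and not EdgeOS code), a small Python check that scans EdgeOS-style `set vpn ipsec site-to-site` lines for tunnels whose local and remote prefixes overlap, the condition described above, and reports whether the local LAN sits entirely inside the peer's remote prefix. The second peer (10.253.4.227) and its prefixes are constructed for contrast; listing the remote supernet minus the local /24 as separate prefixes is offered as an assumed workaround idea, not something the post verifies.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the tunnel from the post, plus a hypothetical second
# peer whose remote prefix does not overlap the local one.
SAMPLE_CONFIG = """
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 local prefix 172.16.220.0/24
set vpn ipsec site-to-site peer 10.253.4.226 tunnel 1 remote prefix 172.16.0.0/16
set vpn ipsec site-to-site peer 10.253.4.227 tunnel 1 local prefix 172.16.220.0/24
set vpn ipsec site-to-site peer 10.253.4.227 tunnel 1 remote prefix 192.168.50.0/24
"""

PREFIX_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) tunnel (\d+) (local|remote) prefix (\S+)$"
)


def parse_tunnels(config_text):
    """Return {(peer, tunnel): {'local': network, 'remote': network}}."""
    tunnels = defaultdict(dict)
    for line in config_text.splitlines():
        m = PREFIX_RE.match(line.strip())
        if m:
            peer, tun, side, prefix = m.groups()
            tunnels[(peer, tun)][side] = ipaddress.ip_network(prefix, strict=False)
    return tunnels


def find_overlaps(config_text):
    """List (peer, tunnel, local, remote, local_inside_remote) for each
    tunnel whose local and remote prefixes overlap."""
    findings = []
    for (peer, tun), sides in parse_tunnels(config_text).items():
        if "local" not in sides or "remote" not in sides:
            continue  # incomplete tunnel definition, nothing to compare
        local, remote = sides["local"], sides["remote"]
        if local.overlaps(remote):
            findings.append((peer, tun, str(local), str(remote), local.subnet_of(remote)))
    return findings


def split_remote_around_local(remote, local):
    """Assumed workaround: the remote supernet minus the local prefix, as a
    sorted list of non-overlapping prefixes to configure instead of the /16."""
    remote_net = ipaddress.ip_network(remote)
    local_net = ipaddress.ip_network(local)
    return [str(n) for n in sorted(remote_net.address_exclude(local_net))]
```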