
Overlapping subnet in 2 IPSEC VPN

Hi Team,

I have VPNs to 2 different sites; the other end is not using Sophos but Meraki & ASA.

My issue is that for the first site the remote subnet is 10.0.0.0/8, and for the other one it's 10.216.30.0/23 & 10.216.33.0/24.

And it is causing overlapping of subnets. Packets are not being delivered to the 10.216.30.0/23 subnet, though Sophos should check for the longest prefix match.

Is there a solution to send the traffic for 10.216.30.0/23 & 10.216.33.0/24 to the second VPN instead of the first one?

Regards

TJ



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    You would have to configure NAT on both sides for the overlapping networks.

    Check out the following KBA for more info: Sophos UTM: How to tunnel between two UTMs which use the same LAN network range.

    Thanks,

  • As H_patel wrote, you can only solve this with NAT. It's not the firewall that "should" check the longest prefix match; it's the workstation that thinks 10.216.30.0 is in its own subnet, hence the local computer will never deliver the packet to the router but will only broadcast a WHO HAS 10.216.30.x on the local network.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and enjoying helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
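The two questions raised so far in this thread, whether the remote networks of the two tunnels overlap and whether a host would even hand such a packet to its gateway, can both be checked mechanically. The following Python is an added example written for this thread; it is not Sophos code and does not model how the UTM's IPsec policy selection actually behaves. The tunnel names and the local-host addresses used in the calls are constructed for the example; the remote networks are the ones TJ listed.

```python
"""Check IPsec remote-network definitions for cross-tunnel overlap, show what a
longest-prefix-match lookup would pick, and test whether a host would treat a
destination as on-link (and ARP for it) instead of sending it to its gateway.
Added example for this thread; not Sophos code.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Remote networks per tunnel as described in the thread. The tunnel names are
# placeholders chosen for this example, not names from any real configuration.
TUNNELS: Dict[str, List[str]] = {
    "vpn_site1_meraki": ["10.0.0.0/8"],
    "vpn_site2_asa": ["10.216.30.0/23", "10.216.33.0/24"],
}


def find_overlaps(tunnels: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (tunnel_a, net_a, tunnel_b, net_b) for every pair of remote
    networks that belong to different tunnels and overlap each other.

    Overlap between tunnels is the condition that makes the tunnel selection
    for a destination ambiguous, so every hit is a configuration to review.
    """
    entries = [
        (name, ipaddress.ip_network(net, strict=True))
        for name, nets in tunnels.items()
        for net in nets
    ]
    overlaps = []
    for i, (tun_a, net_a) in enumerate(entries):
        for tun_b, net_b in entries[i + 1:]:
            if tun_a != tun_b and net_a.overlaps(net_b):
                overlaps.append((tun_a, str(net_a), tun_b, str(net_b)))
    return overlaps


def longest_prefix_match(tunnels: Dict[str, List[str]],
                         destination: str) -> Optional[Tuple[str, str]]:
    """Pick the tunnel whose remote network contains the destination with the
    longest prefix, i.e. the most specific match, as a routing lookup would.

    Returns (tunnel_name, network) or None when no tunnel covers the address.
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[str, ipaddress.IPv4Network]] = None
    for name, nets in tunnels.items():
        for net_str in nets:
            net = ipaddress.ip_network(net_str)
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return None if best is None else (best[0], str(best[1]))


def leaves_local_subnet(host_with_mask: str, destination: str) -> bool:
    """True when a host with this address/mask would send the destination to
    its default gateway; False when the host's own mask makes the destination
    look on-link, so the host ARPs for it locally and the router never sees
    the packet (the situation Pijnappels describes above).
    """
    iface = ipaddress.ip_interface(host_with_mask)
    return ipaddress.ip_address(destination) not in iface.network


if __name__ == "__main__":
    for hit in find_overlaps(TUNNELS):
        print("overlap between tunnels:", hit)
    for dst in ("10.216.30.10", "10.216.33.7", "10.5.5.5"):
        print(dst, "->", longest_prefix_match(TUNNELS, dst))
    # Constructed local-host addresses: a /8 host never routes 10.216.30.10,
    # while a /24 host hands it to the gateway.
    print("10.1.2.3/8  routes 10.216.30.10:", leaves_local_subnet("10.1.2.3/8", "10.216.30.10"))
    print("10.1.2.3/24 routes 10.216.30.10:", leaves_local_subnet("10.1.2.3/24", "10.216.30.10"))
```

Running it reports both of the site-2 networks as overlapping the site-1 /8, and the lookup picks the /23 and /24 tunnel for addresses inside them even though the /8 also covers them. Whether a particular firewall resolves the ambiguity that way is a separate question, which is why the replies above point to NAT rather than relying on prefix length; the last check is worth running against the actual workstation masks before chasing the tunnel selection at all.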

  • Hi TJ and welcome to the UTM Community!

    The real problem here is that one should NEVER use 10.0.0.0/8 and rarely subnets therein.  My usual recommendation is for internal subnets to be in the 172.16.0.0/12 range.  Reserve 192.168.0.0/16 for public hotspots and home users.  Reserve anything in 10.0.0.0/8 for giant multinationals, ISPs, etc.  UTM uses 10.242.[1-5].0/24 by default for VPN Pools.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA