Configuring Overlapping Networks with Network Mapped IPsec

The Scenario

This document illustrates an example solution to a specific use case. In this AWS use case, a customer needs to connect certain on-prem hosts to certain EC2 instances in a VPC over an IPsec tunnel over the Internet, but the on-prem network range overlaps with the VPC CIDR range, and the requirement from the customer is that no NAT function will be performed on the customer side. In addition, traffic can be initiated from either side.

The scenario is described in the following diagram:

VPC       CIDR =, instance-1 in VPC-1 has an IP address
On-Prem   CIDR =, host-1 in On-Prem has an IP address

The traditional solution is to build an IPsec tunnel between the two networks and use SNAT/DNAT rules to translate each address, as demonstrated in this example. Such a solution requires a potentially large number of SNAT/DNAT rules, which are difficult to configure and maintain.

The Solution

This solution uses the "network mapped" feature in Site2Cloud which removes the need to configure individual SNAT/DNAT rules.

This solution uses a Site2Cloud route-based IPsec tunnel with a Virtual Tunnel Interface (VTI) between the VPC gateway and the on-prem router. The packet flow is as follows:

  1. instance-1 sends a packet to host-1 with a virtual destination IP address, for example From instance-1’s point of view, the destination instance is a virtual address -

  2. When the packet arrives at the VPC-1 gateway, the gateway performs DNAT on the packet to translate the virtual destination IP address to which is the host-1 physical IP address.

  3. The gateway at VPC then translates the packet source IP address ( to a virtual source IP address (

  4. The packet then arrives at the on-prem Cisco IOS Router with a destination IP address of and a source IP address of From host-1’s point of view, instance-1’s address is a virtual IP address -

  5. When host-1 sends a packet to instance-1, the destination is the virtual IP address

  6. When the packet arrives at the VPC-1 gateway over the IPsec tunnel, the VPC gateway translates its destination IP address from virtual address to

  7. The VPC gateway then translates the source IP address of the packet from to virtual address
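The translation the VPC gateway performs in steps 2-3 and 6-7 is a 1:1 mapping of host offsets between a real subnet and a same-sized virtual subnet, which is why no per-host SNAT/DNAT rules are needed. The following is an added illustration, not Aviatrix code; the CIDRs and host addresses are constructed samples (the page's own values were not captured here) in which both sites use 10.0.0.0/24 and each side reaches the other through a distinct virtual /24.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values (not from the page): overlapping real ranges,
# non-overlapping virtual ranges. In CoPilot these correspond to the
# Local Subnet / Remote Subnet fields and their mapped counterparts.
VPC_REAL       = ip_network("10.0.0.0/24")    # VPC-1 CIDR
ONPREM_REAL    = ip_network("10.0.0.0/24")    # on-prem CIDR (overlaps VPC-1)
VPC_VIRTUAL    = ip_network("172.16.1.0/24")  # how on-prem sees VPC-1 hosts
ONPREM_VIRTUAL = ip_network("172.16.2.0/24")  # how VPC-1 sees on-prem hosts


def _map(addr, src_net, dst_net):
    """Translate addr from src_net to the same host offset inside dst_net (1:1)."""
    addr = ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in mapped subnet {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("real and virtual subnets must be the same size")
    offset = int(addr) - int(src_net.network_address)
    return ip_address(int(dst_net.network_address) + offset)


def vpc_to_onprem(src, dst):
    """Packet from instance-1 entering the tunnel at the VPC gateway.
    Step 2: DNAT virtual on-prem -> real on-prem.
    Step 3: SNAT real VPC -> virtual VPC."""
    return (str(_map(src, VPC_REAL, VPC_VIRTUAL)),
            str(_map(dst, ONPREM_VIRTUAL, ONPREM_REAL)))


def onprem_to_vpc(src, dst):
    """Packet from host-1 leaving the tunnel at the VPC gateway.
    Step 6: DNAT virtual VPC -> real VPC.
    Step 7: SNAT real on-prem -> virtual on-prem."""
    return (str(_map(src, ONPREM_REAL, ONPREM_VIRTUAL)),
            str(_map(dst, VPC_VIRTUAL, VPC_REAL)))


if __name__ == "__main__":
    # instance-1 (10.0.0.10) pings host-1 through its virtual address 172.16.2.20
    print(vpc_to_onprem("10.0.0.10", "172.16.2.20"))  # ('172.16.1.10', '10.0.0.20')
    # host-1 (10.0.0.20) replies to instance-1's virtual address 172.16.1.10
    print(onprem_to_vpc("10.0.0.20", "172.16.1.10"))  # ('172.16.2.20', '10.0.0.10')
```

Because the mapping is offset-based, the reply to a translated packet lands back on the original addresses without any state being kept on the gateway; a destination that is not inside the expected virtual range (such as host-1's real address) is rejected, which is the overlap case the virtual subnets exist to avoid.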

The Configuration Steps

Following the Site2Cloud Workflow to Launch Gateways

In Aviatrix CoPilot, create a Transit Gateway.

For the above example, a gateway is also launched in VPC/VNet-2 to emulate an on-prem environment.

Creating a Site2Cloud Tunnel

  1. In CoPilot, go to Networking > Connectivity > External Connections (S2C) and create one of these Mapped connections:

VPC/VNet-1 gateway-1 side

For the VPC/VNet-1 gateway side, the Local Subnet field should be, and the Remote Subnet field should be, as shown below.


Configure On-Prem Cisco Router

  1. On the Networking > Connectivity > External Connections (S2C) tab, click the vertical ellipsis and click Download Configuration.

  2. In the Download Configuration dialog, select:

    • Cisco from the Vendor dropdown.

    • ISR, ASR, or CSR from the Platform dropdown.

    • IOS(XE) from the Software dropdown.

  3. Click Download.

  4. Save the configuration file as a reference for configuring your Cisco IOS router.

    The following is a sample configuration based on the Site2Cloud configuration above.

  5. Either ssh into the Cisco router or connect to it directly through its console port.

  6. Apply the following IOS configuration to your router:

    ! Aviatrix Site2Cloud configuration template
    ! You need to populate these values throughout the config based on your setup:
    ! <isakmp_policy_number1>: the isakmp policy number
    ! <tunnel_number1>: the IPsec tunnel interface number
    ! <ios_wan_interface1>: the source interface of tunnel packets
    ! <customer_tunnel_ip1>: any un-used IPv4 address for the tunnel interface
    !                        when static routing is used
    ! --------------------------------------------------------------------------------
    ! IPsec Tunnel
    ! --------------------------------------------------------------------------------
    ! #1: Internet Key Exchange (IKE) Configuration
    ! A policy is established for the supported ISAKMP encryption,
    ! authentication, Diffie-Hellman, lifetime, and key parameters.
    crypto keyring
      pre-shared-key address key <key>
    crypto isakmp policy 1
     encryption aes 256
     hash sha256
     authentication pre-share
     group 14
     lifetime 28800
    crypto isakmp keepalive 10 3 periodic
    crypto isakmp profile
       self-identity address
       match identity address
    ! #2: IPsec Configuration
    ! The IPsec transform set defines the encryption, authentication, and IPsec
    ! mode parameters.
    crypto ipsec transform-set esp-aes 256 esp-sha256-hmac
     mode tunnel
    crypto ipsec df-bit clear
    crypto ipsec profile
     set security-association lifetime seconds 3600
     set transform-set
     set pfs group14
     set isakmp-profile
    ! #3: Tunnel Interface Configuration
    ! The virtual tunnel interface is used to communicate with the remote IPsec endpoint
    ! to establish the IPsec tunnel.
    interface Tunnel1
     ip address
     ip mtu 1436
     ip tcp adjust-mss 1387
     tunnel source GigabitEthernet1
     tunnel mode ipsec ipv4
     tunnel destination
     tunnel protection ipsec profile
     ip virtual-reassembly
    ! #4: Static Routing Configuration
    ! The static route directs the traffic to the Aviatrix remote subnets via the tunnel
    ! interface.
    ip route Tunnel1

  7. You can check the Tunnel Status at Diagnostics > Cloud Routes > External Connections.

Testing the Site2Cloud Connection

Make sure the inbound rules of your instance’s Security Group allow the test traffic.

From instance-1, you should be able to ping host-1 by "ping". From host-1, you should be able to ping instance-1 by "ping"