Connect Networks With Overlapping CIDRs

The Scenario

This tech note illustrates an example solution to a specific use case. In this use case, a customer needs to connect certain on-prem hosts to certain virtual machine (EC2/GCE) instances in a VPC/VNet over an IPsec tunnel over the Internet, but the on-prem network range overlaps with the VPC/VNet CIDR range, and the requirement from the customer is that no NAT function will be performed on the customer side. In addition, traffic can be initiated from either side.

Note that this solution works for specific hosts and virtual machine instances on each side.

The scenario is described in the following diagram, where VPC/VNet-2 represents an on-prem environment.

overlap
VPC/VNet-1 CIDR =  10.17.0.0/20, instance-1 in VPC/VNet-1 has an IP address 10.17.4.179.
VPC/VNet-2 CIDR = 10.17.0.0/20, instance-2 in VPC/VNet-2 has an IP address 10.17.7.81.

The Solution

The solution is to build a Site2Cloud IPsec tunnel between VPC/VNet-1 and VPC/VNet-2 and apply both source NAT (SNAT) and destination NAT (DNAT) on VPC/VNet-1 gateway. The packet flow is demonstrated as below:

  1. instance-1 sends a packet to instance-2 with a virtual destination IP address, for example 172.16.0.43. From instance-1’s point of view, the destination instance is a virtual address - 172.16.0.43.

  2. When the packet arrives at the VPC/VNet-1 gateway, the gateway does DNAT on the packet to translate the virtual destination IP address to 10.17.7.81 which is the instance-2 physical IP address.

  3. The gateway at VPC/VNet-1 then translates the packet source IP address (10.17.4.179) to a virtual source IP address, say it is 192.168.0.43.

  4. The packet then arrives at VPC/VNet-2 with destination IP address 10.17.7.81 and source IP address 192.168.0.43. From instance-2’s point of view, instance-1’s address is a virtual IP address - 192.168.0.43.

  5. When instance-2 sends a packet to instance-1, the destination is the virtual IP address 192.168.0.43.

  6. When the packet arrives at the VPC/VNet-1 gateway over the IPsec tunnel, the VPC/VNet-1 gateway translates its destination IP address from virtual address 192.168.0.43 to 10.17.4.179.

  7. The VPC/VNet-1 gateway then translates the source IP address of the packet from 10.17.7.81 to virtual address 172.16.0.43.

The Configuration Steps

Following the Site2Cloud Workflow to Launch Gateways

Log in to the Controller and select Site2Cloud from the left sidebar. Follow the Site2Cloud workflow to launch a gateway in the VPC.

(You can follow the gateway launch instructions. Leave optional parameters unchecked.)

Creating a Site2Cloud Tunnel

  1. Go to Controller Console > Site2Cloud.

  2. Click +Add New. Fill the form and click OK.

  3. In the Connection Type field, select Mapped.

s2c_connection

VPC-1 Gateway-1 Side

For the VPC gateway side, the Local Subnet field should be the subnet of VPC-1 (e.g. 10.24.0.0/20), and the Remote Subnet field should be the subnet of OnPrem Router (e.g. 10.24.0.0/20), as shown below.

Field Value

VPC ID/VNet Name

Choose VPC ID

Connection Type

Mapped

Connection Name

Arbitrary (e.g. S2C-VPC-OnPrem)

Remote Gateway Type

Generic

Tunnel Type

Route-based

Algorithms

Unmark this checkbox

Encryption over ExpressRoute/Direct Connect

Unmark this checkbox

Enable HA

Check this box if HA is required

Primary Cloud Gateway

Select the Aviatrix Gateway created above

Remote Gateway IP Address

Public IP of IOS Router WAN port (52.40.45.197 in this example)

Pre-shared Key

Optional (auto-generated if not entered)

Remote Subnet (Real)

10.24.0.0/20 (On-Prem Network CIDR)

Remote Subnet (Virtual)

Any/20 (On-Prem Network Virtual CIDR)

Local Subnet (Real)

10.24.0.0/20 (VPC-Cloud Network CIDR)

Local Subnet (Virtual)

Any/20 (VPC-Cloud Network Virtual CIDR)

vpc_to_onprem_rbipsec

Local & Remote Subnet (virtual) IP range could be anything but subnet should be same as Physical/Real subnet.

VPC/VNet-2 gateway-2 side

On the VPC/VNet gateway-2 side, the IPsec is a standard configuration.

For the VPC/VNet-2 gateway side, the Local Subnet field should be 10.17.7.81/32, and the Remote Subnet field should be 192.168.0.43/32, as shown below.

vpc2_to_vpc1_ipsec

Wait for the tunnel to come up.

Normally you’ll need to download the configuration, but in this example, since both ends of the network are on the VPC/VNet, you can simply configure each Site2Cloud tunnel. Make sure the pre-shared Keys are the same for both ends. In the above example, we used "Aviatrix101#" as our pre-shared key.

Configuring DNAT on Gateway-1

This step is to configures the gateway to translate the destination IP address 172.16.0.43 to the real private IP address 10.17.7.81, before routing happens.

At the main navigation bar, click Gateway. Highlight the gateway, in this case, the VPC/VNet-1 gateway, and click Edit.

Scroll down to Destination NAT. Follow the instructions here to configure, as shown below.

dnat

Configuring SNAT on Gateway-1

This step is to translate the packet source IP address after routing happens. In this example, the address is translated from 10.17.7.81 to 172.16.0.43 for packets going from on-prem (VPC/VNet-2) to VPC/VNet-1, and 10.17.4.179 to 192.168.4.43 for packets going from VPC/VNet-1 to on-prem (VPC/VNet-2).

For the same VPC/VNet-1 gateway, configure SNAT as shown below. Notice we entered "Dst CIDR" as qualifier to reduce the scope of the rule as a good practice. The reason that the address is 10.17.7.81/32 is that the destination has already been translated after the DNAT rule before routing happens.

snat

Testing the Site2Cloud Connection

Make sure your instance’s Security Groups inbound rules are configured properly.

From instance-1, you should be able to ping host-1 by "ping 192.24.7.101". From host-1, you should be able to ping instance-1 by "ping 172.24.1.4"