
Resolving IPSEC Tunnel Conflicts Due to Overlapping Subnets

Overview

When several IPSEC tunnels terminate on the same device, overlapping subnets cause connectivity problems: if two tunnels claim the same destination range, the device can only send that traffic down one of them, so the other tunnel appears to drop or become unreachable as soon as the first comes up. The same symptom appears when two tunnels present the same Local ID, so that the peer matches the wrong tunnel during IKE negotiation. This article gives step-by-step guidance for removing these conflicts and keeping multiple tunnels running side by side.

Solution

1. Change the VPN Tunnel Subnet

Avoid subnet overlap by configuring each tunnel with a unique private IP range:

  • Use the private address blocks defined by RFC 1918 (these are CIDR blocks, not the old class A/B/C boundaries):

    • 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)

    • 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)

    • 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)

  • Example: If one tunnel uses 10.10.10.0/24, configure the other with 10.20.20.0/24. Check that the ranges do not merely differ but do not overlap at all: 10.10.0.0/16 on one tunnel still covers 10.10.10.0/24 on another.

2. Assign Unique Local IDs

  • Each tunnel should have a distinct Local ID. The peer uses the ID it receives to pick the matching tunnel definition (and, with pre-shared keys, usually the key), so two tunnels that present the same ID can be matched to the wrong definition during IPSEC negotiation.

  • Make sure the Local ID on one end is configured as the Remote ID on the other end, and that the value (IP address, FQDN, or e-mail style identifier) is of the type the peer expects.

3. Review Routing Metrics

  • Configure routing so that the route installed for one tunnel does not shadow the route for another.

  • Assign metric values to routes so that traffic uses the intended tunnel path. Note that metrics only break ties between routes of the same prefix length; a more specific route (longer prefix) always wins regardless of its metric, so a tunnel whose route is less specific than a conflicting one cannot be rescued by a lower metric alone.

4. Avoid Public IP Ranges for Internal Use

  • Do not use public IP ranges (e.g., 193.100.100.0/24) internally, because they can lead to unexpected routing issues: traffic for the real owner of that range is pulled into the tunnel instead.

  • Stick to the private IP ranges listed above to follow best practice and ensure reliable network behaviour.
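The four checks above can be run mechanically against a tunnel table before anything is committed to a device. The script below is an added example and not code from the original article; the tunnel entries, their names, the Local IDs and the field names (local_subnet, remote_subnet, local_id, metric) are constructed for illustration. It reports overlapping remote subnets (step 1), duplicated Local IDs (step 2), shows which tunnel would actually carry traffic to a given address under longest-prefix-match followed by metric (step 3), and flags any non-RFC 1918 range used on a tunnel (step 4).

```python
"""Audit IPsec tunnel definitions for subnet, Local ID and routing conflicts.

Added example, not part of the original article. All tunnel data below is
constructed: names, Local IDs and subnets are illustrative only.
"""
import ipaddress
from itertools import combinations

# Constructed sample table. "branch-b" duplicates branch-a's remote subnet and
# Local ID, "legacy" uses a /8 that swallows the other branches, and "partner"
# carries a public range that belongs to someone else.
TUNNELS = [
    {"name": "branch-a", "local_id": "hq.example", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "10.10.10.0/24", "metric": 10},
    {"name": "branch-b", "local_id": "hq.example", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "10.10.10.0/24", "metric": 20},
    {"name": "branch-c", "local_id": "hq-c.example", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "10.20.20.0/24", "metric": 10},
    {"name": "legacy", "local_id": "hq-legacy.example", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "10.0.0.0/8", "metric": 1},
    {"name": "partner", "local_id": "hq-partner.example", "local_subnet": "192.168.1.0/24",
     "remote_subnet": "193.100.100.0/24", "metric": 10},
]


def _net(cidr):
    # strict=False tolerates host bits set in the address part (e.g. 10.10.10.1/24).
    return ipaddress.ip_network(cidr, strict=False)


def find_overlapping_remotes(tunnels):
    """Step 1: pairs of tunnels whose remote subnets overlap (identical or nested)."""
    hits = []
    for a, b in combinations(tunnels, 2):
        if _net(a["remote_subnet"]).overlaps(_net(b["remote_subnet"])):
            hits.append((a["name"], b["name"]))
    return hits


def find_duplicate_local_ids(tunnels):
    """Step 2: Local IDs presented by more than one tunnel."""
    by_id = {}
    for t in tunnels:
        by_id.setdefault(t["local_id"], []).append(t["name"])
    return {lid: names for lid, names in by_id.items() if len(names) > 1}


def select_tunnel(tunnels, destination):
    """Step 3: the tunnel that would carry traffic to `destination`.

    Mirrors ordinary route selection: the longest matching prefix wins, and the
    metric only decides between routes of equal length. Returns None when no
    tunnel covers the address.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for t in tunnels:
        net = _net(t["remote_subnet"])
        if dst not in net:
            continue
        key = (-net.prefixlen, t["metric"])  # longer prefix first, then lower metric
        if best is None or key < best[0]:
            best = (key, t["name"])
    return best[1] if best else None


def find_public_ranges(tunnels):
    """Step 4: tunnels that use address space outside the private ranges.

    ipaddress treats RFC 1918 space (and loopback, link-local and similar
    reserved blocks) as private; anything else is flagged.
    """
    hits = []
    for t in tunnels:
        for field in ("local_subnet", "remote_subnet"):
            if not _net(t[field]).is_private:
                hits.append((t["name"], t[field]))
    return hits


if __name__ == "__main__":
    print("overlapping remote subnets:", find_overlapping_remotes(TUNNELS))
    print("duplicate Local IDs:", find_duplicate_local_ids(TUNNELS))
    for dst in ("10.10.10.5", "10.20.20.5", "10.99.0.1", "8.8.8.8"):
        print(f"traffic to {dst} goes via:", select_tunnel(TUNNELS, dst))
    print("public ranges in use:", find_public_ranges(TUNNELS))
```

With the sample table, branch-b never receives traffic even though it is configured: branch-a has the same /24 and a better metric, which is exactly the "one tunnel unreachable while the other is up" symptom. The legacy /8, despite its metric of 1, loses to every /24 that sits inside it, which is the longest-prefix-match caveat from step 3.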

Summary

To avoid IPSEC tunnel disruptions due to overlapping subnets:

  • Use unique, private subnets.

  • Assign distinct Local IDs.

  • Carefully manage routing priorities.

  • Eliminate public IPs from internal network configurations.

Following these steps removes the most common causes of conflict between concurrent IPSEC tunnels; if a tunnel still fails after they are applied, compare the IKE identities and traffic selectors in the negotiation logs on both ends.

FAQ

Q1: What happens if two IPSEC tunnels share the same subnet?
A1: One tunnel may override the other, causing traffic to misroute or tunnel negotiations to fail.

Q2: Why is using public IP ranges internally a bad idea?
A2: It can lead to routing conflicts, especially when trying to reach the actual public owner of that range: the internal route or tunnel captures the traffic before it ever leaves for the Internet.

Q3: What is a Local ID in an IPSEC tunnel?
A3: It's the identity an endpoint presents during IKE negotiation. The peer matches it against its configured Remote ID to select the right tunnel definition and, with pre-shared keys, the right key, so it is what distinguishes one tunnel from another on the same gateway.


Author: Ciprian Nastase