Spreading a subnet via VPN

There is 1 network behind FW-A that is already in place, in the subnet 172.16.101.0/24

I would like to establish an IPSec tunnel between FW-A and FW-B,and have devices behind FW-B to also be located on the same subnet as FW-A in 172.16.101.0/24.

Here is a representation:

Now from what I know, the way you achieve this kind of topology is by natting both networks and have them communicate through their nat addresses.

I was wondering if there might be another way to advertise subnet A to FW-B, while maintaining the same subnet on the side of B?

The base idea here is for a device behind B to directly communicate with a device behind A using it's real address in 172.16.101.0/24 without any NAT?

Not sure if this is reasonable to expect, as i'm aware of the collision between both networks.

In such a situation, you have three options.

• 1: As you already pointed out, use a full NAT (source and destination NAT)
• 2: segmentation of the networks (transform the 172.16.101.0/24 subnet into two /25 subnets)
• 3: use bridging instead of an IPsec tunnel.

In Scenario 3, you would build a vpn on network layer 2, effectively bridging those two networks together. You would have to ensure by some other means that no IP collisions occur. This introduces additional overhead to the vpn, since you are tunneling the ethernet protocol, not the IP protocol.

installing a firewall on such vpn connections is possible (see here for example, or take a look at the linux man page of ebtables), but is more challenging than on an ipsec tunnel, and not all firewalls have such a capability. Because of those drawbacks, I would always go for the full NAT option...