Vyatta Network OS Documentation


Example of VFP configuration to handle overlapping IP addresses

In this sample configuration, a client ( within the Corporation-A private network wants to access a server ( within the Corporation-B private network. For security, a site-to-site VPN connection is configured from Corporation-A to Corporation-B.

However, both Corporation-A and Corporation-B use the same range of IP addresses within their private networks. Thus, Corporation-A's client is assigned to IP address range, but Corporation-B reserves IP address range for its own internal purposes. So if the Corporation-A client sent a packet to the server in Corporation-B, the connection might be misinterpreted as coming from one of Corporation-B's own internal addresses.

To avoid conflicts with Corporation-B's internal-use IP addresses, the Corporation-A router translates its client's address to a different address ( when it sends packets to Corporation-B. The Corporation-A router uses the virtual feature point (VFP) interface to apply the SNAT policy specifically to its client's traffic heading through the VPN to the server within the Corporation-B network, and it verifies that the responses from the server are translated back to the actual source address of the client. The Corporation-B router uses standard policy-based IPsec; it does not need a VFP interface.

Figure 1. Example of VFP configuration to handle overlapping IP addresses
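The following Python model is an added illustration of the translation logic described above; it is not Vyatta configuration and not part of the original documentation. All addresses are constructed sample values, the `VfpSnat` class and its method names are hypothetical, and the 1:1 range mapping generalizes the single-client case in the text.

```python
import ipaddress

# Constructed sample addressing; the page's real addresses are not shown.
SITE_A_LAN = ipaddress.ip_network("10.10.1.0/24")       # Corporation-A clients
SITE_B_RESERVED = ipaddress.ip_network("10.10.0.0/16")  # reserved inside Corporation-B
SERVER_B_NET = ipaddress.ip_network("172.16.5.0/24")    # Corporation-B server subnet
SERVER_B = ipaddress.ip_address("172.16.5.20")
SNAT_POOL = ipaddress.ip_network("192.168.200.0/24")    # addresses shown to Corporation-B


class VfpSnat:
    """Hypothetical model: 1:1 source NAT applied only to VPN-bound traffic."""

    def __init__(self, inside, pool, vpn_destinations, remote_reserved):
        if pool.overlaps(remote_reserved):
            raise ValueError("SNAT pool collides with the remote site's reserved range")
        if inside.num_addresses > pool.num_addresses:
            raise ValueError("SNAT pool too small for a 1:1 mapping")
        self.inside, self.pool = inside, pool
        self.vpn_destinations = vpn_destinations
        self.sessions = {}  # (translated_src, dst) -> original_src

    def outbound(self, src, dst):
        """Translate src when the packet is headed into the VPN, else pass it through."""
        to_vpn = any(dst in net for net in self.vpn_destinations)
        if src not in self.inside or not to_vpn:
            return src, dst
        offset = int(src) - int(self.inside.network_address)
        translated = self.pool.network_address + offset
        self.sessions[(translated, dst)] = src
        return translated, dst

    def inbound(self, src, dst):
        """Restore the client's real address on a reply; None if no session matches."""
        original = self.sessions.get((dst, src))
        return None if original is None else (src, original)


if __name__ == "__main__":
    nat = VfpSnat(SITE_A_LAN, SNAT_POOL, [SERVER_B_NET], SITE_B_RESERVED)
    client = ipaddress.ip_address("10.10.1.25")
    print("overlap without NAT:", SITE_A_LAN.overlaps(SITE_B_RESERVED))
    request = nat.outbound(client, SERVER_B)
    print("request on the VPN:", request)
    print("reply delivered to:", nat.inbound(SERVER_B, request[0]))
```

Traffic from the same client to a destination outside the VPN is returned untranslated, which mirrors applying the SNAT policy on the VFP interface rather than on all outbound traffic.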