
I am trying to educate myself on the creation of a site-to-site VPN for a planned VPN tunnel we will be creating at work. I am having trouble understanding what I should put for the local/remote subnets for the tunnel. At one site, there is only one subnet we are worried about; for simplicity's sake we'll say 192.168.4.0/24.

At our main site, we are splitting up different groups into subnets to prevent access to certain resources on an IP-based scheme (subnets will be ACL'd from seeing specific resources, as an added layer of security). For example, these subnets would be:

192.168.1.0/24
192.168.11.0/24
192.168.12.0/24
192.168.13.0/24
192.168.14.0/24
192.168.15.0/24
192.168.16.0/24

The subnets at .4 and .1 are unchangeable for the foreseeable future.

The point here is that all subnets live within the same /16. My initial question is: would it be possible to do a remote/local setup like 192.168.4.0/24, 192.168.0.0/16, and would this cause problems?

If it won't work, what would be a recommended configuration of the subnets?

EDIT:

I'm wondering, if I set up the VPN with the /16 on one end and the 4.0/24 on the other, whether the overlap will cause a problem with .4.

psychopatch

1 Answer


We ended up choosing just the particular subnets that need access at the moment, and added a tunnel for them, i.e. .1.0/24 and .11.0/24, excluding the others. Given current knowledge and experience (or lack thereof at the moment), this seemed to be the best option.

psychopatch