Three way site2site VPN

Question

Hi all together, 
 first of all: I am pretty new to Sophos UTMs so I might lack some basics you would otherwise expect me to have. Currently I am planning a three-way site2site VPN connection. Later on this will be expanded to connect 16 different locations all connecting to the HQ. We decided against RED devices because all locations need to be as independent as possible. Furthermore all locations share the same LAN subnet (172.17.0.0). This leads directly to site2site VPN configurations between mostly SG115 firewalls. At the moment I get the error: cannot route -- route already in use for "X_location a to location b" Bot sides are behind a router and NATed, but adding the local IP as VLAN-ID solved that as it seems. 
 From other posts I guess my failure lies within the assigned IP-Adresses on the interfaces. LAN-Interface: 172.17.2.23/255.255.0.0 WAN-Interface: 172.17.2.22/255.255.0.0 So I will change the IP on the wan interface. The question is: In wich way? Will it work when all locations (3 for now) have the same subnet on the WAN-Interface? Example: Location A LAN-Interface: 172.17.2.23/255.255.0.0 WAN-Interface: 172.18.2.23/255.255.255.0 Location B LAN-Interface: 172.17.2.24/255.255.0.0 WAN-Interface: 172.18.2.24/255.255.255.0 Location C LAN-Interface: 172.17.2.25/255.255.0.0 WAN-Interface: 172.18.2.25/255.255.255.0 
 and so on... 
 Another idea is to split all connections evenly by using 255.255.255.248 on router and WAN-Interface of the firewall. Later on it is planned that all offices should be able to contact AD, DNS etc. from the HQ. I hope you could help me to clarify this problem because otherwise I already see myself driving between all offices for days :) Thanks in advance!

apijnappels · Accepted Answer

You are going to have a hard time routing when all sites use the same subnet. You can only do it by NATTING al traffic to all sites into different subnets. 
 
 I'm not sure I understand your IP-scheme; you are talking about having same subnet for every location both on LAN and WAN? Usually at least the WAN should have different IP-addresses. 
 I'll try to give you a go in how to solve 
 1) Best would be to change subnets on every site so every site had unique subnet. This will be by far the easiest solution which is also easy to understand when you need to change something later on. 
 2) on HQ (172.17.0.0/16) create a VPN tunnel to site X. Configure a different subnet for site X (ie 172.18.0.0/16). Also create a different subnet for HQ (otherwise Site X cannot route to it, ie 172.1.0.0/16) and use this as local in HQ VPN connection. 
 Also in HQ create a SNAT rule for traffic from internal (network) to 172.18.0.0/16 ("new" site x subnet) translate source to 172.1.0.0/16 ("new" HQ subnet). And create a DNAT rule in HQ traffic from 172.18.0.0/16 going to 172.1.0.0/16 change destination to 172.17.0.0/16 (real IP). 
 At site X configure the VPN tunnel using the "new" IP-range as local (172.18.0.0/16) and 172.1.0.0/16 as remote. 
 At site X create a SNAT rule traffic from Internal (Network) going to 172.1.0.0/16 change source to 172.18.0.0/16 and create a DNAT rule for the return traffic: Traffic from 172.1.0.0/16 going to 172.18.0.0/16 translate destination to 172.17.0.0/16 (Real IP). 
 You will have to "make up" different subnets for all your sites and at every site make the required DNAT and SNAT rules. For HQ you can have only one NAT subnet (in my example 172.1.0.0/16) since this will be unique among all other subnets. If you also need to have all sites communicate to each other (and not just to HQ) then you will need to write even more NAT rules from every site to every other site. 
 As you will see, it can be done but you will quickly become lost in all the NAT subnets, so best would really be to change subnets so every site has a unique subnet to start with.