
I set up a site-to-site VPN with IPsec between two routers.

  • Router 1 (DLink DSR-250V2) controls the 11.11.11.0/24 subnet.
  • Router 2 controls the 192.168.1.0/24 subnet.

The tunnel itself works fine. Devices in one subnet can reach devices in the other subnet.

I need to create an IP alias on Router 1 for a device on Router 2's network. For example, say I have a device with an IP of 192.168.1.10, I want to configure some sort of rule on Router 1 so that when it gets traffic to 11.11.11.10, the traffic is intercepted and forwarded to 192.168.1.10 over the VPN.

In general, what would I need to configure to get this to work? Based on my reading, the suggestion is to use a NAT rule on Router 1 for translating the address. After making some attempts at adding SNAT and DNAT rules on the DSR-250V2, I was unsuccessful. I can only configure these rules for the WAN interface, and can't seem to touch the IPsec tunnel at all.

Any advice is appreciated.

1 Answer

For an address to "exist" in a subnet, something must answer ARP queries for it. If you want the router to handle the address, then the router must answer ARP.¹

So that means either a) the router on the 192.168.1.x side must support proxy-ARP, or b) it must literally have that address assigned as its secondary address on its LAN interface. Preferably the former, but as the goal is NAT, either will do.

Once you have ARP working for the address, the second step would be DNAT (i.e. "port forwarding" except directed from inside out). The DNAT rule should be on the LAN interface, not on WAN.

If your router doesn't let you do either of the above, then you can't do it with the router alone. You probably could set up a


¹ (Routers connect whole networks/subnets; they are not what connects hosts within a subnet, and they do not automatically see all subnet traffic – they only see what ARP or route tables lead there.)
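As an added illustration (not part of the question or the answer, and not DSR-250V2 configuration), here is what the answer's two steps look like on a Linux router standing in for Router 1: step 1 makes the router own the alias so it answers ARP for it (the answer's option b, a secondary address), step 2 adds the DNAT rule on the LAN interface rather than on WAN. The interface name `lan0`, the subnet membership check and the print-then-apply layout are assumptions of this example.

```shell
#!/bin/sh
# Constructed example: Linux equivalent of "router answers ARP for the alias,
# then DNAT on the LAN interface". Interface name and helper names are assumed.
set -eu

LAN_IF="${LAN_IF:-lan0}"   # assumed name of Router 1's LAN interface
ALIAS="11.11.11.10"        # address that should "exist" on the 11.11.11.0/24 side
TARGET="192.168.1.10"      # real host on the far side of the IPsec tunnel

# ip4_to_int converts a dotted quad to an integer for subnet arithmetic.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/PREFIX exits 0 when ADDR lies inside the prefix.
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# alias_rules LAN_IF ALIAS TARGET prints the commands instead of running them,
# so they can be reviewed first and then piped to a root shell.
alias_rules() {
    lan_if=$1; alias_ip=$2; target=$3
    # The alias must be in the local subnet and the target in the remote one;
    # otherwise the tunnel selectors (11.11.11.0/24 <-> 192.168.1.0/24) will not
    # match the translated packet and it will never enter the tunnel.
    in_subnet "$alias_ip" 11.11.11.0/24 || { echo "alias $alias_ip not in 11.11.11.0/24" >&2; return 1; }
    in_subnet "$target" 192.168.1.0/24 || { echo "target $target not in 192.168.1.0/24" >&2; return 1; }
    # Step 1: own the address on the LAN interface so the router answers ARP for it.
    echo "ip addr add $alias_ip/32 dev $lan_if"
    # Step 2: DNAT in PREROUTING on the LAN interface. PREROUTING runs before the
    # routing decision, so the rewritten packet is forwarded toward the tunnel
    # instead of being delivered to the router itself.
    echo "iptables -t nat -A PREROUTING -i $lan_if -d $alias_ip -j DNAT --to-destination $target"
    # Forwarding must be on for the translated packet to leave the router.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Review:  sh alias.sh        Apply:  sh alias.sh | sudo sh
alias_rules "$LAN_IF" "$ALIAS" "$TARGET"
```

The secondary address is used here rather than the answer's option a (proxy ARP) because Linux proxy_arp only answers for addresses whose route leaves through a different interface than the one the ARP request arrived on; an alias inside the LAN's own subnet would not be answered, so the /32 on the LAN interface is the reliable choice. Replies from 192.168.1.10 come back through the same router over the tunnel, where connection tracking reverses the DNAT, so no SNAT is needed for this direction.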
