
VPN and overlapping address question

  • 26-10-2004 4:53pm
    Registered Users Posts: 10,339 ✭✭✭✭


    As far as I know, this is not possible, but maybe someone out there can correct me on this...

    The situation:
    Central point (CP) has a ZyWALL 100 and a ZyXEL Prestige router and connects to multiple clients (A, B and C).

    CP address range internal: 10.0.0.0, subnet: 255.255.0.0

    A: IP internal: 192.168.0.0, subnet: 255.255.255.0, zywall 662
    B: IP internal: 192.168.1.0, subnet: 255.255.255.0, zywall 662
    C: IP internal: 192.168.0.0, subnet: 255.255.255.0, zywall 662

    Now, can CP maintain active VPNs to all three sites simultaneously? Currently only A and B can be active, or B and C, at any one time. A and C have to be turned off and on again as required.

    As an aside: what if CP had an internal IP of 192.168.0.0?

    All sites have static IP addresses assigned by eircom.

    Any ideas?


Comments

  • Registered Users Posts: 491 ✭✭flav0rflav


    Depends on the exact setup, but, yes it will be a problem.

    Those are private address ranges, which you guys are in control of. So the first and easiest option to make it work is to change the addresses at one of the sites. It should be just part of your overall network architecture. It'll most likely be using DHCP, so it's straightforward.

    Second option, which may or may not be available, is to use some sort of Network Address Translation, hence hiding the remote, awkward address.


  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    The example is a scaled-down version of the real problem. I currently have 43 VPN connections, some of them to large companies with VPNs of their own. Changing ranges on the client site is really not an option. (New sites are being given incremental IP ranges: 192.168.0.x, 192.168.1.x, 192.168.2.x etc.)

    I could change the VPN to connect to a single PC (server) in each place, but then the server would need a different IP from the rest of the servers: 192.168.0.1, 192.168.0.2 etc. However, most sites have the server set at 0.1 and I'm not sure how they would welcome change :) (also I'm curious to see if it can be done another way).

    Does the NAT entry take place before or after the VPN table? (ZyWALL tables don't like entries with "conflicting" ranges.) I.e., can I call .1 and .2 different entries in the VPN table?


  • Closed Accounts Posts: 2,188 ✭✭✭Ripwave


    So you're saying that you're opening tunnels directly between your company's LAN and some other company's LAN. And you want to open another tunnel to a third company. Does the first company know that you want the third company to have full and complete access to their LAN?

    No, you can't access two different 192.168.0.0/24 networks at the same time. But more to the point, if you don't control the networks in question (to the extent that you can renumber them to all use unique subnets), you really shouldn't be opening tunnels between them in the way you have described.


  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    Ripwave wrote:
    So you're saying that you're opening tunnels directly between your company's LAN and some other company's LAN. And you want to open another tunnel to a third company. Does the first company know that you want the third company to have full and complete access to their LAN?

    No, you can't access two different 192.168.0.0/24 networks at the same time. But more to the point, if you don't control the networks in question (to the extent that you can renumber them to all use unique subnets), you really shouldn't be opening tunnels between them in the way you have described.

    It's called tech support. I use the remote desktop feature built in to Server 2003 to solve server issues over a VPN rather than have the customer wait for an engineer to call out or spend an hour on the phone doing something I can finish in 10 minutes via remote connection. I don't need full control of a network, and have you ever tried renumbering the LAN of a 300-PC company with VPNs to the mothership in Germany and their satellites in Cork, Italy and America? Not really that feasible.

    To answer your questions specifically:

    No, customers do not know other customers. Many of them are in direct competition.

    I don't want complete access to their LAN (I wouldn't do anything, but it's better not to have access in the first place) and can't, as not all the client PCs are capable of supporting TS.

    I didn't think it was possible, but after reading

    http://www.nanog.org/mtg-0102/ppt/retana/

    I thought I might be able to find a way to get it working... some protocol I haven't heard of or some piece of software that can manage it.

    ah well.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 91,880 Mod ✭✭✭✭Capt'n Midnight


    Cheap n' nasty:
    use smaller subnets rather than a full class C block of 254 addresses so there's less chance of an overlap. Won't really help much, 'cos I reckon you'll hit a lot of 192.168.0.1s and 192.168.0.254s.

    There might be some way of doing it with NAT so that as far as your internal network is concerned C is 192.168.2.x and only gets NATted to 0.x between the CP and the ZyWALL thingy. Not sure how to do this, since you are looking to change the subnet, not map all addresses to a single one.
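
    The 1:1 NAT idea floated in flav0rflav's "second option" and in the post above (present each overlapping spoke to the hub under a different subnet, translating only the network bits) can be worked through as an added example. This is not code from the thread or from any ZyXEL product; it is a small Python planner that (a) finds which sites in the thread's topology collide, (b) carves a unique "shadow" subnet for every spoke out of an assumed spare pool (172.16.0.0/12), (c) performs the NETMAP-style address translation, and (d) prints the resulting hub policy table plus illustrative Linux iptables NETMAP rules for a spoke firewall (assumption: a spoke that runs netfilter; the ZyWALL configuration is not shown anywhere in the thread). The site table is constructed from the first post.

```python
"""Overlap detection and 1:1 (NETMAP-style) NAT planning for a hub-and-spoke VPN."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample of the topology described in the thread: hub CP and spokes A, B, C.
SITES = {
    "CP": IPv4Network("10.0.0.0/16"),
    "A": IPv4Network("192.168.0.0/24"),
    "B": IPv4Network("192.168.1.0/24"),
    "C": IPv4Network("192.168.0.0/24"),
}
HUB = "CP"
# Assumed shadow pool; any block that no site actually uses would do.
SHADOW_POOL = IPv4Network("172.16.0.0/12")


def find_overlaps(sites):
    """All pairs of sites whose subnets overlap, i.e. the tunnels the hub
    cannot keep up at the same time without some translation."""
    names = sorted(sites)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if sites[a].overlaps(sites[b])]


def assign_shadow_subnets(sites, hub=HUB, pool=SHADOW_POOL):
    """Give every spoke a unique shadow subnet of the same prefix length, carved
    from `pool`, that overlaps neither any real site subnet nor another shadow.
    The hub addresses each spoke by its shadow; the spoke's firewall translates,
    so the spoke LAN itself is never renumbered."""
    used = list(sites.values())
    plan = {}
    for name in sorted(n for n in sites if n != hub):
        real = sites[name]
        for cand in pool.subnets(new_prefix=real.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                plan[name] = cand
                used.append(cand)
                break
        else:
            raise ValueError(f"shadow pool exhausted before site {name}")
    return plan


def netmap(addr, src_net, dst_net):
    """1:1 translation: keep the host bits, swap the network bits.
    Same function serves both directions (shadow->real and real->shadow)."""
    addr = IPv4Address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs equal-sized subnets")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    return dst_net.network_address + (int(addr) - int(src_net.network_address))


def hub_policy(sites, plan, hub=HUB):
    """IPsec policy table as the hub sees it: every remote selector is unique,
    so A and C no longer fight over 192.168.0.0/24."""
    return [(name, sites[hub], plan[name]) for name in sorted(plan)]


def spoke_rules(name, sites, plan):
    """Illustrative iptables NETMAP rules for a netfilter-based spoke firewall
    (assumed; not the thread's ZyWALL syntax). Traffic arriving from the tunnel
    for the shadow is mapped onto the real LAN, and replies are mapped back."""
    real, shadow = sites[name], plan[name]
    return [
        f"iptables -t nat -A PREROUTING  -d {shadow} -j NETMAP --to {real}",
        f"iptables -t nat -A POSTROUTING -s {real} -j NETMAP --to {shadow}",
    ]


if __name__ == "__main__":
    print("overlapping sites:", find_overlaps(SITES))
    plan = assign_shadow_subnets(SITES)
    for name, local, remote in hub_policy(SITES, plan):
        print(f"tunnel {name}: {local} <-> {remote}  (real LAN {SITES[name]})")
    for rule in spoke_rules("C", SITES, plan):
        print(rule)
    print("hub-side 172.16.2.1 reaches", netmap("172.16.2.1", plan["C"], SITES["C"]))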

