VPN: How to handle foreign & home network using same address space?

Tags:
Networking
Our internal network was set up several years ago with the 192.168.0/24 address space. However, it seems that virtually every SOHO router made has this address space as its default, which makes it impossible for the users to connect to the corporate network (we are using Checkpoint NG with AI and the SecuRemote 56 client running IPSec) unless this default is changed -- which some routers do not allow, and even if they do the user does not know how to do it. We are considering changing our network address space to some less-common range, e.g., 192.168.131/24 (to choose a random number). However, this is a major undertaking. What solutions are available, if any, where one can have the foreign and corporate networks use the same address space but be able to communicate with both? To use a particularly thorny example, say that a foreign printer and the corporate e-mail server had the same IP address but different names? Is there any way for the VPN client to determine to which network to send which traffic? If there is no easy solution, what alternatives are there (changing VPN technology -- maybe to SSL?) to rebuilding our network?

Answer Wiki

I have the same issue (using WatchGuard FireBox). Any of my users who have a wireless network @ home cannot connect to the VPN. Another thing I have run across is once I change the user's IP address so they can connect, the next day they cannot connect to the internet from home. What I have done is talked to their ISP and had some changes made for the user's router IP. It is a pain, but the only thing I found that worked so far without redoing the network. So far I have been lucky and all ISPs have worked with me on changing the IP address.

Discuss This Question: 11 Replies

  • Howard2nd
    I sometimes confuse easily. 192.168.xxx.yyy is non-routable and therefore the workstation has to go through a translation proxy to get an 'outside address' for the internet et al. Right? The VPN client tunnels through that outside address on a port (IP) to the VPN server/appliance where the connection gets an 'internal address' for the local network. Right? You seem to be saying that if the 'internal' address space is also 192.168.xxx.yyy the VPN fails. I have several people using VPN and have not seen this happen since both ends are translated to outside addresses. (i.e., Sprint DSL in central Florida uses a 'smart' modem and gives a 192 address internally, BUT it has a real outside address and it works fine for VPN.) Since the VPN host never sees the "local" address for the client, only the internet address, how would it know if the address spaces are the same or overlapping?
  • Boardinhank
    We have some issues with that as well, although changing your network to something less used than the 192. range, like a 10.0 range, would be a great idea. We utilize NAT for people that come in over VPN and make the services they need (i.e., mail and intranet access) resolve to a special range, like so: if your internal email server was 192.168.0.10, we have our VPN clients set to use a special DNS server that tells them the address is 192.168.100.10, and then let the firewall NAT the traffic from .100.10 to .0.10 and they are none the wiser. This is a per-service instance, but depending on what access they need it might be a quick fix vs. the topology change of your network, which is still the best thing to look at doing down the road.
  • Larrythethird
    Howard2nd is right. 192.168.x.y numbers go only as far as the internal routers. To go any farther, they HAVE to be NAT'd. I would have to say you have some ISP issues here. It would be on par with how some web email servers cannot talk to others (try sending an email from yahoo.com to earthlink.net). Usually a bad route or a misconfigured service at the ISP.
  • Howard2nd
    In an upstream question about 'VPN on the same subnet' I got a CLUE. I have had a long couple of days from other problems (slow network). The better your VPN solution, the worse the problem will be. A - VPN will not work on the same subnet. Two machines in the same address space will never use the tunnel; why would they? They can establish an encrypted connection, but by a different process. In essence, direct is one hop through a switch and VPN would appear as a three-hop connection; network traffic defaults to the least-hop path. B - The better your solution, the closer it gets to object encapsulation (i.e., resolution at the MAC address level). Thusly a good system sees the incoming internet address and works, BUT a better system sees the underlying host address and drops the connection. Hoist by thine own petard. C - A quick check here (UF) shows that sometimes better isn't. Good luck.
  • RonJon
    Thank you all for your help to date. It appears that there are two different understandings of the issue, so I will try to clarify: 1. My query is for an on-demand VPN, not site-to-site VPN, so the ISP is not involved. 2. Ideally, the user would have full access to the foreign network AT THE SAME TIME as the corporate network with the same address range. For example, say the user has a home network with a network-attached printer at the same address as their mail server has on the corporate network. How can they be online w/ the mail server and print a msg. to their home printer? 3. If I were to change my corporate private network (192.168.xxx.yyy) to another private network, does anyone have any suggestions on what other network to use? Someone mentioned 10.0.xxx.yyy, but that seems to be the second-favorite default range of SOHO routers (older D-Links, if I recall correctly). And is it true that no matter what private network I change it to, there is the possibility that a foreign network could be using the same range? If I were to use, e.g., 192.168.131.yyy, that probability is a lot lower than with 192.168.0.yyy, but it is still there, right? The irony of any suggestion is that by mentioning it, that immediately makes it a less-desirable network, but I'll take any suggestions. Finally, how can I find out what the legal, private network addresses are? Thanks again for all the advice.
  • Jaysea
    RFC1918 Address Allocation for Private Internets. http://www.faqs.org/rfcs/rfc1918.html
  • Alan32
    I have the same situation as Howard2nd, somewhat. I agree that 192.168.x.x is a private address and therefore is non-routable over the internet. I connect to a SOHO broadband wireless router with the default of 192.168.1.1; this is only an internal address on my side of the box, not to the world. The only address I see when doing an ipconfig command is the 192.168.xxx.xxx assigned by my broadband router. The cable modem gets another address for internet access. On the VPN side, my VPN client is Cisco and when connecting to the corporate network via VPN tunnel, it shows up as a separate adapter, although it's not physically a separate adapter. It appears in ipconfig output as an adapter with the corporate-assigned address for connecting to the corporate network.
  • Wdorciak
    We use 172.20.x.x for our internal network; so far we came across one hotel chain (some Marriotts) that uses that range for their high speed internet access. I am not sure if you will be able to access both the local and remote network at the same time. Might be one or the other. The issue seems to be that a user connects to a network outside the company (home, on the road) and gets an IP address from that network on the LAN (WiFi) interface. Later on, a VPN connection is established and a new interface is created that (under Windows XP) might have the same route metric as the LAN interface (try route print from the command prompt, look to the right). Windows XP uses the route metric to determine the interface over which to send the packets. The metric value is assigned based on the interface speed. For example, 100BaseT would have 20, 54 Mbps WiFi would have a value of 25. My thought was to use ROUTE CHANGE after the VPN connection is established to make the metric on that interface lower than the LAN interface, therefore network traffic should use the VPN connection. I also tried the VPN setting to use the default gateway on the remote network (all traffic goes over the VPN connection), but it does not seem to work if networks use the same address range. I do not think that route metric works the same under Windows 2000.
  • MennoT
    Partly, the problem is inherent to the use of private IP addresses and thus unsolvable. Private IP addresses according to RFC1918 are by definition intended for anyone to use in a closed, private environment, and when you interconnect such environments, you're likely to get into conflict situations. Nevertheless, it is possible to circumvent the problems, more or less, especially when the complete environment is in one hand. 1) On the corporate level, an IP allocation plan should be devised that allocates the available private IP address space in a clever way. The number of private addresses is huge: one class A network (10.0), a set of class B networks (172.16 - 172.31) and a set of class C nets (192.168). This should be enough for any practical situation. Any site should be assigned a range, taking into account possible future growth. 2) Standardization on hardware can help too. Simple and cheap routers do have limitations on the IP addresses that can be used, such as being restricted to 192.168.1.x; more professional devices don't have such limitations. It might be sensible to consider the purchase of equipment without limitations in this area. Spending a few more bucks on good equipment can easily balance the cost of additional efforts connected with the use of cheap equipment with limited capabilities. 3) Use DHCP for all devices, even servers (including printers/print servers); assign fixed addresses to the latter via the DHCP config file. This allows you to make quick changes from a central point. Also, using DHCP-assigned IP addresses prevents conflicts with fixed addresses configured for a home environment. 4) NAT can help resolve IP address conflicts, but some protocols/applications are incompatible with it; avoid it when possible.
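Boardinhank's NAT-plus-DNS trick and the renumbering question RonJon raises (which ranges are legitimately private per RFC1918, and which collide with SOHO defaults) can both be checked with a short script. This is an added example, not code from the thread; the list of SOHO default ranges, the service addresses and the 192.168.100.0/24 "presented" range are constructed assumptions.

```python
# Added example: checks a candidate corporate range against RFC1918 and
# against typical SOHO defaults, then builds the per-service NAT/DNS tables
# Boardinhank describes. Address lists below are constructed assumptions.
import ipaddress

RFC1918 = [ipaddress.ip_network(b)
           for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed default LAN ranges of common home routers (constructed list).
SOHO_DEFAULTS = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def is_rfc1918(net):
    """True only if the whole network lies inside one RFC1918 block."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)


def conflicts(corp, others=SOHO_DEFAULTS):
    """Ranges in `others` that overlap `corp`: on such a LAN the client's
    local route shadows the tunnel route for corporate hosts."""
    corp = ipaddress.ip_network(corp)
    return [str(n) for n in others if corp.overlaps(n)]


def nat_plan(corp, presented, services):
    """Map each corporate service to a 'presented' address in a second,
    disjoint range (host part preserved). Returns (dns_overrides, nat_rules):
    the DNS table the VPN clients see, and the presented->real pairs the
    firewall must translate 1:1 on the inbound leg of the tunnel."""
    corp, presented = ipaddress.ip_network(corp), ipaddress.ip_network(presented)
    if corp.prefixlen != presented.prefixlen or corp.overlaps(presented):
        raise ValueError("presented range must be the same size and disjoint")
    dns, nat = {}, {}
    for name, real in services.items():
        real = ipaddress.ip_address(real)
        if real not in corp:
            raise ValueError(f"{name} ({real}) is not inside {corp}")
        fake = presented.network_address + (int(real) - int(corp.network_address))
        dns[name] = str(fake)
        nat[str(fake)] = str(real)
    return dns, nat


if __name__ == "__main__":
    print(conflicts("192.168.0.0/24"), conflicts("192.168.131.0/24"))
    print(nat_plan("192.168.0.0/24", "192.168.100.0/24",
                   {"mail": "192.168.0.10", "intranet": "192.168.0.20"}))
```

The presented range must itself avoid the home LAN, so a client on a 192.168.100.0/24 home network would still collide; pick it from a block you also check with conflicts().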
  • Stevesz
    First, let me say that I have not really done any work with IPsec. Now that we have that out of the way, I have read about it, and have learned that IPsec and NAT do not play well with each other. If one side is NAT'ed, then you can usually get away with it, but if both sides are NAT'ed, then you are in for headaches. There is, apparently, a workaround for this problem known as NAT-T or transparent NAT. I have yet to follow up on this, since I do think I am going to be getting involved in such a scenario before too long, but you may wish to pursue this path to see what it yields. Steve//
  • Patzo
    I was just up against the same problem and found a workaround using the same idea wdorciak had. The VPN is established fine. The problem is in Windows' routing of 192.168.0.0 via the VPN and not the LAN (I am using XP). My users use the VPN just to connect to a file server. After they establish the VPN they run a batch file to connect their network drive. I just needed to add an entry to the client's routing table to route 192.168.0.0 traffic through the VPN interface, not through the LAN. You will need to know the IP address that the VPN interface will be assigned when connected, or the DHCP range. The command is:
    route add 192.168.0.0 mask 255.255.255.0 10.250.250.101 metric 1
    192.168.0.0 mask 255.255.255.0 is the office network (same address as the user's home), 10.250.250.101 is the VPN interface, and metric 1 assigns the lowest metric to this route so that 192.168.0.0 traffic is routed through the VPN interface first. The obvious side effect is that local network resources are not available for the duration of the connection, but that is not an issue for our users yet. To automate this in a batch file I just added a line for each of the first 10 possible VPN addresses. Only the one that matches the assigned VPN address will be able to add to the routing table. Now I don't have to worry about changing my subnet or the odds of the next guy choosing the same subnet.
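Wdorciak's and Patzo's posts both come down to how Windows picks a route when two interfaces carry the same prefix. The following added example (not code from the thread; the interfaces, addresses and metrics are constructed from the values quoted above) models that selection as longest prefix first, then lowest metric, and shows both why the metric-1 route makes the tunnel win and the side effect Patzo mentions: a home printer on the same range is sent into the tunnel too.

```python
# Added example: a minimal model of the route lookup Windows performs
# (most specific prefix, then lowest metric) applied to a client whose home
# LAN and corporate LAN are both 192.168.0.0/24. All values are constructed.
import ipaddress

# (destination prefix, interface, metric); metrics follow the XP link-speed
# defaults quoted in the thread (20 for 100BaseT, 25 for 54 Mbps WiFi).
BEFORE = [
    ("0.0.0.0/0",       "LAN", 20),
    ("192.168.0.0/24",  "LAN", 20),   # connected route for the home LAN
    ("10.250.250.0/24", "VPN", 25),   # the VPN adapter's own range
    ("192.168.0.0/24",  "VPN", 25),   # pushed by the client; same prefix, loses on metric
]

# Patzo's workaround: the same prefix via the VPN adapter with metric 1.
AFTER = BEFORE + [("192.168.0.0/24", "VPN", 1)]


def select_route(routes, dst):
    """Return the interface that carries traffic to dst."""
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), iface, metric)
                  for p, iface, metric in routes
                  if ip in ipaddress.ip_network(p)]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    _, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return iface


def demo():
    mail, home_printer = "192.168.0.10", "192.168.0.50"
    return {
        "mail_before":    select_route(BEFORE, mail),          # LAN: tunnel bypassed
        "mail_after":     select_route(AFTER, mail),           # VPN: fix works
        "printer_before": select_route(BEFORE, home_printer),  # LAN: printer reachable
        "printer_after":  select_route(AFTER, home_printer),   # VPN: printer lost
    }


if __name__ == "__main__":
    for name, iface in demo().items():
        print(f"{name:15} -> {iface}")
```

The model ignores the extra default route a VPN client installs when "use default gateway on remote network" is set, which is why that setting alone does not help with an overlapping /24: both connected routes still tie on prefix length.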
