[vpn] client-gateway (nat-nat)

Stephen Hope Stephen.Hope at energis.com
Mon Dec 17 09:36:52 EST 2001


I think you are asking how to fix a problem where you have the same address
range in 2 different private networks linked by the Internet.

If this is just a routed connection, then so long as both networks do
address translation before their traffic hits the common Internet, IP routing
will work.

However, if you link the separate networks with a VPN tunnel, then the tunnel
effectively joins the 2 private networks. If there are routing conflicts or
address overlaps, then routing within the networks cannot send packets in the
"right" direction.

The only fix for this is to:
1. organise addressing so that the overlaps don't occur.
2. make sure that the conflicting addresses are in parts of the
networks which don't send traffic to the "other" private network, so the
conflicts don't interfere.
3. put 2 sets of address translation between the overlapping networks.

So, if you have the same addresses in the 2 networks, then you need to do
address translation twice "outside" the VPN tunnel.

Or, you put all your servers and other public access systems which are
accessed from the other private network on an Internet-assigned address,
i.e. use a guaranteed unique address.



Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester , UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776
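The packet walk below is an added example, not part of the original thread or of any product mentioned in it. It models option 3 from the reply above: one 1:1 prefix translation on each side of the tunnel (the behaviour of iptables' NETMAP target), so that the tunnel only ever carries unique alias prefixes and neither site's routing table has to hold a route for a prefix it already uses itself. It also shows the failure case the question describes: without translation, the gateway's reply to a tunnel client whose address falls inside the gateway's own LAN prefix is routed to the LAN, not back into the tunnel. All addresses, alias prefixes and interface names are assumptions chosen for the illustration.

```python
"""Added example: why overlapping private ranges break a VPN and how a
1:1 prefix translation on each gateway (NETMAP-style) fixes it.
All prefixes, hosts and interface names below are assumptions."""
import ipaddress

# Both sites use the same private range, as in the question.
SITE_LAN = ipaddress.ip_network("192.168.1.0/24")
# Each site is presented to the other under a unique alias prefix that is
# the only thing carried inside the tunnel (assumed values).
ALIAS_A = ipaddress.ip_network("10.99.0.0/24")   # how site A appears to site B
ALIAS_B = ipaddress.ip_network("10.98.0.0/24")   # how site B appears to site A


def netmap(addr, src_net, dst_net):
    """1:1 prefix translation: keep the host bits, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen or addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def longest_match(routes, addr):
    """Plain longest-prefix-match lookup over (network, interface) pairs."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def reply_interface_without_translation(client_ip="192.168.1.10"):
    """Gateway B with no translation: the tunnel client's real address lies
    inside B's own LAN prefix, so B's reply is sent to the local LAN and
    never re-enters the tunnel."""
    routes_b = [(SITE_LAN, "lan"), (ipaddress.ip_network("0.0.0.0/0"), "internet")]
    return longest_match(routes_b, client_ip)


def walk_with_translation(client_ip="192.168.1.10", server_ip="192.168.1.50"):
    """Request and reply with a NETMAP step on each gateway, outside the
    tunnel. Returns (hop, src, dst) as seen at each hop."""
    routes_a = [(SITE_LAN, "lan"), (ALIAS_B, "tun")]
    routes_b = [(SITE_LAN, "lan"), (ALIAS_A, "tun")]
    hops = []
    # 1. The host at site A addresses the server by its alias, not by 192.168.1.50.
    src = ipaddress.ip_address(client_ip)
    dst = netmap(server_ip, SITE_LAN, ALIAS_B)
    hops.append(("A host -> A gw", str(src), str(dst)))
    assert longest_match(routes_a, dst) == "tun"
    # 2. Gateway A rewrites its own LAN source into alias A before encrypting.
    src = netmap(src, SITE_LAN, ALIAS_A)
    hops.append(("tunnel A -> B", str(src), str(dst)))
    # 3. Gateway B maps the alias destination back to the real server after decrypting.
    dst = netmap(dst, ALIAS_B, SITE_LAN)
    hops.append(("B gw -> B server", str(src), str(dst)))
    # 4. Reply: the server answers the alias client address, which B routes into the tunnel.
    src, dst = dst, src
    assert longest_match(routes_b, dst) == "tun"
    src = netmap(src, SITE_LAN, ALIAS_B)
    hops.append(("tunnel B -> A", str(src), str(dst)))
    # 5. Gateway A restores the real client address on the way out of the tunnel.
    dst = netmap(dst, ALIAS_A, SITE_LAN)
    hops.append(("A gw -> A host", str(src), str(dst)))
    return hops


if __name__ == "__main__":
    print("without translation, B's reply goes to:", reply_interface_without_translation())
    for hop in walk_with_translation():
        print(*hop)
```

The two assertions inside the walk are the routing checks that matter: at no point does either gateway have to look up an address that belongs to its own LAN prefix, because the overlapping range never crosses the tunnel. Hosts on each side address the remote site by its alias, which is the operational cost of the approach (DNS views or static entries usually hide it).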

> -----Original Message-----
> From: Salah Eddine Bohoudi [mailto:s.e.bohoudi at its.tudelft.nl]
> Sent: Saturday, December 15, 2001 12:32 AM
> To: vpn at securityfocus.com
> Subject: [vpn] client-gateway (nat-nat)
> hello everybody,
> I have a question about the following VPN scenario:
> Client -------------Nat---------------------------------GW---- Network
> The client must set up a VPN connection through the Nat device to the VPN
> termination point (GW).
> The client can have any possible address and the nat device is optional
> (allowing access to everybody with internet access).
> The problem arises if the client has a non-routable address, say in the range
> of range. Actually we can get this working through UDP encapsulation and we
> can indeed build a tunnel between the client and the GW through the NAT
> device. But when the packet is decrypted and de-encapsulated the GW faces the
> problem of the non-routable address, as the internal network can also have a
> private address in the same range. I hope that the point is clear and that
> somebody has a clean fix for this.
> Thanks in advance,
> Salah Eddine Bohoudi

This e-mail is from Energis plc, 50 Victoria Embankment, London, EC4Y 0DE, United 
Kingdom, No: 2630471.

This e-mail is confidential to the addressee and may be privileged. The views 
expressed are personal and do not necessarily reflect those of Energis. If you are not 
the intended recipient please notify the sender immediately by calling our switchboard on 
+44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward 
all or any of it in any form.


VPN is sponsored by SecurityFocus.com
