[vpn] Site-to-site VPNs to same networks
Stephen J Bevan
stephen at etunnels.com
Wed Jul 10 20:28:07 EDT 2002
Siddhartha Jain writes:
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?
Generally the answer is you don't unless you are prepared to renumber
the networks.
However, you can make it work if :-
* both VPN devices support NAT at the right point in the stack.
* you can get the cooperation of the person setting up the VPN at the
remote network to install some NAT rules on the VPN device.
* you don't need to support any protocols that break if they are run
over NAT.
For example, assume you have two sites A and B which use the same
private range (192.168.1.0/24) :-
             A                                          B
192.168.1.0/24 : 1.1.1.1 --- internet --- 2.2.2.2 : 192.168.1.0/24
If you can agree on some address space that neither side is using
then you can NAT each private range to a new range. Assuming that
10.0.0.0/16 is free then we'd have the following mappings :-
A = 192.168.1.0/24 <-> 10.0.1.0/24
B = 192.168.2.0/24 <-> 10.0.2.0/24
So if A wants to send traffic to B then it is addressed to 10.0.2.0/24.
To make sure that B can reply, A must do source NAT for outbound
packets so that although the packet is coming from 192.168.1.0/24, B
will see it as coming from 10.0.1.0/24. Similarly B does source
NAT of 192.168.1.0/24 to 10.0.2.0/24 for outbound packets.
Depending on where exactly NAT is done relative to IPsec in your VPN
device then A would either have security policy entries of the form :-
192.168.1.0/24 -> 10.0.2.0/24 via 1.1.1.1
or :-
10.0.1.0/24 -> 10.0.2.0/24 via 1.1.1.1
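The scheme above, as an added worked example that is not part of the list post and not the configuration of any particular VPN product: a small Python simulation of the two-way 1:1 ("netmap") NAT for overlapping LANs. It takes the post's setup (both sites on 192.168.1.0/24, A presented to B as 10.0.1.0/24, B presented to A as 10.0.2.0/24, gateways 1.1.1.1 and 2.2.2.2) and walks one request and its reply through source NAT at the sender, destination NAT at the receiver, and back. The host addresses (.5 at A, .7 at B) and all names (`Site`, `netmap`, `round_trip`, `spd_entry`) are constructed for this example; `spd_entry` reproduces the two policy-entry forms the post gives, depending on whether IPsec sees pre-NAT or post-NAT addresses.

```python
"""Simulate double 1:1 NAT across an IPsec tunnel between sites whose
LANs overlap.  Constructed example: both sites use 192.168.1.0/24,
site A is shown to B as 10.0.1.0/24 and B is shown to A as 10.0.2.0/24.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


def netmap(addr: IPv4, from_net: str, to_net: str) -> IPv4:
    """1:1 prefix translation: swap the network part, keep the host bits.

    Addresses outside from_net are returned unchanged, so the same
    function can be applied to every packet on an interface."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap needs two ranges of the same size")
    if addr not in src:
        return addr
    host_bits = int(addr) - int(src.network_address)
    return dst.network_address + host_bits


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


@dataclass
class Site:
    name: str
    lan: str         # the real LAN range (identical at both sites)
    alias: str       # how this LAN is presented to the peer
    peer_alias: str  # how the peer's LAN is presented to us
    gateway: str     # public address of this site's VPN device

    def outbound(self, pkt: Packet) -> Packet:
        # Source NAT: the peer must see our hosts in the alias range,
        # otherwise its reply would be delivered into its own LAN.
        return Packet(netmap(pkt.src, self.lan, self.alias), pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        # Destination NAT: the peer addressed our alias range;
        # map the address back onto the real host.
        return Packet(pkt.src, netmap(pkt.dst, self.alias, self.lan))

    def spd_entry(self, nat_before_ipsec: bool) -> str:
        # The IPsec selector must name the addresses the packet carries at
        # the point IPsec sees it: the alias if NAT ran first, else the LAN.
        local = self.alias if nat_before_ipsec else self.lan
        return f"{local} -> {self.peer_alias} via {self.gateway}"


def reply_would_stay_local(site: Site, reply_dst: str) -> bool:
    """Why NAT is needed at all: without it a reply to 192.168.1.x from a
    host at the other site is a destination on that site's own LAN."""
    return IPv4(reply_dst) in ipaddress.ip_network(site.lan)


def round_trip(a: Site, b: Site, a_host: str, b_host_as_seen_from_a: str):
    """One request from a host at A to a host at B and the reply back.
    Returns (packet as delivered at B, reply as delivered at A)."""
    request = Packet(IPv4(a_host), IPv4(b_host_as_seen_from_a))
    on_wire = a.outbound(request)               # src rewritten to A's alias
    delivered = b.inbound(on_wire)              # dst rewritten to B's real host
    reply = Packet(delivered.dst, delivered.src)  # host at B answers what it saw
    reply_on_wire = b.outbound(reply)           # src rewritten to B's alias
    reply_delivered = a.inbound(reply_on_wire)  # dst rewritten to A's real host
    return delivered, reply_delivered


SITE_A = Site("A", "192.168.1.0/24", "10.0.1.0/24", "10.0.2.0/24", "1.1.1.1")
SITE_B = Site("B", "192.168.1.0/24", "10.0.2.0/24", "10.0.1.0/24", "2.2.2.2")

if __name__ == "__main__":
    delivered, reply = round_trip(SITE_A, SITE_B, "192.168.1.5", "10.0.2.7")
    print("B's host sees request :", delivered.src, "->", delivered.dst)
    print("A's host sees reply   :", reply.src, "->", reply.dst)
    print("without NAT, B's reply to 192.168.1.5 stays local:",
          reply_would_stay_local(SITE_B, "192.168.1.5"))
    for nat_first in (False, True):
        print(f"A's policy entry (NAT before IPsec={nat_first}):",
              SITE_A.spd_entry(nat_first))
```

Running it shows the request arriving at B's host as `10.0.1.5 -> 192.168.1.7` and the reply landing at A as `10.0.2.7 -> 192.168.1.5`, so neither end ever sees the other's real 192.168.1.x addresses; the `reply_would_stay_local` check is the failure the post's first answer ("you don't, unless you renumber") is about.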