[vpn] Site-to-site VPNs to same networks

Stephen J Bevan stephen at etunnels.com
Wed Jul 10 20:28:07 EDT 2002


Siddhartha Jain writes:
 > I need to establish site-to-site IPSec tunnels to
 > remote networks whose IP addressing is not determined
 > by me. These networks might use the same IP address
 > pools for their LANs.
 > 
 > How do I configure my VPN device in such a scenario?

Generally the answer is you don't unless you are prepared to renumber
the networks.

However, you can make it work if :-

* both VPN devices support NAT at the right point in the stack.

* you can get the cooperation of the person setting up the VPN at the
  remote network to install some NAT rules on the VPN device.

* you don't need to support any protocols that break if they are run
  over NAT.

For example, assume you have two sites A and B which use the same
private range (192.168.1.0/24) :-

                 A                                    B
  192.168.1.0/24 : 1.1.1.1   --- internet --- 2.2.2.2 : 192.168.1.0/24

If you can agree on some address space that neither side is using
then you can NAT each private range to a new range.  Assuming that
10.0.0.0/16 is free then we'd have the following mappings :-

   A = 192.168.1.0/24 <-> 10.0.1.0/24
   B = 192.168.2.0/24 <-> 10.0.2.0/24

So if A wants to send traffic to B then it is addressed to 10.0.2.0/24.
To make sure that B can reply, A must do source NAT for outbound
packets so that although the packet is coming from 192.168.1.0/24, B
will see it as coming from 10.0.1.0/24.  Similarly B does source
NAT of 192.168.1.0/24 to 10.0.2.0/24 for outbound packets.

Depending on where exactly NAT is done relative to IPsec in your VPN
device, A would either have security policy entries of the form :-

  192.168.1.0/24 -> 10.0.2.0/24 via 1.1.1.1

or :-

  10.0.1.0/24 -> 10.0.2.0/24 via 1.1.1.1
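A worked model of the double NAT sketched above, added here as an example (it is not code from the post, nor from any VPN product). It uses the post's addressing (both LANs on 192.168.1.0/24, A mapped to 10.0.1.0/24 and B to 10.0.2.0/24) and assumes the NAT-before-IPsec ordering, so the security policy selectors come out in the second form shown. Class and function names are hypothetical; the 1:1 prefix swap is the same idea as an iptables NETMAP rule.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario from the post: sites A and B both use 192.168.1.0/24,
# and the agreed-on free space 10.0.0.0/16 is carved so that A is seen by B as
# 10.0.1.0/24 and B is seen by A as 10.0.2.0/24.
REAL_LAN = "192.168.1.0/24"
A_MAPPED = "10.0.1.0/24"
B_MAPPED = "10.0.2.0/24"


def netmap(addr, from_net, to_net):
    """1:1 prefix swap that keeps the host bits (the NETMAP idea): 192.168.1.5
    under 192.168.1.0/24 -> 10.0.1.0/24 becomes 10.0.1.5. Returns a string."""
    ip = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 mapping needs equal-sized prefixes")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    host_bits = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + host_bits))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class SiteVpn:
    """Hypothetical model of one site's VPN device doing NAT *before* IPsec,
    so the security policy selectors are written in mapped address space."""

    def __init__(self, name, real_net, own_mapped, peer_mapped):
        self.name = name
        self.real = ipaddress.ip_network(real_net)
        self.own = ipaddress.ip_network(own_mapped)
        self.peer = ipaddress.ip_network(peer_mapped)

    def outbound(self, pkt):
        """LAN -> tunnel: only traffic addressed to the peer's mapped range is
        tunnelled; its source is NATed real -> own mapped so the peer can reply."""
        if ipaddress.ip_address(pkt.src) not in self.real:
            raise ValueError(f"{self.name}: source {pkt.src} is not on the local LAN")
        if ipaddress.ip_address(pkt.dst) not in self.peer:
            raise ValueError(f"{self.name}: {pkt.dst} does not match the tunnel selector")
        return Packet(netmap(pkt.src, str(self.real), str(self.own)), pkt.dst)

    def inbound(self, pkt):
        """tunnel -> LAN: destination NATed own mapped -> real; the source stays
        in the peer's mapped range, which is what the local host replies to."""
        if ipaddress.ip_address(pkt.src) not in self.peer:
            raise ValueError(f"{self.name}: unexpected tunnel source {pkt.src}")
        if ipaddress.ip_address(pkt.dst) not in self.own:
            raise ValueError(f"{self.name}: {pkt.dst} is not our mapped range")
        return Packet(pkt.src, netmap(pkt.dst, str(self.own), str(self.real)))

    def selector(self):
        """Security policy entry in the NAT-before-IPsec form given in the post."""
        return f"{self.own} -> {self.peer}"


def mapped_ranges_are_disjoint(*nets):
    """The mapped ranges must overlap neither each other nor the real LAN,
    otherwise hosts cannot tell local addresses from remote ones."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def round_trip(a_host="192.168.1.5", b_host_as_seen_from_a="10.0.2.7"):
    """Follow one request from an A host to a B host and the reply back,
    recording how the addresses look at each hop."""
    a = SiteVpn("A", REAL_LAN, A_MAPPED, B_MAPPED)
    b = SiteVpn("B", REAL_LAN, B_MAPPED, A_MAPPED)
    request = Packet(a_host, b_host_as_seen_from_a)
    on_wire = a.outbound(request)                # 10.0.1.5 -> 10.0.2.7 inside the tunnel
    at_b_lan = b.inbound(on_wire)                # 10.0.1.5 -> 192.168.1.7 on B's LAN
    reply = Packet(at_b_lan.dst, at_b_lan.src)   # the B host answers the mapped address
    reply_wire = b.outbound(reply)               # 10.0.2.7 -> 10.0.1.5 inside the tunnel
    at_a_lan = a.inbound(reply_wire)             # 10.0.2.7 -> 192.168.1.5 on A's LAN
    return {
        "on_wire": (on_wire.src, on_wire.dst),
        "at_b_lan": (at_b_lan.src, at_b_lan.dst),
        "reply_wire": (reply_wire.src, reply_wire.dst),
        "at_a_lan": (at_a_lan.src, at_a_lan.dst),
        "selectors": {"A": a.selector(), "B": b.selector()},
    }


def real_destination_is_not_tunnelled():
    """An A host that addresses 192.168.1.7 directly never matches the tunnel
    policy: that address is local to A, which is why the mapped range exists."""
    a = SiteVpn("A", REAL_LAN, A_MAPPED, B_MAPPED)
    try:
        a.outbound(Packet("192.168.1.5", "192.168.1.7"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for hop, addrs in round_trip().items():
        print(hop, addrs)
```

Running the script prints the source/destination pair at each hop; the point to check in a real deployment is the same one the model enforces: hosts on each LAN must address the other side by its mapped range, the reply naturally targets the mapped source, and the selectors on both devices are written in mapped space when NAT precedes IPsec. Protocols that carry addresses in their payload still break, as the post notes, because this translation touches only the IP header.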
