[vpn] Site-to-site VPNs to same networks

Stephen Hope Stephen.Hope at energis.com
Mon Jul 15 07:31:16 EDT 2002


Tina,

I have built a couple of "extranet" style systems like this over the past couple
of years, for remote monitoring and for travel, so I stumbled across the
same issue.

The solution we came up with is to design out the problem.

In the systems I was involved in, all the customers had to talk to common
central servers.

It isn't well known, but the Internet address allocation rules do not require
that you use allocated address space for an Internet connected network - all
you need is a justification for needing unique addresses - and this kind of
requirement is a classic use of such.

So, we got some Internet allocated address space and used that for the
common network. That way, anyone who conflicts is trying to use address space
we "own", so they need to change.

Stephen 

-----Original Message-----
From:	Tina Bird [mailto:tbird at precision-guesswork.com]
Sent:	Wednesday, July 10, 2002 9:09 PM
To:	Watson, Travis
Cc:	'Siddhartha Jain'; vpn at securityfocus.com
Subject:	RE: [vpn] Site-to-site VPNs to same networks

The way I read Siddhartha's message, he is concerned that the >internal<
networks are addressed out of the same range.  If that's the case, the use
of the external address isn't going to fix things -- because there's no
way to do the routing.  Remember that the local system has to know to send
traffic destined for the remote private network to the VPN gateway.  If
both the local and remote LANs are addressed from, say,
192.168.16.0/24, there's no way to route.

The answer there being, co-operation between network admins on both sides.
Oh joy.  I've been looking for a better answer for years, but no luck.

tbird

"The road of excess leads to the palace of wisdom."
                                  William Blake, "Proverbs of Hell"

http://www.shmoo.com/~tbird
Log Analysis http://www.counterpane.com/log-analysis.html
VPN http://vpn.shmoo.com

On Wed, 10 Jul 2002, Watson, Travis wrote:

> Siddhartha,
>
> I'm not quite sure what you are asking, but it sounds like you just have
> to ask the distant end what IP address they are using as an outside
> interface.  Presumably, that is not going to be difficult, but I don't
> know if you have a contact at the distant end.
>
> Regarding your second concern, the endpoint IP address (outside interface)
> can't be in the same subnet as the LAN it is protecting.  If you have
> limited IP space, you can use the public IPs for external interfaces and
> give 10.x.x.x and/or 192.168.x.x to the internal nets.  Then have the
> internal nets NAT to a smaller, public IP range when going across the
> tunnel so you can route them on either side.
>
> Hope that helps.
>
> --Travis
>
> -----Original Message-----
> From: Siddhartha Jain [mailto:losttoy2000 at yahoo.co.uk]
> Sent: Wednesday, July 10, 2002 6:22 AM
> To: vpn at securityfocus.com
> Subject: [vpn] Site-to-site VPNs to same networks
>
>
> Hi,
>
> I need to establish site-to-site IPSec tunnels to
> remote networks whose IP addressing is not determined
> by me. These networks might use the same IP address
> pools for their LANs.
>
> How do I configure my VPN device in such a scenario?
>
> Regards,
>
> Siddhartha
>
>
> VPN is sponsored by SecurityFocus.com


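The two technical points in this thread, Tina's (two LANs numbered from the same range leave the local host with no way to tell "remote" from "on-link", so no route can be installed) and Travis's (translate each side's overlapping LAN 1:1 into a unique range before it enters the tunnel, and route those translated ranges), can be walked through in code. The following is an added example, not code posted by any participant on the list: it checks whether two LAN prefixes collide, performs the network-to-network (NETMAP style) translation, verifies that the translated ranges are unique with respect to both LANs, and follows one packet from a host at site A to a host at site B. The 192.168.16.0/24 prefix is the one from Tina's message; the two translation ranges 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation prefixes standing in for whatever unique ranges the two sites would actually obtain, and the host addresses are constructed for the walk-through.

```python
"""Overlapping LANs across a site-to-site tunnel: detect the collision,
then resolve it with 1:1 network translation on each VPN gateway.

Added example; all prefixes and hosts below are constructed or are
documentation ranges, not real deployment values.
"""
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def lans_collide(local_lan: str, remote_lan: str) -> bool:
    """True when the two LAN prefixes overlap. A host on either side then
    sees the remote range as on-link, so no route to the tunnel can work."""
    a = ipaddress.ip_network(local_lan, strict=False)
    b = ipaddress.ip_network(remote_lan, strict=False)
    return a.overlaps(b)


def netmap(addr: str, real_net: str, translated_net: str) -> str:
    """1:1 network-to-network translation: keep the host bits of `addr`,
    swap the prefix of `real_net` for that of `translated_net`."""
    real = ipaddress.ip_network(real_net, strict=False)
    xlat = ipaddress.ip_network(translated_net, strict=False)
    if real.prefixlen != xlat.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    ip = ipaddress.ip_address(addr)
    if ip not in real:
        raise ValueError(f"{addr} is not inside {real_net}")
    host_bits = int(ip) - int(real.network_address)
    return str(xlat.network_address + host_bits)


def tunnel_routes(a_lan: str, b_lan: str, a_xlat: str, b_xlat: str) -> dict:
    """Confirm the translated ranges are unique against every other prefix
    (the two LANs are allowed to overlap each other; that is the problem
    being solved) and return the static route each gateway installs."""
    named = {
        "A LAN": ipaddress.ip_network(a_lan, strict=False),
        "B LAN": ipaddress.ip_network(b_lan, strict=False),
        "A translated": ipaddress.ip_network(a_xlat, strict=False),
        "B translated": ipaddress.ip_network(b_xlat, strict=False),
    }
    for (n1, p1), (n2, p2) in itertools.combinations(named.items(), 2):
        if {n1, n2} == {"A LAN", "B LAN"}:
            continue
        if p1.overlaps(p2):
            raise ValueError(f"{n1} ({p1}) overlaps {n2} ({p2})")
    # Each side routes the *other* side's translated range into the tunnel;
    # its own real LAN stays directly connected and never appears remotely.
    return {"A": {b_xlat: "tunnel"}, "B": {a_xlat: "tunnel"}}


def walk(pkt: Packet, a_lan: str, b_lan: str, a_xlat: str, b_xlat: str):
    """Follow a packet sent by a site A host to a site B host. The A host
    addresses the B host by its translated address, so the destination is
    off-link and goes to the A gateway. Returns (on the wire, as delivered)."""
    # Gateway A: source NAT outbound so B's side sees a unique source.
    on_wire = Packet(src=netmap(pkt.src, a_lan, a_xlat), dst=pkt.dst)
    # Gateway B: destination NAT inbound back to the real B LAN address.
    delivered = Packet(src=on_wire.src, dst=netmap(on_wire.dst, b_xlat, b_lan))
    return on_wire, delivered


if __name__ == "__main__":
    A_LAN = B_LAN = "192.168.16.0/24"          # the collision from the thread
    A_XLAT, B_XLAT = "198.51.100.0/24", "203.0.113.0/24"  # placeholder unique ranges
    print("LANs collide:", lans_collide(A_LAN, B_LAN))
    print("routes:", tunnel_routes(A_LAN, B_LAN, A_XLAT, B_XLAT))
    wire, delivered = walk(Packet("192.168.16.10", "203.0.113.20"),
                           A_LAN, B_LAN, A_XLAT, B_XLAT)
    print("on the wire:", wire)
    print("delivered at B:", delivered)
```

The reply from the B host goes to 198.51.100.10, which is not on B's LAN, so it reaches B's gateway and the two translations are undone in reverse. The point Stephen makes still stands: this only works if the translated ranges are unique for everyone on the extranet, which is why `tunnel_routes` refuses any translated prefix that overlaps a LAN or the other translated prefix.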



