
Share subnet across VPN

(OP)
I don't know that this is even possible, but thought I'd see if anyone had ever gotten it to work.

I have two VPN devices I'm setting up an IPsec point-to-point tunnel on. The one device has a network 192.168.10.x/24 and I want to have a tunnel from that device to 3 servers at a remote location, each with IP addresses on that same subnet. I can't NAT them because these servers' IPs are custom coded into some software which would be difficult to change (software at main location). The servers also are not addressed in a way that subnetting 192.168.10.0/24 would be helpful.

Any ideas or suggestions? Is this possible?

Main Location
192.168.10.x/24 -(VPN Device)-------Tunnel------(VPN Device)-192.168.10.100, 192.168.10.200, 192.168.10.5

RE: Share subnet across VPN

What devices are you using for VPN endpoints? You could look at doing something l2tp/l2tpv3 or a Cisco router or ASA running ez-VPN in network extension mode.

RE: Share subnet across VPN

The problem that I see with what you're trying to do is that you have the same subnet on both sides of the VPN interface. Consequently, when a packet is to be sent out, there is no way to tell if it should be sent to the VPN or to the local net. At worst, this could cause all traffic on the network to fail due to routing conflicts, and at best all traffic will go to the route with the lower metric, which would likely be your local network.

One potential workaround would be to create specific static routes, one for each remote IP address, that specify that traffic for this IP, e.g. 192.168.10.100, goes through the VPN adapter rather than the ETH adapter. You would also need to blacklist these IP addresses on your local network so that you don't have a conflict.

RE: Share subnet across VPN

(OP)
Cisco ASA at one end and a Sonicwall NSA appliance at the other.

I don't see that there would be a real routing issue if it follows standard routing policy by going to the more specific route, and since a /32 or single-host route would be more specific than the /24 at the main location, it should route across the VPN tunnel. The question is whether the tunnel would even build, or whether the firewalls would choke and not build the tunnels because they are on the same network.

RE: Share subnet across VPN

Layer 2 VPN != Layer 3 VPN. In a layer 3 VPN such as a traditional IPSec tunnel you have issues with overlapping networks since you are relying on routing to find your destination across the tunnel. In a Layer 2 VPN you don't have the same problem since you are considered to be a simple extension to another network. It is very easy to do as long as your hardware provides support for it. Once again, look at l2tpv3.

RE: Share subnet across VPN

One more thing: your assumption about the /32 and the more specific prefix only holds true for traffic that is remote to the subnet in question. If you have 192.168.10.0/24 but then have a variety of 192.168.10.x/32 routes, such as 192.168.10.1/32, traffic will never be sent to the gateway, with the exception of broadcast traffic such as ARP. Host 192.168.10.100 wants to send traffic to host 192.168.10.1. Host .100 will perform a binary calculation on the destination IP address to see if it is local to its segment or if it needs to send the traffic to its gateway. Because .100 has a /24 it sees .1 as being in the same broadcast domain. .100 now sends an ARP request to determine what .1 has for a MAC; this is where you can get into trouble. If your gateway has proxy ARP enabled it may respond on behalf of the .1/32, plus the local .1 on the /24 will respond with its MAC... you've got yourself a race condition and unpredictable traffic patterns.
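The two replies above (the per-host /32 workaround and the on-link/gateway decision an end host makes) can be checked with a small model of the lookup. The following is an added example, not code from the thread or from any Cisco or SonicWall product: it implements longest-prefix match over a routing table, reports whether a sender resolves the destination itself or hands the packet to its gateway, and models the condition under which a proxy-ARP router would answer for an address. It goes slightly beyond the thread by also showing the /32 installed on the host itself. All addresses, tables and interface names (eth0, inside, tun0) are constructed for illustration; the tunnel is treated as point-to-point, so its /32 routes are on-link with nothing to ARP for.

```python
"""
Added example (not from the thread): models the forwarding decision described
in the reply above. A host does longest-prefix match over its own table; when
the winning route is a connected (on-link) one it ARPs for the destination
directly and its gateway is never consulted, so a /32 configured only on the
VPN device does not change what the host does. Tables, addresses and
interface names are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    via: Optional[ipaddress.IPv4Address] = None  # None means on-link (connected)


def route(prefix: str, iface: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.IPv4Network(prefix), iface,
                 ipaddress.IPv4Address(via) if via else None)


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def next_hop(table: List[Route], dst: str) -> Tuple[str, str]:
    """Return (egress interface, address the sender must resolve to a MAC).

    On an on-link route the sender resolves dst itself (ARP on that segment);
    on a gateway route it resolves the gateway instead.
    """
    best = lookup(table, dst)
    resolve = best.via if best.via is not None else ipaddress.IPv4Address(dst)
    return best.iface, str(resolve)


def with_host_override(table: List[Route], dst: str, gateway: str, iface: str) -> List[Route]:
    """Copy of table with a /32 for dst via the gateway, i.e. the per-host
    static route installed on the end host rather than on the VPN device."""
    return table + [route(f"{dst}/32", iface, gateway)]


def would_proxy_arp(table: List[Route], arrival_iface: str, target: str) -> bool:
    """Proxy ARP (as Linux implements it) answers an ARP request seen on
    arrival_iface when the router's best route for the target leaves through
    a different interface. If a real host with that address also answers,
    the sender gets two replies: the race condition described above."""
    return lookup(table, target).iface != arrival_iface


# Constructed tables. A typical main-site host: connected /24 plus default route.
HOST_TABLE = [
    route("192.168.10.0/24", "eth0"),
    route("0.0.0.0/0", "eth0", via="192.168.10.1"),
]

# The main-site VPN device after the per-host /32 workaround: the three remote
# servers go out the tunnel interface, everything else stays on the LAN.
GATEWAY_TABLE = [
    route("192.168.10.0/24", "inside"),
    route("192.168.10.100/32", "tun0"),
    route("192.168.10.200/32", "tun0"),
    route("192.168.10.5/32", "tun0"),
]

if __name__ == "__main__":
    # Host sees .100 as on-link: it ARPs locally and never touches the gateway.
    print(next_hop(HOST_TABLE, "192.168.10.100"))      # ('eth0', '192.168.10.100')
    # Genuinely off-subnet traffic does go to the gateway ...
    print(next_hop(HOST_TABLE, "10.0.0.9"))            # ('eth0', '192.168.10.1')
    # ... and only there does the /32 steer it into the tunnel.
    print(next_hop(GATEWAY_TABLE, "192.168.10.100"))   # ('tun0', '192.168.10.100')
    # Installing the /32 on the host itself changes the host's decision.
    fixed = with_host_override(HOST_TABLE, "192.168.10.100", "192.168.10.1", "eth0")
    print(next_hop(fixed, "192.168.10.100"))           # ('eth0', '192.168.10.1')
    # Proxy ARP on the gateway would answer for .100 on the LAN, not for a local host.
    print(would_proxy_arp(GATEWAY_TABLE, "inside", "192.168.10.100"))  # True
    print(would_proxy_arp(GATEWAY_TABLE, "inside", "192.168.10.50"))   # False
```

The practical reading: a /32 on the VPN device only helps for packets that reach the device, so either every main-site host needs its own /32 routes (the `with_host_override` case) or the gateway must answer ARP for the remote addresses, at which point the remote hosts' addresses must be guaranteed unused on the local segment or the double-reply race appears.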
