
Share subnet across VPN


jschreiner

Vendor
Feb 27, 2012
12
US
I don't know that this is even possible, but thought I'd see if anyone had ever gotten it to work.

I have two VPN devices I'm setting up an IPsec point-to-point tunnel on. The one device has a network 192.168.10.x/24 and I want to have a tunnel from that device to 3 servers at a remote location, each with IP addresses on that same subnet. I can't NAT them because these servers' IPs are custom coded into some software which would be difficult to change (software at main location). The servers also are not addressed in a way that subnetting 192.168.10.0/24 would be helpful.

Any ideas or suggestions. Is this possible?

Main Location
192.168.10.x/24 -(VPN Device)-------Tunnel------(VPN Device)-192.168.10.100, 192.168.10.200, 192.168.10.5

What devices are you using for VPN endpoints? You could look at doing something l2tp/l2tpv3 or a Cisco router or ASA running ez-VPN in network extension mode.

 
The problem that I see with what you're trying to do is that you have the same subnet on both sides of the VPN interface. Consequently, when a packet is to be sent out, there is no way to tell if it should be sent to the VPN or to the local net. At worst, this could cause all traffic on the network to fail due to routing conflicts, and at best all traffic will go to the route with the lower metric, which would likely be your local network.

One potential workaround would be to create specific static routes, one for each remote IP address, that specify that traffic for this IP, e.g. 192.168.10.100, goes through the VPN adapter rather than the ETH adapter. You would also need to blacklist these IP addresses on your local network so that you don't have a conflict.
 
Cisco ASA at one end and a Sonicwall NSA appliance at the other.

I don't see that there would be a real routing issue if it follows standard routing policy by going to the more specific route and since routing a /32 or single host would be more specific than the /24 at the main location it should route across the vpn tunnel. The question is would the tunnel even build or would the firewalls choke and not build the tunnels because they are on the same network?

 
Layer 2 VPN != Layer 3 VPN. In a layer 3 VPN such as a traditional IPSec tunnel you have issues with overlapping networks since you are relying on routing to find your destination across the tunnel. In a Layer 2 VPN you don't have the same problem since you are considered to be a simple extension to another network. It is very easy to do as long as your hardware provides support for it. Once again, look at l2tpv3.

 
One more thing: your assumption about the /32 and the more specific prefix only holds true for traffic that is remote to the subnet in question. If you have 192.168.10/24 but then have a variety of 192.168.10.x/32, such as 192.168.10.1/32, traffic will never be sent to the gateway, with the exception of broadcast traffic such as ARP. Host 192.168.10.100 wants to send traffic to host 192.168.10.1. Host .100 will perform a binary calculation on the destination IP address to see if it is local to its segment or if it needs to send the traffic to its gateway. Because .100 has a /24 it sees .1 as being in the same broadcast domain. .100 now sends an ARP request to determine what .1 has for a MAC; this is where you can get into trouble. If your gateway has proxy ARP enabled it may respond on behalf of the .1/32, plus the local .1/24 will respond with its MAC... you've got yourself a race condition and unpredictable traffic patterns.
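
The two decisions argued about above (the gateway's longest-prefix match that makes per-host /32 tunnel routes win over the connected /24, versus a host's own on-link check that bypasses the gateway entirely, and the proxy-ARP race that follows) can be modelled in a few lines. This is an added example written for this page, not code from the thread or from either vendor's product; the routing tables, host addresses and interface names (eth0, vpn0, lan0) are constructed assumptions, and the ARP model is a simplification that only counts who would answer a request.

```python
"""Constructed model of the routing decisions discussed in the thread.

A gateway forwards on the most specific matching route, so per-host /32
routes into the tunnel do beat the connected /24.  A host, however, first
checks whether the destination lies inside its own subnet mask; if so it
ARPs for it directly and the gateway's /32 routes are never consulted.
"""
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Routing tables as (prefix, egress interface) pairs.  Interface names and
# the tables themselves are assumptions for this example, not from the thread.
MAIN_GATEWAY_ROUTES = [
    ("192.168.10.0/24", "eth0"),     # connected LAN at the main location
    ("192.168.10.100/32", "vpn0"),   # the three remote servers, one /32 each
    ("192.168.10.200/32", "vpn0"),
    ("192.168.10.5/32", "vpn0"),
]
REMOTE_GATEWAY_ROUTES = [
    ("192.168.10.0/24", "lan0"),     # connected segment holding .100/.200/.5
    ("192.168.10.1/32", "vpn0"),     # a main-site host reached via the tunnel
]


def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match: return the egress of the most specific route
    containing dst, or None when nothing matches."""
    addr = IPv4(dst)
    best = None
    for prefix, egress in table:
        net = Net(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return None if best is None else best[1]


def host_next_hop(iface: str, gateway: str, dst: str) -> str:
    """A host's own decision for a packet to dst.  'on-link' means the host
    ARPs for dst itself and the frame never reaches the gateway; otherwise
    it is handed to the default gateway."""
    host_net = ipaddress.IPv4Interface(iface).network
    if IPv4(dst) in host_net:
        return "on-link"
    return f"via {gateway}"


def arp_responders(dst: str, lan_hosts, gateway_routes, lan_iface: str,
                   proxy_arp: bool) -> set:
    """Who answers an ARP request for dst on a segment: every local host that
    owns the address, plus the gateway when proxy ARP is enabled and it holds
    a route for dst that leaves through some other interface.  More than one
    responder is the race condition described in the last reply."""
    responders = {h for h in lan_hosts if h == dst}
    egress = lookup(gateway_routes, dst)
    if proxy_arp and egress is not None and egress != lan_iface:
        responders.add("gateway(proxy-arp)")
    return responders


if __name__ == "__main__":
    # Gateway view: the /32 wins, so tunnel traffic is routed correctly.
    print("gateway -> .100:", lookup(MAIN_GATEWAY_ROUTES, "192.168.10.100"))
    print("gateway -> .50: ", lookup(MAIN_GATEWAY_ROUTES, "192.168.10.50"))
    # Host view: a main-site host with a /24 never asks the gateway for .100.
    print("host .7 -> .100:", host_next_hop("192.168.10.7/24", "192.168.10.1",
                                            "192.168.10.100"))
    # ARP view at the remote site: .100 asks for .1 and two devices answer.
    remote_lan = {"192.168.10.1", "192.168.10.100", "192.168.10.200"}
    print("ARP for .1 answered by:",
          arp_responders("192.168.10.1", remote_lan, REMOTE_GATEWAY_ROUTES,
                         "lan0", proxy_arp=True))
```

The gateway-side lookup confirms the original poster's reasoning, and `host_next_hop` confirms the objection to it: neither table is ever consulted by a host whose own mask already claims the destination, which is why a /32 on the gateway does not move that traffic into the tunnel. `arp_responders` returning two entries for the same address is the observable symptom a network engineer would look for (duplicate ARP replies, flapping MAC table entries) when diagnosing such an overlap.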

 