Virtual Private Networks IPSec as solution to subnet problem

Posted by DustWolf on May 21, 2008, 9:07 am
Hello,

I am a network admin for a small company and am looking at a problem:
I need to find a solution for our employees connecting from different
locations around the world, to our company LAN, one way or another.

We have been using PPTP (as built-in in windows) thus far, but our
problem is that people sometimes make connections from subnets that
match our subnet (the "192.168.0.x problem") and we cannot really
afford to change either. I have read that setting up a VPN-like
solution through IPSec would overcome the problem. Is this true?

I understand there are some issues like certificate deployment, but I
do not believe this could be a problem considering the point that all
company computers start their life in my office. I am not too eager to
go for any extra commercial solutions and am hoping to be able to use
what we already have (windows server ISA / windows XP workstations).

Can IPSec tunnels also be used to link LANs (two LANs filled with
workstations, same subnet, two machines used as gateways for N-way
communication)?

Thanks for any help in advance.

Posted by Mike Drechsler - SPAM PROTECTE on May 22, 2008, 2:49 am
dust wolf wrote:
> Hello,
>
> I am a network admin for a small company and am looking at a problem:
> I need to find a solution for our employees connecting from different
> locations around the world, to our company LAN, one way or another.
>
> We have been using PPTP (as built-in in windows) thus far, but our
> problem is that people sometimes make connections from subnets that
> match our subnet (the "192.168.0.x problem") and we cannot really
> afford to change either. I have read that setting up a VPN-like
> solution through IPSec would overcome the problem. Is this true?
>
> I understand there are some issues like certificate deployment, but I
> do not believe this could be a problem considering the point that all
> company computers start their life in my office. I am not too eager to
> go for any extra commercial solutions and am hoping to be able to use
> what we already have (windows server ISA / windows XP workstations).
>
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?
>
> Thanks for any help in advance.

Same problem I'm afraid. You need to renumber a site. Always avoid
using 192.168.0.x and 192.168.1.x for a company network.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup2008@-deletethispart-.upcraft.com)

Posted by Stephen J. Bevan on May 25, 2008, 8:17 am
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?

As Mike noted you have to re-number something. Either re-number one
or more of the subnets or if you don't want to change the physical
subnet, then change it virtually by using 1:1 NAT. Changing the
physical subnet may be painful but if at all possible that's what I'd
do. NAT is something of a last resort when you absolutely cannot
change the physical subnet.

The following explains how NAT would work in case "use 1:1 NAT" still
left you wondering how it is done. In the simplest case where you
have two identical subnets at two sites that want to talk to each
other :-

192.168.1.1/24
A
100.100.100.1
|
internet
|
200.200.200.1
B
192.168.1.1/24

Then pick some other subnet, I'll use 10.0.0.0/8, and assign every
existing subnet a corresponding subnet from 10.0.0.0/8. In this case
I'll assign 10.0.0.0/24 to A and 10.0.1.0/24 to B. Note the physical
subnet does not change, instead what has changed is the address by
which every subnet sees every other subnet. Every subnet continues to
use its existing physical subnet but when communicating with another
subnet it always uses the virtual/NAT subnet. For example when a PC
192.168.1.x on A wants to talk with PC 192.168.1.y on B, it addresses
the PC on B as 10.0.1.y since 10.0.1.0/24 is the virtual/NAT subnet
for B. Thus the IP header would be :-

IP(192.168.1.x,10.0.1.y)

which the IPsec on A would NAT to be :-

IP(10.0.0.x,192.168.1.y)

and then add the IPsec header :-

IP(100.100.100.1,200.200.200.1) | ESP | IP(10.0.0.x,192.168.1.y)

The IPsec on B would strip off the outer IPsec header and then just
forward the traffic :-

IP(10.0.0.x,192.168.1.y)

For the NAT approach to work you have to NAT everything consistently.
Also it relies on A (and B) having ALG support for any protocols that
embed IP addresses within the IP payload (e.g. FTP, SIP/SDP, ... etc.)
and if any of the subnets contain servers that are identified using
DNS then a separate DNS is required to contain the virtual/NAT IPs for
the servers.
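A small simulation of the 1:1 NAT scheme Stephen describes, added here as an illustration and not code from the thread: the addresses are the ones from his diagram, the site table and function names are my own, and the round trip shows why the reply from B lands back on the right PC at A.

```python
import ipaddress

# Constructed from the post: both sites physically use 192.168.1.0/24;
# A is seen by others as 10.0.0.0/24, B as 10.0.1.0/24 (virtual/NAT subnets).
SITES = {
    "A": {"physical": "192.168.1.0/24", "virtual": "10.0.0.0/24", "wan": "100.100.100.1"},
    "B": {"physical": "192.168.1.0/24", "virtual": "10.0.1.0/24", "wan": "200.200.200.1"},
}

def check_plan(sites=SITES):
    """'NAT everything consistently': every virtual subnet must be unique and
    must not collide with any physical subnet, or translations become ambiguous."""
    virt = [ipaddress.ip_network(s["virtual"]) for s in sites.values()]
    phys = [ipaddress.ip_network(s["physical"]) for s in sites.values()]
    for i, v in enumerate(virt):
        if any(v.overlaps(o) for o in virt[i + 1:]) or any(v.overlaps(p) for p in phys):
            return False
    return True

def _map(addr, src_net, dst_net):
    """1:1 NAT: move addr from src_net to dst_net, keeping the host bits."""
    a, s, d = ipaddress.ip_address(addr), ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if a not in s:
        raise ValueError(f"{addr} is not in {src_net}")
    return str(d.network_address + (int(a) - int(s.network_address)))

def outbound(site, peer, src, dst):
    """Gateway at `site` sends to `peer`: source physical -> own virtual,
    destination peer-virtual -> peer physical, then wrap in the ESP outer header."""
    inner = (_map(src, SITES[site]["physical"], SITES[site]["virtual"]),
             _map(dst, SITES[peer]["virtual"], SITES[peer]["physical"]))
    outer = (SITES[site]["wan"], SITES[peer]["wan"])
    return outer, inner                      # outer IP | ESP | inner IP

def inbound(site, outer, inner):
    """Gateway at `site` receives an ESP packet: strip the outer header and forward
    the inner packet unchanged (no NAT on the receiving side)."""
    if outer[1] != SITES[site]["wan"]:
        raise ValueError("outer destination is not this gateway")
    return inner

def round_trip(x, y):
    """PC 192.168.1.x at A talks to PC 192.168.1.y at B (addressed as 10.0.1.y); B replies."""
    outer, inner = outbound("A", "B", f"192.168.1.{x}", f"10.0.1.{y}")
    delivered = inbound("B", outer, inner)              # B's PC sees source 10.0.0.x
    r_outer, r_inner = outbound("B", "A", delivered[1], delivered[0])
    reply = inbound("A", r_outer, r_inner)              # A's PC sees IP(10.0.1.y, 192.168.1.x)
    return inner, reply
```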

Posted by Svend on June 25, 2008, 8:03 am
DustWolf wrote:
> Hello,
>
> I am a network admin for a small company and am looking at a problem:
> I need to find a solution for our employees connecting from different
> locations around the world, to our company LAN, one way or another.
>
> We have been using PPTP (as built-in in windows) thus far, but our
> problem is that people sometimes make connections from subnets that
> match our subnet (the "192.168.0.x problem") and we cannot really
> afford to change either. I have read that setting up a VPN-like
> solution through IPSec would overcome the problem. Is this true?
>
> I understand there are some issues like certificate deployment, but I
> do not believe this could be a problem considering the point that all
> company computers start their life in my office. I am not too eager to
> go for any extra commercial solutions and am hoping to be able to use
> what we already have (windows server ISA / windows XP workstations).
>
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?
>
> Thanks for any help in advance.


Yes, I think that some IPsec routers can do that. I think that Cisco
is one of them. Have a look at Source NAT and Destination NAT.

--
Svend

