IPSec as solution to subnet problem

Hello,

I am a network admin for a small company and am looking at a problem: I need to find a solution for our employees connecting from different locations around the world, to our company LAN, one way or another.

We have been using PPTP (as built in to Windows) thus far, but our problem is that people sometimes make connections from subnets that match our subnet (the "192.168.0.x problem") and we cannot really afford to change either. I have read that setting up a VPN-like solution through IPSec would overcome the problem. Is this true?

I understand there are some issues like certificate deployment, but I do not believe this could be a problem, considering that all company computers start their life in my office. I am not too eager to go for any extra commercial solutions and am hoping to be able to use what we already have (Windows Server with ISA / Windows XP workstations).

Can IPSec tunnels also be used to link LANs (two LANs filled with workstations, same subnet, two machines used as gateways for N-way communication)?

Thanks for any help in advance.

Reply to
DustWolf

Same problem I'm afraid. You need to renumber a site. Always avoid using 192.168.0.x and 192.168.1.x for a company network.

Reply to
Mike Drechsler - SPAM PROTECTE

As Mike noted, you have to re-number something. Either re-number one or more of the subnets, or, if you don't want to change the physical subnet, change it virtually by using 1:1 NAT. Changing the physical subnet may be painful, but if at all possible that's what I'd do. NAT is something of a last resort when you absolutely cannot change the physical subnet.

The following explains how NAT would work in case "use 1:1 NAT" still left you wondering how it is done. In the simplest case where you have two identical subnets at two sites that want to talk to each other :-

192.168.1.1/24 A 100.100.100.1 | internet | 200.200.200.1 B 192.168.1.1/24

Then pick some other subnet, I'll use 10.0.0.0/8, and assign every existing subnet a corresponding subnet from 10.0.0.0/8. In this case I'll assign 10.0.0.0/24 to A and 10.0.1.0/24 to B. Note the physical subnet does not change; instead what has changed is the address by which every subnet sees every other subnet. Every subnet continues to use its existing physical subnet, but when communicating with another subnet it always uses the virtual/NAT subnet. For example, when a PC 192.168.1.x on A wants to talk with PC 192.168.1.y on B, it addresses the PC on B as 10.0.1.y since 10.0.1.0/24 is the virtual/NAT subnet for B. Thus the IP header would be :-

IP(192.168.1.x,10.0.1.y)

which the IPsec on A would NAT to be :-

IP(10.0.0.x,192.168.1.y)

and then add the IPsec header :-

IP(100.100.100.1,200.200.200.1) | ESP | IP(10.0.0.x,192.168.1.y)

The IPsec on B would strip off the outer IPsec header and then just forward the traffic :-

IP(10.0.0.x,192.168.1.y)

For the NAT approach to work you have to NAT everything consistently. Also, it relies on A (and B) having ALG support for any protocols that embed IP addresses within the IP payload (e.g. FTP, SIP/SDP, etc.), and if any of the subnets contain servers that are identified using DNS, then a separate DNS is required to contain the virtual/NAT IPs for the servers.

Reply to
Stephen J. Bevan
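The translation steps in the post above, worked through in code. This is an added example, not something from the thread or from any vendor's IPsec implementation: it models the two gateways as Python functions and uses the post's own addresses (192.168.1.0/24 at both sites, virtual subnets 10.0.0.0/24 for A and 10.0.1.0/24 for B, public addresses 100.100.100.1 and 200.200.200.1). The host addresses .5 and .7 are constructed for the example; the ESP header is represented only as a wrapper, since the point is the address rewriting, not the encryption.

```python
"""1:1 NAT between two sites that share the same physical subnet, over a tunnel.

Each site keeps its real (physical) prefix and is given a distinct virtual
prefix. Hosts address remote peers by the peer's virtual address; the local
gateway rewrites src (physical -> own virtual) and dst (peer virtual -> peer
physical) before encapsulating, so the peer gateway can forward the inner
packet onto its LAN unchanged. The same function handles the reply path,
which is what "NAT everything consistently" amounts to.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    physical: ipaddress.IPv4Network   # the real LAN prefix (identical at both sites here)
    virtual: ipaddress.IPv4Network    # prefix by which other sites address this LAN
    public: ipaddress.IPv4Address     # gateway's Internet-facing address (tunnel endpoint)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def remap(addr, from_net, to_net):
    """Move addr from one prefix to another, keeping the host part (the 1:1 mapping)."""
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized prefixes")
    host_part = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_part


def outbound_nat(pkt, local, peers):
    """Gateway at `local` rewrites a LAN packet destined for a peer's virtual subnet.

    Returns (peer_site, translated_packet) or raises if no peer matches dst.
    """
    for peer in peers:
        if pkt.dst in peer.virtual:
            new_src = remap(pkt.src, local.physical, local.virtual)
            new_dst = remap(pkt.dst, peer.virtual, peer.physical)
            return peer, Packet(new_src, new_dst)
    raise ValueError(f"no virtual subnet covers {pkt.dst}; would be routed locally")


def encapsulate(inner, local, peer):
    """Tunnel-mode view: outer header between the two public addresses, ESP carries inner."""
    return {"outer": Packet(local.public, peer.public), "esp": inner}


def decapsulate_and_forward(tunnelled, local):
    """Peer gateway strips the outer header; inner dst must already be a local physical address."""
    if tunnelled["outer"].dst != local.public:
        raise ValueError("outer header is not addressed to this gateway")
    inner = tunnelled["esp"]
    if inner.dst not in local.physical:
        raise ValueError(f"inner destination {inner.dst} is not on this LAN")
    return inner


def round_trip():
    """Request from A to B and the reply back, returned as (src, dst) strings at each hop."""
    site_a = Site("A", ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_address("100.100.100.1"))
    site_b = Site("B", ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_address("200.200.200.1"))

    # Constructed hosts: x=5 on A talks to y=7 on B, addressing it by B's virtual prefix.
    request = Packet(ipaddress.ip_address("192.168.1.5"), ipaddress.ip_address("10.0.1.7"))
    peer, inner = outbound_nat(request, site_a, [site_b])
    delivered = decapsulate_and_forward(encapsulate(inner, site_a, peer), site_b)

    # Host on B replies to what it saw as the source: A's virtual address 10.0.0.5.
    reply = Packet(delivered.dst, delivered.src)
    peer, inner_reply = outbound_nat(reply, site_b, [site_a])
    returned = decapsulate_and_forward(encapsulate(inner_reply, site_b, peer), site_a)

    as_str = lambda p: (str(p.src), str(p.dst))
    return {"request": as_str(request), "tunnelled": as_str(delivered),
            "reply": as_str(reply), "returned": as_str(returned)}


if __name__ == "__main__":
    for hop, addrs in round_trip().items():
        print(f"{hop:10s} IP{addrs}")
```

The reply path reuses `outbound_nat` with the roles swapped, which is the consistency requirement from the post: B's gateway maps 192.168.1.7 to 10.0.1.7 and 10.0.0.5 back to 192.168.1.5, so the answer arrives at the original sender's physical address. Note that the code only rewrites the IP header; a protocol that carries addresses in its payload (FTP, SIP/SDP) would still leak 192.168.1.x values, which is why the post calls for ALG support.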

Yes, I think that some IPsec routers can do that. I think that Cisco is one of them. Have a look at Source NAT and Destination NAT.

Reply to
Svend
