Linux Netfilter discussions
* vpn between networks with private ip network segment conflicts
@ 2003-05-27 16:03 Drew Einhorn
  2003-05-27 16:30 ` Ray Leach
  0 siblings, 1 reply; 7+ messages in thread
From: Drew Einhorn @ 2003-05-27 16:03 UTC (permalink / raw)
  To: netfilter list

My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
So does the remote network I need to vpn to (probably using some flavor
of pptp).

Is there an odd NAT variant that will solve this problem?
Probably need to do some kind of DNS transformation on each side.

Is there any easy solution?  Perhaps it would be easier (but not easy)
to get the network segments renumbered on one end or the other.

-- 
Drew Einhorn <drew.einhorn@starband.net>



* RE: vpn between networks with private ip network segment conflicts
@ 2003-05-27 22:13 George Vieira
  0 siblings, 0 replies; 7+ messages in thread
From: George Vieira @ 2003-05-27 22:13 UTC (permalink / raw)
  To: Drew Einhorn, Ray Leach; +Cc: Netfilter Mailing List

Nope, no better option. Believe me, if you try any funky iptables stuff (which I'll mention below) you will be thanking Ray for his option.


What you do is create a pseudo IP network, i.e. as below (hope this comes out in email):

192.168.0.0/24\_________________FW__FW__________________/192.168.0.0/24
192.168.1.0/24/  192.168.100.0/24    192.168.200.0/24   \192.168.1.0/24
                 192.168.101.0/24    192.168.201.0/24

You NAT both sides using a virtual network range and the p-o-m NETMAP module.

The left tunnel server believes there is a network on the right side with 192.168.200.0 and 192.168.201.0, and routes to that network via the tunnel.
The right tunnel server believes there is a network on the left side with 192.168.100.0 and 192.168.101.0, and routes to that network via the tunnel.

# Left side rules
# From the tunnel: the far side addresses us as 192.168.100/101, map that back to the real LAN
iptables -t nat -A PREROUTING -d 192.168.100.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A PREROUTING -d 192.168.101.0/24 -j NETMAP --to 192.168.1.0/24
# Toward the tunnel (the right side's virtual range): the matching source mapping, omitted from the
# post as sent; without it the far host replies to a 192.168.0.x address that looks local to it
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.200.0/23 -j NETMAP --to 192.168.100.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.200.0/23 -j NETMAP --to 192.168.101.0/24

# Right side rules (mirror image)
iptables -t nat -A PREROUTING -d 192.168.200.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A PREROUTING -d 192.168.201.0/24 -j NETMAP --to 192.168.1.0/24
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.100.0/23 -j NETMAP --to 192.168.200.0/24
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.100.0/23 -j NETMAP --to 192.168.201.0/24

Messy, but it'll work... well, it should!

Has anybody thought of that? Anybody tried it already?

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au


-----Original Message-----
From: Drew Einhorn [mailto:drew.einhorn@starband.net]
Sent: Wednesday, May 28, 2003 3:35 AM
To: Ray Leach
Cc: Netfilter Mailing List
Subject: Re: vpn between networks with private ip network segment conflicts


Oooo ... I was afraid that was going to be the answer.

I'll wait a bit and see if someone has a better idea before starting
in on renumbering a network.

On Tue, 2003-05-27 at 10:30, Ray Leach wrote:
> On Tue, 2003-05-27 at 18:03, Drew Einhorn wrote:
> > My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> > So does the remote network I need to vpn to (probably using some flavor
> > of pptp).
> > 
> > Is there an odd NAT variant that will solve this problem?
> > Probably need to do some kind of DNS transformation on each side.
> > 
> > Is there any easy solution?  Perhaps it would be easier (but not easy)
> > to get the network segments renumbered on one end or the other.
> 
> Oooo ... I would go with the second option. Get one end renumbered.
-- 
Drew Einhorn <drew.einhorn@starband.net>




* RE: vpn between networks with private ip network segment conflicts
@ 2003-05-28  6:48 George Vieira
  0 siblings, 0 replies; 7+ messages in thread
From: George Vieira @ 2003-05-28  6:48 UTC (permalink / raw)
  To: Ray Leach, Drew Einhorn; +Cc: Netfilter Mailing List

That's what I already said in my last post on this thread. It's a virtual network which is basically known only to the two firewalls and not assigned to any specific host, hence virtual ;)

But best use the NETMAP module, otherwise you'll have a whole lot of rules to make.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au

Phone   : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
 

-----Original Message-----
From: Ray Leach [mailto:raymondl@knowledgefactory.co.za]
Sent: Wednesday, May 28, 2003 4:38 PM
To: Drew Einhorn
Cc: Netfilter Mailing List
Subject: Re: vpn between networks with private ip network segment conflicts


Yes.

I had another thought (those are rare for me).

What if you created a network between the two networks. Like this:

Net1 <-> VPN (CIPE) <-> New NET <-> VPN (CIPE) <-> Net2

Then your routing would be to the new network.

Maybe use some kind of NAT rules to map the new net back to the dest
net. For example:

Net1.host1 (192.168.0.1) wants to connect to net2.host1 (192.168.0.1).
He actually connects to 10.0.0.1 and VPN/Router1 does a SNAT to its IP.
VPN/Router2 does a DNAT for the traffic from 10.0.0.1 back to 192.168.0.1.

VPN/Router1 has to have a route for 10.0.0.1 pointing to VPN/Router2

Do the same on the other side.

I was thinking of something along the lines of the P-O-M 1:1 NAT patch.

Does this make sense, and might it work?

Ray



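George's NETMAP rules above and Ray's SNAT/DNAT sketch in the forwarded message are the same idea: 1:1 prefix NAT through a virtual range that only the two tunnel endpoints know about. The following is an added example, not code from the thread, that models what the two nat tables and conntrack do to one connection so the round trip can be checked on paper. It uses the address plan from George's diagram (left seen as 192.168.100.0/23, right as 192.168.200.0/23; the /23 aggregates are an assumption for scoping the source mapping), a deliberately minimal conntrack, and a simplified host that hands a reply to its gateway only when the destination is off its own subnet. With only the PREROUTING destination mapping the far host's reply is addressed to a 192.168.0.x it treats as local and never enters the tunnel; with the matching POSTROUTING source mapping on each side the reply comes back with the addresses the originating host expects.

```python
"""Constructed model of NETMAP double NAT between two sites that both use
192.168.0.0/24 and 192.168.1.0/24.  Not code from the thread."""
import ipaddress


def netmap(addr, from_net, to_net):
    """1:1 prefix rewrite, what iptables -j NETMAP does: keep the host bits,
    swap the network part.  Returns None when addr is outside from_net."""
    a = ipaddress.ip_address(addr)
    fn = ipaddress.ip_network(from_net)
    tn = ipaddress.ip_network(to_net)
    if a not in fn:
        return None
    return str(tn.network_address + (int(a) - int(fn.network_address)))


def in_net(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class Firewall:
    """The nat table of one tunnel endpoint plus a minimal conntrack that, like
    the real one, reverses the translation for replies to a tracked connection."""

    def __init__(self, prerouting, postrouting):
        self.prerouting = prerouting    # [(virtual dst net, real net)]           -> DNAT
        self.postrouting = postrouting  # [(real src net, virtual net, far net)]  -> SNAT, only toward far net
        self.conntrack = {}             # reply tuple after NAT -> reply tuple before NAT

    def forward(self, pkt):
        src, dst = pkt
        if pkt in self.conntrack:       # reply to a tracked connection: undo the NAT
            return self.conntrack[pkt]
        osrc, odst = src, dst
        for net, real in self.prerouting:          # PREROUTING: virtual dst -> real dst
            mapped = netmap(dst, net, real)
            if mapped:
                dst = mapped
                break
        for net, virt, far in self.postrouting:    # POSTROUTING: real src -> virtual src
            if in_net(dst, far):
                mapped = netmap(src, net, virt)
                if mapped:
                    src = mapped
                    break
        if (src, dst) != (osrc, odst):
            self.conntrack[(dst, src)] = (odst, osrc)
        return (src, dst)


# Both sites really use the same two subnets (from the thread).
LANS = ["192.168.0.0/24", "192.168.1.0/24"]


def host_reply(pkt):
    """The receiving host swaps the addresses.  It only hands the reply to its
    default gateway when the destination is off-subnet; an address that falls
    inside its own LAN is resolved with ARP locally and never reaches the tunnel
    (and may even land on an unrelated local host that owns that address)."""
    src, dst = pkt
    reply = (dst, src)
    goes_to_gateway = not any(in_net(reply[1], n) for n in LANS)
    return reply, goes_to_gateway


def session(near, far, src, dst):
    """A host `src` behind `near` opens a connection to the address `dst` under
    which it knows a host behind `far`.  Returns (peer address the far host saw,
    whether the reply made it back to `src` with the addresses it expects)."""
    p = near.forward((src, dst))
    p = far.forward(p)
    seen_as = p[0]
    reply, goes_to_gateway = host_reply(p)
    if not goes_to_gateway:
        return seen_as, False
    reply = far.forward(reply)
    reply = near.forward(reply)
    return seen_as, reply == (dst, src)


def build(with_postrouting):
    """Rule sets for both firewalls.  Virtual ranges as in the thread's diagram:
    left is seen as 192.168.100/101, right as 192.168.200/201 (/23 aggregates
    assumed for the far-net match).  with_postrouting=False is the destination
    mapping alone."""
    left_pre = [("192.168.100.0/24", "192.168.0.0/24"), ("192.168.101.0/24", "192.168.1.0/24")]
    right_pre = [("192.168.200.0/24", "192.168.0.0/24"), ("192.168.201.0/24", "192.168.1.0/24")]
    left_post, right_post = [], []
    if with_postrouting:
        left_post = [("192.168.0.0/24", "192.168.100.0/24", "192.168.200.0/23"),
                     ("192.168.1.0/24", "192.168.101.0/24", "192.168.200.0/23")]
        right_post = [("192.168.0.0/24", "192.168.200.0/24", "192.168.100.0/23"),
                      ("192.168.1.0/24", "192.168.201.0/24", "192.168.100.0/23")]
    return Firewall(left_pre, left_post), Firewall(right_pre, right_post)


if __name__ == "__main__":
    for flag in (False, True):
        left, right = build(flag)
        print("POSTROUTING mapping:", flag,
              "left->right:", session(left, right, "192.168.0.5", "192.168.200.7"),
              "right->left:", session(right, left, "192.168.1.9", "192.168.101.3"))
```

Ray's 10.0.0.x variant is the same model with a different virtual prefix on each side; the point the simulation makes is independent of the prefix chosen: every packet that crosses the tunnel must carry a source and a destination that are both outside the receiving site's real ranges, which takes a destination map on ingress and a source map on egress at each end.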
* vpn between networks with private ip network segment conflicts
@ 2003-05-28  8:32 dtrott
  0 siblings, 0 replies; 7+ messages in thread
From: dtrott @ 2003-05-28  8:32 UTC (permalink / raw)
  To: drew.einhorn; +Cc: netfilter

If:
- you don't need to access the whole remote network
  (just a limited number of servers), and
- those servers don't clash with anything on your local network,
  or it's not too painful to move one or two hosts
  so they don't clash,

you may be able to kludge it with some proxy ARPing.

You will need to have:
- both routers on non-clashing addresses;
- both routers proxy ARP for the other one;
- your local router proxy ARP for all the
  servers you wish to access;
- all outgoing VPN traffic SNATed to your
  local router's IP (to avoid conflicts on the remote LAN).

Reverse local and remote for access in the opposite direction.

Note: I have not tested all this together, the closest I 
have tried is:

My home network uses:

10.1.100.0/24

My work network uses:

10.1.0.0/16

I proxy ARP the subnet on the router at work, but my home router doesn't
need to proxy ARP or SNAT because the netmask is smaller and there are no
conflicts on the work LAN.


This will save you having to mess with the DNS, but to be honest I think 
the least painful route (in the long run) is just to re-number one of 
the networks. 

This is especially true if you are planning to do anything with
MS networking, because MS networking really doesn't like NAT.


David


PS If bi-directional access is not required you may be able to
SNAT to a virtual IP (per some of the other posts); this will save
the remote router from needing to proxy ARP.


Drew Einhorn Wrote:
> My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> So does the remote network I need to vpn to (probably using some flavor
> of pptp).
>
> Is there an odd NAT variant that will solve this problem?
> Probably need to do some kind of DNS transformation on each side.
>
> Is there any easy solution?  Perhaps it would be easier (but not easy)
> to get the network segments renumbered on one end or the other.
>
> -- 
> Drew Einhorn <drew.einhorn@starband.net>




end of thread, other threads:[~2003-05-28  8:32 UTC | newest]

Thread overview: 7+ messages
2003-05-27 16:03 vpn between networks with private ip network segment conflicts Drew Einhorn
2003-05-27 16:30 ` Ray Leach
2003-05-27 17:34   ` Drew Einhorn
2003-05-28  6:37     ` Ray Leach
  -- strict thread matches above, loose matches on Subject: below --
2003-05-27 22:13 George Vieira
2003-05-28  6:48 George Vieira
2003-05-28  8:32 dtrott
