From: <dtrott@mailshell.com>
To: drew.einhorn@starband.net
Cc: netfilter@lists.netfilter.org
Subject: vpn between networks with private ip network segment conflicts
Date: Wed, 28 May 2003 01:32:20 -0700
Message-ID: <1054110740.3ed474140ea8c@www.mailshell.com>

If:

- You don't need to access the whole remote network
  (just a limited number of servers)
- Those servers don't clash with anything on your local network,
  or it's not too painful to move one or two hosts
  so they don't clash.

You may be able to kludge it with some proxy arping.

You will need to have:

- Both routers on non-clashing addresses.
- Both routers proxy arp for the other one.
- Your local router will have to proxy arp for all the
  servers you wish to access.
- You will need to SNAT all outgoing VPN traffic to your
  local router's IP (to avoid conflicts on the remote LAN).

Reverse local and remote for access in the opposite direction.

Note: I have not tested all this together; the closest I
have tried is:

My home network uses:
    10.1.100.0/24
My work network uses:
    10.1.0.0/16

I proxy arp the subnet on the router at work, but my home router doesn't
need to proxy arp or SNAT because the netmask is smaller and there are no
conflicts on the work LAN.

This will save you having to mess with the DNS, but to be honest I think
the least painful route (in the long run) is just to re-number one of
the networks.

This is especially true if you are planning to do anything with
MS networking, because MS networking really doesn't like NAT.

David

PS If bi-directional access is not required you may be able to
SNAT to a virtual IP (per some of the other posts); this will save
the remote router from needing to proxy arp.

Drew Einhorn wrote:
> My LAN uses network segments 192.168.0.0/24, 192.168.1.0/24, etc.
> So does the remote network I need to vpn to (probably using some flavor
> of pptp).
>
> Is there an odd nat variant that will solve this problem?
> Probably need to do some kind of dns transformation on each side.
> Is there any easy solution? Perhaps it would be easier (but not easy)
> to get the network segments renumbered on one end or the other.
>
> --
> Drew Einhorn <drew.einhorn@starband.net>
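
The local-router side of the checklist in David's message, as an added example that is not part of the original post: it checks the two no-clash preconditions and then prints, without running, the proxy ARP, host-route and SNAT commands for review. The function name `plan`, the interface names and all addresses are constructed, and using `ip neigh add proxy` with per-host routes is one assumed way to do the proxy arping, which the post does not spell out.

```shell
#!/bin/sh
# Added example: print (do not run) the local-router commands for the
# proxy-ARP + SNAT workaround. All names and addresses are constructed.

# plan LAN_IF VPN_IF LOCAL_ROUTER REMOTE_ROUTER "LOCAL_HOSTS" SERVER...
# LOCAL_HOSTS: space-separated addresses already in use on the local LAN.
plan() {
    lan_if=$1 vpn_if=$2 local_rtr=$3 remote_rtr=$4 local_hosts=$5
    shift 5

    # Precondition: the routers sit on non-clashing addresses.
    if [ "$local_rtr" = "$remote_rtr" ]; then
        echo "router addresses clash: $local_rtr" >&2
        return 1
    fi

    # Precondition: no remote address we want to reach is in use locally.
    for target in "$remote_rtr" "$@"; do
        for used in $local_rtr $local_hosts; do
            if [ "$target" = "$used" ]; then
                echo "clash: $target is in use on the local LAN" >&2
                return 1
            fi
        done
    done

    echo "sysctl -w net.ipv4.ip_forward=1"
    for target in "$remote_rtr" "$@"; do
        # Answer ARP on the LAN on behalf of the remote address...
        echo "ip neigh add proxy $target dev $lan_if"
        # ...and forward it down the tunnel instead of onto the local wire.
        echo "ip route replace $target/32 dev $vpn_if"
    done
    # Hide local source addresses behind the router's own IP so replies
    # are not delivered to same-numbered hosts on the remote LAN.
    echo "iptables -t nat -A POSTROUTING -o $vpn_if -j SNAT --to-source $local_rtr"
}

# Constructed sample: both sites use 192.168.0.0/24. Run with "demo".
if [ "${1:-}" = "demo" ]; then
    plan eth0 ppp0 192.168.0.1 192.168.0.254 \
        "192.168.0.10 192.168.0.11" 192.168.0.50 192.168.0.51
fi
```

The remote router needs the mirror-image set of commands, with local and remote swapped, before access works in both directions.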