IPSec as solution to subnet problem



DustWolf
05-21-08, 08:07 AM
Hello,

I am a network admin for a small company and am looking at a problem:
I need to find a solution for our employees connecting from different
locations around the world, to our company LAN, one way or another.

We have been using PPTP (as built-in in windows) thus far, but our
problem is that people sometimes make connections from subnets that
match our subnet (the "192.168.0.x problem") and we cannot really
afford to change either. I have read that setting up a VPN-like
solution through IPSec would overcome the problem. Is this true?

I understand there are some issues like certificate deployment, but I
do not believe this could be a problem considering the point that all
company computers start their life in my office. I am not too eager to
go for any extra commercial solutions and am hoping to be able to use
what we already have (windows server ISA / windows XP workstations).

Can IPSec tunnels also be used to link LANs (two LANs filled with
workstations, same subnet, two machines used as gateways for N-way
communication)?

Thanks for any help in advance.

Mike Drechsler - SPAM PROTECTED EMAIL
05-22-08, 01:49 AM
dust wolf wrote:
> Hello,
>
> I am a network admin for a small company and am looking at a problem:
> I need to find a solution for our employees connecting from different
> locations around the world, to our company LAN, one way or another.
>
> We have been using PPTP (as built-in in windows) thus far, but our
> problem is that people sometimes make connections from subnets that
> match our subnet (the "192.168.0.x problem") and we cannot really
> afford to change either. I have read that setting up a VPN-like
> solution through IPSec would overcome the problem. Is this true?
>
> I understand there are some issues like certificate deployment, but I
> do not believe this could be a problem considering the point that all
> company computers start their life in my office. I am not too eager to
> go for any extra commercial solutions and am hoping to be able to use
> what we already have (windows server ISA / windows XP workstations).
>
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?
>
> Thanks for any help in advance.

Same problem I'm afraid. You need to renumber a site. Always avoid
using 192.168.0.x and 192.168.1.x for a company network.


--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup2008@-deletethispart-.upcraft.com)

Stephen J. Bevan
05-25-08, 07:17 AM
DustWolf <jure.sah@bia.si> writes:
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?

As Mike noted you have to re-number something. Either re-number one
or more of the subnets or, if you don't want to change the physical
subnet, then change it virtually by using 1:1 NAT. Changing the
physical subnet may be painful but if at all possible that's what I'd
do. NAT is something of a last resort when you absolutely cannot
change the physical subnet.

The following explains how NAT would work in case "use 1:1 NAT" still
left you wondering how it is done. In the simplest case where you
have two identical subnets at two sites that want to talk to each
other :-

192.168.1.1/24
A
100.100.100.1
|
internet
|
200.200.200.1
B
192.168.1.1/24

Then pick some other subnet, I'll use 10.0.0.0/8, and assign every
existing subnet a corresponding subnet from 10.0.0.0/8. In this case
I'll assign 10.0.0.0/24 to A and 10.0.1.0/24 to B. Note the physical
subnet does not change, instead what has changed is the address by
which every subnet sees every other subnet. Every subnet continues to
use its existing physical subnet but when communicating with another
subnet it always uses the virtual/NAT subnet. For example when a PC
192.168.1.x on A wants to talk with PC 192.168.1.y on B, it addresses
the PC on B as 10.0.1.y since 10.0.1.0/24 is the virtual/NAT subnet
for B. Thus the IP header would be :-

IP(192.168.1.x,10.0.1.y)

which the IPsec on A would NAT to be :-

IP(10.0.0.x,192.168.1.y)

and then add the IPsec header :-

IP(100.100.100.1,200.200.200.1) | ESP | IP(10.0.0.x,192.168.1.y)

The IPsec on B would strip off the outer IPsec header and then just
forward the traffic :-

IP(10.0.0.x,192.168.1.y)

For the NAT approach to work you have to NAT everything consistently.
Also it relies on A (and B) having ALG support for any protocols that
embed IP addresses within the IP payload (e.g. FTP, SIP/SDP, ... etc.)
and if any of the subnets contain servers that are identified using
DNS then a separate DNS is required to contain the virtual/NAT IPs for
the servers.
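
The 1:1 NAT walk-through above, worked as an added example (this is not code from the thread or from any product it mentions; the site table, gateway addresses and host numbers are constructed to match the diagram). It models what a NETMAP-style translation does on each gateway: outbound, the local source is rewritten to the local virtual subnet and the remote virtual destination to the remote physical subnet, the packet is wrapped in an outer header between the two gateways, and the receiving side only strips that header. It carries the exchange through the reply so you can see that the B host's answer arrives at A with the source the A host originally addressed. A planning check enforces the "NAT everything consistently" rule. ALG handling and the separate DNS view that the post mentions are out of scope here.

```python
"""1:1 NAT between two sites that both use 192.168.1.0/24, across a tunnel.

Added example, not part of the original post. All addresses are hypothetical
and copied from the diagram above; the tunnel is modelled as an outer IP
header plus an ESP marker, not real IPsec.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class EspPacket:
    outer_src: str
    outer_dst: str
    inner: Packet
    proto: str = "ESP"


# Constructed site table: identical physical subnets, distinct virtual subnets.
SITES = {
    "A": {"physical": "192.168.1.0/24", "virtual": "10.0.0.0/24", "gateway": "100.100.100.1"},
    "B": {"physical": "192.168.1.0/24", "virtual": "10.0.1.0/24", "gateway": "200.200.200.1"},
}


def netmap(addr, from_net, to_net):
    """Keep the host bits, swap the network prefix (the NETMAP operation)."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equally sized subnets")
    host = int(ipaddress.ip_address(addr)) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host))


def plan_is_consistent(sites):
    """Every virtual subnet must be the size of its physical one and overlap
    neither another virtual subnet nor any physical subnet of any site."""
    phys = [ipaddress.ip_network(s["physical"]) for s in sites.values()]
    virt = [ipaddress.ip_network(s["virtual"]) for s in sites.values()]
    if any(p.prefixlen != v.prefixlen for p, v in zip(phys, virt)):
        return False
    if any(p.overlaps(v) for p in phys for v in virt):
        return False
    return not any(virt[i].overlaps(virt[j])
                   for i in range(len(virt)) for j in range(i + 1, len(virt)))


def site_for_virtual(addr, sites):
    """Which site owns the virtual address a host is talking to."""
    ip = ipaddress.ip_address(addr)
    for name, s in sites.items():
        if ip in ipaddress.ip_network(s["virtual"]):
            return name
    raise ValueError(f"{addr} is not in any virtual subnet")


def encapsulate(local, pkt, sites):
    """Outbound at a site gateway: NAT both addresses, then add the outer header."""
    remote = site_for_virtual(pkt.dst, sites)
    ls, rs = sites[local], sites[remote]
    inner = Packet(src=netmap(pkt.src, ls["physical"], ls["virtual"]),
                   dst=netmap(pkt.dst, rs["virtual"], rs["physical"]))
    return EspPacket(ls["gateway"], rs["gateway"], inner)


def decapsulate(local, esp, sites):
    """Inbound at a site gateway: strip the outer header and forward unchanged."""
    s = sites[local]
    if esp.outer_dst != s["gateway"] or esp.proto != "ESP":
        raise ValueError("not a tunnel packet for this gateway")
    if ipaddress.ip_address(esp.inner.dst) not in ipaddress.ip_network(s["physical"]):
        raise ValueError("inner destination is not on the local physical subnet")
    return esp.inner


def round_trip(sites=SITES):
    """A host 192.168.1.10 (site A) talks to 192.168.1.20 (site B), which it
    knows as 10.0.1.20. Returns the three packets a practitioner would capture."""
    request = Packet("192.168.1.10", "10.0.1.20")
    on_wire = encapsulate("A", request, sites)
    delivered = decapsulate("B", on_wire, sites)
    reply = Packet(delivered.dst, delivered.src)      # B host answers what it saw
    returned = decapsulate("A", encapsulate("B", reply, sites), sites)
    return on_wire, delivered, returned


if __name__ == "__main__":
    for p in round_trip():
        print(p)
```

Running it prints the outer header `100.100.100.1 -> 200.200.200.1` carrying `10.0.0.10 -> 192.168.1.20`, the same inner packet delivered at B, and the reply `10.0.1.20 -> 192.168.1.10` arriving at A, which is exactly the pair of addresses the A host used. Adding a third site is a matter of adding a row with its own virtual /24; `plan_is_consistent` rejects a row whose virtual range collides with any physical or virtual range already in use.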

Svend
06-25-08, 07:03 AM
DustWolf wrote:
> Hello,
>
> I am a network admin for a small company and am looking at a problem:
> I need to find a solution for our employees connecting from different
> locations around the world, to our company LAN, one way or another.
>
> We have been using PPTP (as built-in in windows) thus far, but our
> problem is that people sometimes make connections from subnets that
> match our subnet (the "192.168.0.x problem") and we cannot really
> afford to change either. I have read that setting up a VPN-like
> solution through IPSec would overcome the problem. Is this true?
>
> I understand there are some issues like certificate deployment, but I
> do not believe this could be a problem considering the point that all
> company computers start their life in my office. I am not too eager to
> go for any extra commercial solutions and am hoping to be able to use
> what we already have (windows server ISA / windows XP workstations).
>
> Can IPSec tunnels also be used to link LANs (two LANs filled with
> workstations, same subnet, two machines used as gateways for N-way
> communication)?
>
> Thanks for any help in advance.


Yes, I think that some IPsec routers can do that. I think that Cisco
is one of them. Have a look at Source NAT and Destination NAT.

--
Svend