
Thread: IPSec as solution to subnet problem

  1. #1
    DustWolf
    Guest

    IPSec as solution to subnet problem

    Hello,

    I am a network admin for a small company and am looking at a problem:
    I need to find a solution for our employees connecting from different
    locations around the world, to our company LAN, one way or another.

    We have been using PPTP (as built-in in windows) thus far, but our
    problem is that people sometimes make connections from subnets that
    match our subnet (the "192.168.0.x problem") and we cannot really
    afford to change either. I have read that setting up a VPN-like
    solution through IPSec would overcome the problem. Is this true?

    I understand there are some issues like certificate deployment, but I
    do not believe this could be a problem considering the point that all
    company computers start their life in my office. I am not too eager to
    go for any extra commercial solutions and am hoping to be able to use
    what we already have (windows server ISA / windows XP workstations).

    Can IPSec tunnels also be used to link LANs (two LANs filled with
    workstations, same subnet, two machines used as gateways for N-way
    communication)?

    Thanks for any help in advance.

  2. #2
    Mike Drechsler - SPAM PROTECTED EMAIL
    Guest

    Re: IPSec as solution to subnet problem

    dust wolf wrote:
    > Hello,
    >
    > I am a network admin for a small company and am looking at a problem:
    > I need to find a solution for our employees connecting from different
    > locations around the world, to our company LAN, one way or another.
    >
    > We have been using PPTP (as built-in in windows) thus far, but our
    > problem is that people sometimes make connections from subnets that
    > match our subnet (the "192.168.0.x problem") and we cannot really
    > afford to change either. I have read that setting up a VPN-like
    > solution through IPSec would overcome the problem. Is this true?
    >
    > I understand there are some issues like certificate deployment, but I
    > do not believe this could be a problem considering the point that all
    > company computers start their life in my office. I am not too eager to
    > go for any extra commercial solutions and am hoping to be able to use
    > what we already have (windows server ISA / windows XP workstations).
    >
    > Can IPSec tunnels also be used to link LANs (two LANs filled with
    > workstations, same subnet, two machines used as gateways for N-way
    > communication)?
    >
    > Thanks for any help in advance.


    Same problem I'm afraid. You need to renumber a site. Always avoid
    using 192.168.0.x and 192.168.1.x for a company network.


    --
    WARNING! Email address has been altered for spam resistance.
    Please remove the -deletethispart-. section before replying directly.
    Mike Drechsler (mike-newsgroup2008@-deletethispart-.upcraft.com)

  3. #3
    Stephen J. Bevan
    Guest

    Re: IPSec as solution to subnet problem

    DustWolf <jure.sah@bia.si> writes:
    > Can IPSec tunnels also be used to link LANs (two LANs filled with
    > workstations, same subnet, two machines used as gateways for N-way
    > communication)?


    As Mike noted you have to re-number something. Either re-number one
    or more of the subnets or if you don't want to change the physical
    subnet, then change it virtually by using 1:1 NAT. Changing the
    physical subnet may be painful but if at all possible that's what I'd
    do. NAT is something of a last resort when you absolutely cannot
    change the physical subnet.

    The following explains how NAT would work in case "use 1:1 NAT" still
    left you wondering how it is done. In the simplest case where you
    have two identical subnets at two sites that want to talk to each
    other :-

    192.168.1.1/24
    A
    100.100.100.1
    |
    internet
    |
    200.200.200.1
    B
    192.168.1.1/24

    Then pick some other subnet, I'll use 10.0.0.0/8, and assign every
    existing subnet a corresponding subnet from 10.0.0.0/8. In this case
    I'll assign 10.0.0.0/24 to A and 10.0.1.0/24 to B. Note the physical
    subnet does not change, instead what has changed is the address by
    which every subnet sees every other subnet. Every subnet continues to
    use its existing physical subnet but when communicating with another
    subnet it always uses the virtual/NAT subnet. For example when a PC
    192.168.1.x on A wants to talk with PC 192.168.1.y on B, it addresses
    the PC on B as 10.0.1.y since 10.0.1.0/24 is the virtual/NAT subnet
    for B. Thus the IP header would be :-

    IP(192.168.1.x,10.0.1.y)

    which the IPsec on A would NAT to be :-

    IP(10.0.0.x,192.168.1.y)

    and then add the IPsec header :-

    IP(100.100.100.1,200.200.200.1) | ESP | IP(10.0.0.x,192.168.1.y)

    The IPsec on B would strip off the outer IPsec header and then just
    forward the traffic :-

    IP(10.0.0.x,192.168.1.y)

    For the NAT approach to work you have to NAT everything consistently.
    Also it relies on A (and B) having ALG support for any protocols that
    embed IP addresses within the IP payload (e.g. FTP, SIP/SDP, ... etc.)
    and if any of the subnets contain servers that are identified using
    DNS then a separate DNS is required to contain the virtual/NAT IPs for
    the servers.
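The translation Stephen walks through above, as an added example that is not code from the original thread or from any of the posters. It models the two gateways as Python objects and replays one request from a PC on A to a PC on B and the reply back, so you can see the header at every hop and confirm that the address PC x sent to (10.0.1.y) is the address the reply comes back from. It also shows the two caveats from the post: a packet addressed to the far PC as 192.168.1.y never reaches the tunnel, and a payload that embeds a 192.168.1.x address (FTP PORT, SDP c= line) is left untranslated unless an ALG rewrites it. The virtual subnets (10.0.0.0/24 for A, 10.0.1.0/24 for B), the public addresses (100.100.100.1 and 200.200.200.1) and the host numbers 7 and 9 are taken from or assumed for the sake of the example.

```python
"""Model of 1:1 NAT in front of an IPsec tunnel for two sites that both use
192.168.1.0/24.  Added example, not the thread's own code.  Assumed values:
A's virtual subnet 10.0.0.0/24, B's 10.0.1.0/24, public addresses
100.100.100.1 / 200.200.200.1; packets are plain Python objects, not bytes."""
import ipaddress
import re
from dataclasses import dataclass

PHYSICAL = ipaddress.ip_network("192.168.1.0/24")   # the clashing subnet at both sites


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str = ""


@dataclass(frozen=True)
class EspPacket:
    """Outer IP header + ESP, wrapping the already-NATed inner packet."""
    outer_src: str
    outer_dst: str
    inner: Packet


def translate(addr, from_net, to_net):
    """1:1 mapping: keep the host part of addr, swap the network part."""
    a = ipaddress.ip_address(addr)
    if a not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host = int(a) - int(from_net.network_address)
    return str(to_net.network_address + host)


class Gateway:
    """One site's IPsec gateway with 1:1 NAT applied on the tunnel side."""

    def __init__(self, public_ip, my_virtual, peer_public, peer_virtual):
        self.public_ip = public_ip
        self.peer_public = peer_public
        self.my_virtual = ipaddress.ip_network(my_virtual)
        self.peer_virtual = ipaddress.ip_network(peer_virtual)

    def lan_to_tunnel(self, pkt):
        """NAT src physical->own virtual and dst peer-virtual->physical, then
        encapsulate in ESP.  Only traffic for the peer's virtual subnet ever
        arrives here: a host that addresses the far PC as 192.168.1.y sees a
        local destination and the packet never leaves its own LAN."""
        if ipaddress.ip_address(pkt.dst) not in self.peer_virtual:
            raise ValueError(f"{pkt.dst} is not in the peer's virtual subnet")
        nated = Packet(translate(pkt.src, PHYSICAL, self.my_virtual),
                       translate(pkt.dst, self.peer_virtual, PHYSICAL),
                       pkt.payload)
        return EspPacket(self.public_ip, self.peer_public, nated)

    def tunnel_to_lan(self, esp):
        """Strip the outer header and forward the inner packet unchanged."""
        if esp.outer_dst != self.public_ip:
            raise ValueError("outer header is not addressed to this gateway")
        return esp.inner


def reaches_tunnel(gw, pkt):
    """True if gw would forward pkt into the tunnel at all."""
    try:
        gw.lan_to_tunnel(pkt)
        return True
    except ValueError:
        return False


def embedded_physical_addresses(payload):
    """Addresses from the physical subnet that sit inside the payload (dotted,
    or comma-separated as in an FTP PORT command).  NAT only rewrites the IP
    header, so these are exactly what an ALG would have to fix up."""
    found = []
    for tok in re.findall(r"\d{1,3}[.,]\d{1,3}[.,]\d{1,3}[.,]\d{1,3}", payload):
        try:
            dotted = tok.replace(",", ".")
            if ipaddress.ip_address(dotted) in PHYSICAL:
                found.append(dotted)
        except ValueError:
            pass
    return found


def round_trip(x=7, y=9):
    """PC .x at A talks to PC .y at B (addressed as 10.0.1.y) and gets a reply.
    Returns the (src, dst) header pair seen at each hop."""
    gw_a = Gateway("100.100.100.1", "10.0.0.0/24", "200.200.200.1", "10.0.1.0/24")
    gw_b = Gateway("200.200.200.1", "10.0.1.0/24", "100.100.100.1", "10.0.0.0/24")

    req = Packet(f"192.168.1.{x}", f"10.0.1.{y}", "hello")
    esp = gw_a.lan_to_tunnel(req)            # A: NAT both addresses, then ESP
    at_b = gw_b.tunnel_to_lan(esp)           # B: decapsulate and forward as-is

    rep = Packet(at_b.dst, at_b.src, "reply")  # PC y answers the address it saw
    at_a = gw_a.tunnel_to_lan(gw_b.lan_to_tunnel(rep))
    return {
        "sent_by_x": (req.src, req.dst),
        "outer_on_wire": (esp.outer_src, esp.outer_dst),
        "inner_on_wire": (esp.inner.src, esp.inner.dst),
        "delivered_at_b": (at_b.src, at_b.dst),
        "reply_delivered_at_a": (at_a.src, at_a.dst),
    }


if __name__ == "__main__":
    for hop, hdr in round_trip().items():
        print(f"{hop:22s} IP{hdr}")
```

Running it prints the same header sequence as the post: IP(192.168.1.7, 10.0.1.9) from the PC, IP(10.0.0.7, 192.168.1.9) inside ESP between 100.100.100.1 and 200.200.200.1, and the reply arriving at A as IP(10.0.1.9, 192.168.1.7). Both gateways must apply the same mapping for this to hold, which is the "NAT everything consistently" point, and the DNS remark follows directly: a name that resolves to 192.168.1.9 is useless from site A, it has to resolve to 10.0.1.9 there.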

  4. #4
    Svend
    Guest

    Re: IPSec as solution to subnet problem

    DustWolf wrote:
    > Hello,
    >
    > I am a network admin for a small company and am looking at a problem:
    > I need to find a solution for our employees connecting from different
    > locations around the world, to our company LAN, one way or another.
    >
    > We have been using PPTP (as built-in in windows) thus far, but our
    > problem is that people sometimes make connections from subnets that
    > match our subnet (the "192.168.0.x problem") and we cannot really
    > afford to change either. I have read that setting up a VPN-like
    > solution through IPSec would overcome the problem. Is this true?
    >
    > I understand there are some issues like certificate deployment, but I
    > do not believe this could be a problem considering the point that all
    > company computers start their life in my office. I am not too eager to
    > go for any extra commercial solutions and am hoping to be able to use
    > what we already have (windows server ISA / windows XP workstations).
    >
    > Can IPSec tunnels also be used to link LANs (two LANs filled with
    > workstations, same subnet, two machines used as gateways for N-way
    > communication)?
    >
    > Thanks for any help in advance.



    Yes, I think that some IPsec routers can do that. I think that Cisco
    is one of them. Have a look at Source NAT and Destination NAT.

    --
    Svend

