
Forums before death by AOL, social media and spammers... "We can't have nice things"

   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 2,259 of 2,348   
   Stephen J. Bevan to DustWolf   
   Re: IPSec as solution to subnet problem   
   25 May 08 12:17:23   
   
   0cc4cee4   
   From: stephen@dino.dnsalias.com   
      
   DustWolf  writes:   
   > Can IPSec tunnels also be used to link LANs (two LANs filled with   
   > workstations, same subnet, two machines used as gateways for N-way   
   > communication)?   
      
   As Mike noted you have to re-number something.  Either re-number one   
   or more of the subnets or, if you don't want to change the physical   
   subnet, then change it virtually by using 1:1 NAT.  Changing the   
   physical subnet may be painful but if at all possible that's what I'd   
   do.  NAT is something of a last resort when you absolutely cannot   
   change the physical subnet.   
      
   The following explains how NAT would work in case "use 1:1 NAT" still   
   left you wondering how it is done.  In the simplest case where you   
   have two identical subnets at two sites that want to talk to each   
   other :-   
      
     192.168.1.1/24   
         A   
     100.100.100.1   
         |   
      internet   
         |   
     200.200.200.1   
         B   
     192.168.1.1/24   
      
   Then pick some other subnet, I'll use 10.0.0.0/8, and assign every   
   existing subnet a corresponding subnet from 10.0.0.0/8.  In this case   
   I'll assign 10.0.0.0/24 to A and 10.0.1.0/24 to B.  Note the physical   
   subnet does not change, instead what has changed is the address by   
   which every subnet sees every other subnet.  Every subnet continues to   
   use its existing physical subnet but when communicating with another   
   subnet it always uses the virtual/NAT subnet.  For example when a PC   
   192.168.1.x on A wants to talk with PC 192.168.1.y on B, it addresses   
   the PC on B as 10.0.1.y since 10.0.1.0/24 is the virtual/NAT subnet   
   for B.  Thus the IP header would be :-   
      
     IP(192.168.1.x,10.0.1.y)   
      
   which the IPsec on A would NAT to be :-   
      
     IP(10.0.0.x,192.168.1.y)   
      
   and then add the IPsec header :-   
      
     IP(100.100.100.1,200.200.200.1) | ESP | IP(10.0.0.x,192.168.1.y)   
      
   The IPsec on B would strip off the outer IPsec header and then just   
   forward the traffic :-   
      
     IP(10.0.0.x,192.168.1.y)   
      
   For the NAT approach to work you have to NAT everything consistently.   
   Also it relies on A (and B) having ALG support for any protocols that   
   embed IP addresses within the IP payload (e.g. FTP, SIP/SDP, ... etc.)   
   and if any of the subnets contain servers that are identified using   
   DNS then a separate DNS is required to contain the virtual/NAT IPs for   
   the servers.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
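The address rewriting described in the post above, worked through as an added example (this is not code from the original message or from any IPsec implementation). It models gateway A and gateway B as objects holding the physical subnet, the virtual/NAT subnet assigned to each side, and the tunnel endpoints from the diagram; the host numbers .7 and .9 stand in for the x and y of the post and are constructed values. It carries the request from A to B and the reply back, which shows why the NAT has to be applied consistently in both directions, and it includes a simple check for the ALG caveat: a payload that carries a physical address in text form (an SDP "c=" line is the constructed sample) would leak an address that means nothing on the other side.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    """Inner IP header plus payload, written IP(src,dst) in the post."""
    src: IPv4Address
    dst: IPv4Address
    payload: bytes = b""


@dataclass(frozen=True)
class EspPacket:
    """Outer IP header (tunnel endpoints) | ESP | inner packet."""
    outer_src: IPv4Address
    outer_dst: IPv4Address
    inner: Packet


def remap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """1:1 NAT: keep the host part of addr, swap the network part."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized subnets")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


@dataclass
class Gateway:
    """One IPsec gateway doing 1:1 NAT before encapsulation (hypothetical model)."""
    public_ip: IPv4Address
    local_physical: IPv4Network   # what hosts behind this gateway really use
    local_virtual: IPv4Network    # how the peer side sees those hosts
    peer_public_ip: IPv4Address
    peer_physical: IPv4Network    # what hosts behind the peer really use
    peer_virtual: IPv4Network     # how this side addresses the peer's hosts

    def outbound(self, pkt: Packet) -> EspPacket:
        # A local host addresses a remote host by its virtual address;
        # rewrite src to our virtual subnet and dst to the peer's physical one.
        nat_src = remap(pkt.src, self.local_physical, self.local_virtual)
        nat_dst = remap(pkt.dst, self.peer_virtual, self.peer_physical)
        inner = Packet(nat_src, nat_dst, pkt.payload)
        return EspPacket(self.public_ip, self.peer_public_ip, inner)

    def inbound(self, esp: EspPacket) -> Packet:
        # Strip the outer header and forward the inner packet unchanged.
        if esp.outer_src != self.peer_public_ip or esp.outer_dst != self.public_ip:
            raise ValueError("outer header does not match the tunnel peer")
        if esp.inner.dst not in self.local_physical:
            raise ValueError("decapsulated packet is not addressed to this LAN")
        return esp.inner


DOTTED_QUAD = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def embeds_physical_address(pkt: Packet, physical: IPv4Network) -> bool:
    """True if the payload carries a physical-subnet address in text form,
    i.e. the protocol needs an ALG for the NAT to be transparent."""
    for match in DOTTED_QUAD.findall(pkt.payload):
        try:
            if IPv4Address(match.decode()) in physical:
                return True
        except ValueError:
            continue
    return False


def build_sites():
    """The two sites from the post: identical 192.168.1.0/24 LANs,
    A seen as 10.0.0.0/24 and B seen as 10.0.1.0/24 (constructed values)."""
    lan = IPv4Network("192.168.1.0/24")
    a_virt, b_virt = IPv4Network("10.0.0.0/24"), IPv4Network("10.0.1.0/24")
    a_pub, b_pub = IPv4Address("100.100.100.1"), IPv4Address("200.200.200.1")
    gw_a = Gateway(a_pub, lan, a_virt, b_pub, lan, b_virt)
    gw_b = Gateway(b_pub, lan, b_virt, a_pub, lan, a_virt)
    return gw_a, gw_b


def round_trip(gw_a: Gateway, gw_b: Gateway, x: int = 7, y: int = 9):
    """Request from 192.168.1.x on A to B's host y (addressed as 10.0.1.y),
    then the reply, returning every packet as seen on the wire."""
    request = Packet(IPv4Address(f"192.168.1.{x}"), IPv4Address(f"10.0.1.{y}"))
    esp_ab = gw_a.outbound(request)            # IP(10.0.0.x,192.168.1.y) inside ESP
    delivered = gw_b.inbound(esp_ab)           # forwarded as-is onto B's LAN
    reply = Packet(delivered.dst, delivered.src)  # host y answers 10.0.0.x
    esp_ba = gw_b.outbound(reply)              # IP(10.0.1.y,192.168.1.x) inside ESP
    returned = gw_a.inbound(esp_ba)            # lands back on 192.168.1.x
    return request, esp_ab, delivered, esp_ba, returned


if __name__ == "__main__":
    a, b = build_sites()
    for step in round_trip(a, b):
        print(step)
```

The `remap` check that the destination is inside the peer's virtual subnet is the point of the whole scheme: a host on A that tried to reach a B host by its physical 192.168.1.y address would never reach the gateway, since that address is local, which is exactly why the virtual subnet exists.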
