ITLighthouse asked:
VPN to remote network on same subnet as local network

Hi,

My local subnet is 10.0.1.x and I'm trying to establish a dial-up vpn connection to a network that is also a 10.0.1.x subnet.  I connect fine but can't access any resources on the remote subnet - which is expected.  All the research I've done says it's best to change one of the subnets - and I agree, but does anyone know if there are any work-arounds without changing one of the subnets?  Some have said it is possible to add a static route to get it to work, but they don't give details, or the instructions they give don't apply to my specific situation.  If my local subnet is 10.0.1.x and I'm assigned 10.0.1.210 from the vpn connection, and I want to communicate with 10.0.1.6 that is on the remote subnet, how can I tell XP to route traffic destined to 10.0.1.6 through the vpn gateway?  Right now it assumes that 10.0.1.6 is on the local subnet so it doesn't forward packets to the gateway.

I've tried "route add 10.0.1.6 mask 255.255.255.255 10.0.1.210" but it gives an error.

Is there any way around this for those rare instances when both are on the same subnet and you can't change the ip scheme?

Thanks.
saw830

Hi ITLighthouse,

Short answer is "No. You must have separate address space for each network." Imagine a telephone system where sometimes different people had the same number. What a mess.

Hope this helps,
Alan
Rob Williams
Afraid a very basic rule with VPNs is both subnets must be different. The problem is the routing devices do not know to which subnet to send the packets, local or remote, if they are the same.
You have not specified how your VPN has been created, but it sounds like you may be using a Windows VPN server and client. If so, sometimes the Windows VPN client will allow you to connect to the remote VPN server by forcing all traffic through the VPN default gateway. A route is not needed, but you do need to make sure the "use default gateway" option is enabled (this actually creates the route). It is enabled by default, but make sure it is checked. This may not work for you, but does in some situations:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
What kind of VPN are you using?
"yes" if you are using a Cisco site-to-site VPN
ITLighthouse (asker)
Thanks for the responses.  

Typically, our clients have a firewall\router that passes vpn requests to a Windows server configured for Routing and Remote Access.  The type of vpn is pptp and we use the native windows dial-up from XP to establish the connection.  We use this method for remote support and travel around a lot.  Sometimes the LAN we're on happens to be the same subnet as the network of a client we need to connect to.  Some forums I've seen talk about using the route command to create a peer-to-peer static route - saying that it is the only way around the problem.  Supposedly, in XP you can create a static route to tell it to route to a specific IP using a different gateway.

I've tried the "use default gateway on remote network" both ways and get the same result.
ASKER CERTIFIED SOLUTION
Rob Williams
Policy-based NAT should allow you to do that if your devices are capable of doing that.

Cheers,
Rajesh
Ok, so I accept the answer that what I want to do is not possible.  But I'm still curious about what is said on a few forums I found such as the following:  
http://marc.theaimsgroup.com/?l=vpn&m=110267670712032&w=2

The impression I get is that while you can use XP's route command to create a route to a specific network, you can also use it to create a route to a specific host - some have called it peer to peer routing.  Basically you specify the ip of the host, a 32 bit mask (which is default if you don't specify a mask) and the gateway to reach that host.  

I suppose that even if I was able to pass local packets along a different route, the server on the other end would need the same modification to know where to route the response. Otherwise, it would think the target was on its local network.
There are a series of issues at play, but all relate to "confusion" as to where to send the packets, when the subnets are similar.
Before going any further, is 10.0.1.6 the VPN server? If not, one additional issue is that if the packet reaches the remote device it will reply to the default gateway, not the VPN client, and the packet is lost.

The proper solution to your problem is to change the corporate site to something less common, as difficult a task as that might be. However, I wouldn't think 10.0.1.0 is that common, at least not like 192.168.0-2.0 or 10.0.0.0.
10.0.1.6 is not the vpn server, it's just another server on the network.  At this particular client, a PIX firewall acts as the vpn endpoint.  The reason I was asking was because I was at a particular site and would have liked to access that server to make a quick configuration change remotely, but the location I was at happened to be on the same subnet as the remote location I needed to connect to.  I was just looking for a quick and dirty way to connect to that server while at that location.  The proper solution is to change one of the subnets, but I wasn't going to do that just for a one-time convenience.

If there was a solution, I figured it would be an handy little "trick" in case I run into a similar situation in the future since I travel a lot and do a lot of remote support.

Thanks anyway.
The PIX endpoint could be configured to work with the situation, but given that you are using MS PPTP client you have some other options, namely the route add option.
You can try this after connecting to the VPN
c:\>ipconfig  <== note the IP address of your VPN connection
c:\>route add 10.0.1.6 mask 255.255.255.255 10.0.1.xx  <== where .xx is your own VPN connection IP

This assumes that your VPN client is also a 10.0.1.x IP address....
Would have been good to know sooner this was a Pix/Cisco VPN, as none of my above comments are related to your configuration, other than the concept.
Perhaps some of the others more familiar with Cisco configurations have a work around. As a rule it is not recommended or possible, but some of the above imply under certain circumstances it may be possible.

I have no problem with you asking the moderators to re-open the question and remove "accepted" from the comment above.
https://www.experts-exchange.com/help.jsp#hi17
Yes, the route add command is exactly what I was curious about.  I've tried exactly what you said already, and it gives an error.   BTW... you don't need to specify a mask if you want a 32 bit mask - it is default.

Thanks anyway.
Sorry lrmoore, didn't refresh. Hoping you or Rajesh would jump in.
--Rob
RobWill, this is our only client that has a PIX firewall.  I was looking for a general solution that would work for a variety of situations.  Your comments confirmed what I already suspected.  Any thoughts on what lrmoore said?  That is what I tried in the first place and it didn't work.
>>"Any thoughts on what lrmoore said? "
lrmoore is the master !  I voice opinions, he speaks from the VPN gospels <G>, especially when Cisco is being discussed. Rajesh, is right up there too, in the Cisco world.
In my experience what you want to do is not possible, at least on the configurations I have worked on. Only contacting the VPN server itself with the Windows VPN configuration has ever worked for me. Having said that, my knowledge of Cisco is limited to some very basic configurations, so it may be configurable.
Ok, let's forget I said anything about Cisco.  What about the route add command?  After connected to the vpn I tried "route add 10.0.1.6 mask 255.255.255.255 10.0.1.210" and it wouldn't take.  It said parameter is invalid.
Personally I don't see where the route on the client machine is necessary. Your VPN can be configured with or without split-tunneling. Split-tunneling allows access to the local and remote networks simultaneously. Most clients, and most sys admins, do not enable split tunneling as there are huge security risks in doing so. Checking the box on the "default gateway option" on the Windows client disables split tunneling.
If Split-tunneling is enabled, you cannot contact the remote network as the subnets are the same and with the local network accessible, all traffic will not leave the local network.
If split-tunneling is not enabled, ALL traffic will be forced to the remote network through the VPN default gateway (10.0.1.210) regardless. Connect the VPN and do a tracert, you should see this.
Once the packet is sent over the tunnel, however, the reply will likely not be sent to the client machine but rather to the corporate network's default gateway. Therefore, in my opinion you would need the route on that machine pointing to the remote client:
route add 10.0.1.210 mask 255.255.255.255 <corporate VPN gateway>
However, that is just an opinion, and if it were to work, I don't see it as terribly useful unless all clients have a static IP, and there is a route for each client.
Connect to VPN, then post result of
c:\>ipconfig
c:\>route print
As requested...

[IPCONFIG]
Windows IP Configuration
Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.1.150
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.1.1

PPP adapter MTC VPN:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.1.210
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 10.0.1.210

[ROUTE PRINT]
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 9d 46 08 44 ...... National Semiconductor Corp. DP83815/816 10/100
MacPhyter PCI Adapter - Packet Scheduler Miniport
0x80004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1      10.0.1.150       21
          0.0.0.0          0.0.0.0       10.0.1.210      10.0.1.210       1
         10.0.1.0    255.255.255.0       10.0.1.150      10.0.1.150       20
       10.0.1.150  255.255.255.255        127.0.0.1       127.0.0.1       20
       10.0.1.210  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255       10.0.1.150      10.0.1.150       20
   10.255.255.255  255.255.255.255       10.0.1.210      10.0.1.210       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
(public ip of remote host)  255.255.255.255         10.0.1.1      10.0.1.150       20
        224.0.0.0        240.0.0.0       10.0.1.150      10.0.1.150       20
        224.0.0.0        240.0.0.0       10.0.1.210      10.0.1.210       1
  255.255.255.255  255.255.255.255       10.0.1.150      10.0.1.150       1
  255.255.255.255  255.255.255.255       10.0.1.210      10.0.1.210       1
Default Gateway:        10.0.1.210
===========================================================================
Persistent Routes:
  None
You should be able to add:
C:\>route add 10.0.1.0 mask 255.255.255.0 10.0.1.210 metric 1
OR:
C:\>route add 10.0.1.6 mask 255.255.255.255 10.0.1.210
lrmoore,

Neither command works after the vpn is connected.  The error is:
"The route addition failed: The parameter is incorrect."

I can, however, add those routes before the vpn is connected, then establish the vpn, but I am still unable to communicate with the remote network.

Any other ideas?
It was a shot in the dark anyway . . .
I was following a logical path of what you thought you had read would work with a route statement. Obviously it doesn't work.
I'm out of ideas.
Interesting, playing with a PPTP connection and route print here, the "route add 10.0.1.0 mask 255.255.255.0 10.0.1.210" is automatically applied when you un-check "use remote gateway"; however, of course, if the subnets were the same you wouldn't be able to connect to anything remotely.

As mentioned earlier, the only real solution is to change the subnet at one site, preferably the VPN server end.
Thanks for the suggestions everyone.
Indeed the last proposed solution works. Thank you, RobWill.

The solution is to uncheck "Use default gateway on remote network" in Connection properties -> Network -> TCP/IP -> Advanced.  
When that option is unchecked consequences are:
- computers in local network aren't reachable, instead computers on other side of VPN connection are reachable.
- all other network traffic to the Internet is not routed via the VPN connection, i.e. the old real gateway is used; http://whatismyip.com shows the IP address supplied by your ISP.

When that option is checked consequences are:
- computers in local network are reachable, but computers on the other side of VPN connection are not reachable.
- all other network traffic to Internet is routed via VPN connection. http://whatismyip.com shows the destination IP address of VPN connection.
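The two consequence lists above, the route print posted earlier in the thread, and Rob Williams' point about the reply path can all be walked through mechanically with the rule Windows uses to pick a route: longest prefix first, lowest metric among equal prefixes. The following Python is an added example, not code from the thread. It transcribes the posted route table (abridged to the entries that matter), builds the "unchecked" variant from Rob's description (the metric on the added /24 entry is an assumption), and constructs a table for the remote server 10.0.1.6 with an assumed default gateway of 10.0.1.1 and an assumed VPN endpoint inside address of 10.0.1.254.

```python
"""Route-table walk for the overlapping-subnet VPN problem in this thread.

Added example, not from the thread.  CLIENT_CHECKED is transcribed from the
asker's route print (abridged); CLIENT_UNCHECKED and the remote server tables
are constructed from Rob Williams' description and are assumptions, not
captured output.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # next hop; equals the interface address for on-link routes
    interface: str    # address of the adapter the packet leaves on
    metric: int


def route(dest, mask, gateway, interface, metric):
    """Build a Route from the columns of Windows 'route print'."""
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, interface, metric)


def lookup(table, dst):
    """Longest-prefix match; among equally long prefixes the lowest metric wins.

    This is why the LAN's /24 entry beats the VPN default route for 10.0.1.6
    even though the default route has metric 1.
    """
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_interface(table, dst):
    """Interface address a packet to dst leaves on (None if unroutable)."""
    r = lookup(table, dst)
    return r.interface if r else None


def next_hop(table, dst):
    """Gateway a packet to dst is handed to (None if unroutable)."""
    r = lookup(table, dst)
    return r.gateway if r else None


# Client with "Use default gateway on remote network" CHECKED, as posted.
CLIENT_CHECKED = [
    route("0.0.0.0", "0.0.0.0", "10.0.1.1", "10.0.1.150", 21),          # LAN gateway
    route("0.0.0.0", "0.0.0.0", "10.0.1.210", "10.0.1.210", 1),         # VPN default
    route("10.0.1.0", "255.255.255.0", "10.0.1.150", "10.0.1.150", 20), # LAN on-link
    route("10.0.1.150", "255.255.255.255", "127.0.0.1", "127.0.0.1", 20),
    route("10.0.1.210", "255.255.255.255", "127.0.0.1", "127.0.0.1", 50),
]

# Option UNCHECKED.  Rob reports Windows then installs
# "route add 10.0.1.0 mask 255.255.255.0 10.0.1.210" in place of the VPN
# default route; metric 1 on that entry is an assumption.
CLIENT_UNCHECKED = [
    route("0.0.0.0", "0.0.0.0", "10.0.1.1", "10.0.1.150", 21),
    route("10.0.1.0", "255.255.255.0", "10.0.1.210", "10.0.1.210", 1),
    route("10.0.1.0", "255.255.255.0", "10.0.1.150", "10.0.1.150", 20),
    route("10.0.1.150", "255.255.255.255", "127.0.0.1", "127.0.0.1", 20),
    route("10.0.1.210", "255.255.255.255", "127.0.0.1", "127.0.0.1", 50),
]

# Remote server 10.0.1.6 (constructed): same /24 on its LAN, assumed default
# gateway 10.0.1.1, assumed VPN endpoint inside address 10.0.1.254.
REMOTE_SERVER = [
    route("0.0.0.0", "0.0.0.0", "10.0.1.1", "10.0.1.6", 20),
    route("10.0.1.0", "255.255.255.0", "10.0.1.6", "10.0.1.6", 20),
]
# The same server with the host route Rob suggests for the reply path.
REMOTE_SERVER_WITH_HOST_ROUTE = REMOTE_SERVER + [
    route("10.0.1.210", "255.255.255.255", "10.0.1.254", "10.0.1.6", 1),
]


if __name__ == "__main__":
    for name, table in (("checked", CLIENT_CHECKED), ("unchecked", CLIENT_UNCHECKED)):
        for dst in ("10.0.1.6", "10.0.1.50", "8.8.8.8"):
            print(f"{name:9} {dst:10} -> leaves via {egress_interface(table, dst)}")
    print("server reply to 10.0.1.210  -> next hop", next_hop(REMOTE_SERVER, "10.0.1.210"))
    print("   with /32 host route      -> next hop",
          next_hop(REMOTE_SERVER_WITH_HOST_ROUTE, "10.0.1.210"))
```

Run as a script, it prints which interface a packet to the remote server (10.0.1.6), to a local machine (10.0.1.50, constructed) and to the Internet would leave on under each setting; the two client tables reproduce the four bullet points above. The server table shows the other half of the problem: with a shared /24 the reply to 10.0.1.210 stays on the remote LAN, and only a more specific /32 host route sends it back toward the VPN endpoint.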


The only solution that would work would be to add another device on the local side to change the IP address to be different from the remote network.

One way of doing so is to add a router between the connection.
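What such an intermediate device would have to do is translate addresses on both sides so that neither end sees the overlapping 10.0.1.0/24, which is the same idea as the policy-based NAT Rajesh mentions earlier in the thread. The following Python is an added example, not from the thread and not a configuration for any particular router; the alias prefixes 10.0.98.0/24 (for VPN clients, as the remote site sees them) and 10.0.99.0/24 (for the remote site, as clients address it) are constructed values.

```python
"""Two-sided static NAT sketch for a device placed between overlapping /24s.

Added example, not from the thread.  Alias prefixes are constructed.
"""
import ipaddress

REMOTE_REAL = ipaddress.IPv4Network("10.0.1.0/24")    # remote site's real addressing
REMOTE_ALIAS = ipaddress.IPv4Network("10.0.99.0/24")  # how VPN clients address it
CLIENT_REAL = ipaddress.IPv4Network("10.0.1.0/24")    # VPN clients' real addressing
CLIENT_ALIAS = ipaddress.IPv4Network("10.0.98.0/24")  # how the remote site sees them


def _map(addr, from_net, to_net):
    """Move addr from one /24 to the other, keeping the host part; pass
    through anything outside from_net untouched."""
    a = ipaddress.IPv4Address(addr)
    if a not in from_net:
        return addr
    return str(to_net.network_address + (int(a) - int(from_net.network_address)))


def client_to_remote(pkt):
    """Packet arriving from the VPN: client 10.0.1.x -> 10.0.98.x,
    destination alias 10.0.99.y -> real host 10.0.1.y."""
    return {"src": _map(pkt["src"], CLIENT_REAL, CLIENT_ALIAS),
            "dst": _map(pkt["dst"], REMOTE_ALIAS, REMOTE_REAL)}


def remote_to_client(pkt):
    """Reply from the remote LAN: source 10.0.1.y -> alias 10.0.99.y,
    destination 10.0.98.x -> real client 10.0.1.x."""
    return {"src": _map(pkt["src"], REMOTE_REAL, REMOTE_ALIAS),
            "dst": _map(pkt["dst"], CLIENT_ALIAS, CLIENT_REAL)}


def reply_leaves_remote_lan(reply):
    """True when the remote host must hand its reply to a gateway instead of
    ARPing for it locally, i.e. the destination is outside its own /24."""
    return ipaddress.IPv4Address(reply["dst"]) not in REMOTE_REAL


def round_trip(client_ip, remote_alias_ip):
    """Addresses as seen on the remote LAN and back at the client for one
    request/reply pair."""
    request = {"src": client_ip, "dst": remote_alias_ip}
    on_remote_lan = client_to_remote(request)
    reply = {"src": on_remote_lan["dst"], "dst": on_remote_lan["src"]}
    return on_remote_lan, remote_to_client(reply)


if __name__ == "__main__":
    there, back = round_trip("10.0.1.210", "10.0.99.6")
    print("on remote LAN :", there)       # src 10.0.98.210 -> dst 10.0.1.6
    print("back at client:", back)        # src 10.0.99.6 -> dst 10.0.1.210
    print("reply leaves remote LAN:", reply_leaves_remote_lan(
        {"src": there["dst"], "dst": there["src"]}))
```

With this in place the client adds a route for 10.0.99.0/24 through the VPN, which no longer collides with its own LAN, and the remote server's reply is addressed to 10.0.98.210, which is off its subnet and therefore goes to its gateway rather than being lost on the local wire as described earlier in the thread.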
You can browse around the network if you use the FQDN when you look up your machine resources though. I have done this several times when I have had to work on clients with the same subnet as us.  That was from a workstation dialed into a client network.

Casey
Some devices/software support VPN bridging (this is what you want); most devices/software support VPN routing.

For TCP/IP:
Bridging = connecting two networks as if they are on the same subnet
Routing = connecting two networks that are on different subnets

Does this help?