RickEpnet
asked on
VPN with 2 Network with the same IP address range.
Is there a way to have a VPN between two networks that have the same IP address scheme?
Example
Network A is 192.168.1.x and Network B is 192.168.1.x
We have a SONICWALL TZ170 3.X Enhanced on one end and a Fortigate 50B on the other end.
ASKER
What do you mean or how do you do that?
You do that via subnetting, so the subnet will be 255.255.255.168; this will give you two networks. For more details see:
CIDR notation   Network mask      Available networks   Available hosts per network   Total usable hosts
/24             255.255.255.0     1                    254                           254
/25             255.255.255.128   2                    126                           252
/26             255.255.255.192   4                    62                            248
/27             255.255.255.224   8                    30                            240
/28             255.255.255.240   16                   14                            224
/29             255.255.255.248   32                   6                             192
/30             255.255.255.252   64                   2                             128
/31             255.255.255.254   128                  2 *                           256
For more details see http://en.wikipedia.org/wiki/Subnetwork
Also, there is a lot of information on the internet.
Well, you will have one problem with doing this. What happens when two devices on either subnet have the same IP address but a different mask? Which way should traffic then be routed?
I am not sure how many devices you have on either network, but this will pose a problem if duplicate IPs appear with different subnets.
The bottom line would be to change either network's IP range.
You could use something like L2TPv3 over IPSEC or GRE over IPSEC if either is supported by both VPN routers.
Double nat seems to be a popular choice. There have been quite a few questions about that topic on EE so have another look for the specific vendor you need.
Personally I have done this on check point and the theory applies to most vendors.
HTH
Yes, it's possible by subnetting. If you do that, what happens when your network grows? It's not recommended nor best practice to use the same IP scheme in both locations.
I would recommend: 192.168.1.0/24 at location#1, and 192.168.2.0/24 at location#2
ASKER
theonlyallan yes that is exactly what I would have done if I could have. That was not an option.
Try double nat.
As per decoleur above, NAT each "home" net behind another unique network when talking to the other "home" net.
example
If you have 2 nets of 192.168.1.0/24 at each remote site and you want to have a VPN between them, you will need to change the address of both remote nets to make sure there are no routing or VPN issues.
The theory is that you create 2 new nets, 1 for each site, and then NAT the traffic destined for the other remote site BEHIND the new unique net. You can do this at each end and thus have unique addresses at each end to bring up the VPN.
So we have site 1 and site 2
Both sites have the remote net of 192.168.1.0/24
Site 1 will have a nat network of 10.1.1.0/24 and site 2 will have a nat network 10.2.2.0/24
When site 1 wants to talk to the remote net on site 2, it will NAT its own network behind 10.1.1.0/24 and have the destination address of 10.2.2.0/24. And vice versa.
As long as you have the full network natted or just a single address to nat behind, it will work.
I would love to be more specific with examples, but I am not at work at the moment and the juniper KB seems to be down hehe.
HTH
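The double-NAT scheme described in the post above, worked through as an added example (not code from the thread or from any vendor): both sites keep 192.168.1.0/24, each firewall does a 1:1 network translation into its unique NAT network (10.1.1.0/24 and 10.2.2.0/24, the values from the post), and the VPN selectors are built from those NAT networks so they no longer overlap. The `netmap` helper and the address values are assumptions for illustration.

```python
import ipaddress

# Constructed values taken from the thread: both LANs overlap, each site
# fronts its LAN with a unique "NAT network" for traffic crossing the VPN.
SITE1_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE1_NAT = ipaddress.ip_network("10.1.1.0/24")
SITE2_LAN = ipaddress.ip_network("192.168.1.0/24")
SITE2_NAT = ipaddress.ip_network("10.2.2.0/24")


def netmap(addr, src_net, dst_net):
    """1:1 network NAT: keep the host bits, swap the network bits.

    Equal prefix lengths are required so every host maps to exactly one
    address and the translation can be reversed on the return path.
    """
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized networks")
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def site1_to_site2(src, dst):
    """Trace one packet from a site-1 LAN host to a site-2 host.

    src: real LAN address at site 1 (192.168.1.x)
    dst: the site-2 host as site 1 addresses it (10.2.2.x)
    Returns ((src, dst) inside the tunnel, (src, dst) as delivered at site 2).
    """
    # Site-1 firewall: source-NAT the LAN behind 10.1.1.0/24 before encryption.
    in_tunnel = (netmap(src, SITE1_LAN, SITE1_NAT), ipaddress.ip_address(dst))
    # Site-2 firewall: destination-NAT 10.2.2.x back to the real 192.168.1.x host.
    delivered = (in_tunnel[0], netmap(in_tunnel[1], SITE2_NAT, SITE2_LAN))
    return in_tunnel, delivered


def vpn_selectors():
    """Proxy IDs / traffic selectors each peer must use: NAT net <-> NAT net."""
    return {"site1": (SITE1_NAT, SITE2_NAT), "site2": (SITE2_NAT, SITE1_NAT)}


def selectors_overlap():
    """True if the tunnel selectors still collide (the original problem)."""
    local, remote = vpn_selectors()["site1"]
    return local.overlaps(remote)
```

Without the NAT layer the selectors would be 192.168.1.0/24 on both sides and `selectors_overlap()` would be true, which is why the tunnel cannot be brought up directly.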
I can think of only one way to do that which is segmenting the network.