VPN with 2 Networks with the same IP address range.

Is there a way to have a VPN between two networks that have the same IP address scheme?
Example
Network A is 192.168.1.x and Network B is 192.168.1.x

We have a SONICWALL TZ170 3.X Enhanced on one end and a Fortigate 50B on the other end.
RickEpnetAsked:
 
decoleurCommented:
actually this is done all of the time when two companies need to communicate but share the same ip space. the trick is to use NAT to translate the hosts of interest on the other network to a unique ip space to distinguish local traffic from traffic that needs to be routed to another network.

here is an example of doing this with cisco routers http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Ftech%2Ftk648%2Ftk361%2Ftechnologies_configuration_example09186a0080093f30.shtml&pos=1&strqueryid=&websessionid=BPqn2e5BiUXlx1rIm1VfNg0  and firewalls https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1043610, most of them have feature parity so i am pretty sure that you will be able to find a solution for this.

hope this helps,

-t
0
 
imadimadCommented:
Hi
I can think of only one way to do that which is segmenting the network.
0
 
RickEpnetAuthor Commented:
What do you mean or how do you do that?
0
 
imadimadCommented:
You do that via subnetting, so the subnet will be 255.255.255.168; this will give you two networks. For more details see

| CIDR notation | Network Mask | Available Networks | Available Hosts per network | Total usable hosts |
|---|---|---|---|---|
| /24 | 255.255.255.0 | 1 | 254 | 254 |
| /25 | 255.255.255.128 | 2 | 126 | 252 |
| /26 | 255.255.255.192 | 4 | 62 | 248 |
| /27 | 255.255.255.224 | 8 | 30 | 240 |
| /28 | 255.255.255.240 | 16 | 14 | 224 |
| /29 | 255.255.255.248 | 32 | 6 | 192 |
| /30 | 255.255.255.252 | 64 | 2 | 128 |
| /31 | 255.255.255.254 | 128 | 2 * | 256 |

For more details see http://en.wikipedia.org/wiki/Subnetwork
Also there is a lot of information on the internet.
0
 
nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Well, you will have one problem with doing this. What happens when two devices on either subnet have the same IP address but a different mask? Which way should traffic then be routed?

I am not sure how many devices you have on either network but this will pose a problem if duplicate IPs appear with different subnets.

The bottom line would be to change either network's IP range.
0
 
Rick_O_ShayCommented:
You could use something like L2TPv3 over IPSEC or GRE over IPSEC if either is supported by both VPN routers.
0
 
deimarkCommented:
Double nat seems to be a popular choice. There have been quite a few questions about that topic on EE so have another look for the specific vendor you need.

Personally I have done this on check point and the theory applies to most vendors.

HTH
0
 
theonlyallanCommented:
Yes, it's possible by subnetting. If you do that, what happens when your network grows? It's not recommended nor best practice to use the same IP scheme in both locations.

I would recommend: 192.168.1.0/24 at location#1, and 192.168.2.0/24 at location#2
0
 
RickEpnetAuthor Commented:
theonlyallan yes that is exactly what I would have done if I could have. That was not an option.
0
 
deimarkCommented:
Try double nat.

As per decoleur above, NAT each "home" net behind another unique network when talking to the other "home" net.

example

If you have 2 nets of 192.168.1.0/24 at each remote site and you want to have a VPN between them, you will need to change the address of both remote nets to make sure there are no routing or VPN issues.

The theory is that you create 2 new nets, 1 for each site and then NAT the traffic destined for the other remote site, BEHIND the new unique net. You can do this at each end and thus have unique addresses at each end to bring up the VPN.

So we have site 1 and site 2

Both sites have the remote net of 192.168.1.0/24
Site 1 will have a nat network of 10.1.1.0/24 and site 2 will have a nat network 10.2.2.0/24

When site 1 wants to talk to the remote net on site 2, it will NAT its own network behind 10.1.1.0/24 and have the destination address of 10.2.2.0/24. And vice versa.

As long as you have the full network natted or just a single address to nat behind, it will work.

I would love to be more specific with examples, but I am not at work at the moment and the juniper KB seems to be down hehe.

HTH
0
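The double-NAT scheme described in the comment above, traced for a single packet in each direction. This is an added example, not part of the thread: it only models the 1:1 address translation with the networks named there, the function names are hypothetical, and it is not SonicWall or Fortigate configuration.

```python
import ipaddress

REAL_LAN = ipaddress.ip_network("192.168.1.0/24")   # same range at both sites (from the thread)
NAT_NET = {"site1": ipaddress.ip_network("10.1.1.0/24"),
           "site2": ipaddress.ip_network("10.2.2.0/24")}

def netmap(addr, src_net, dst_net):
    """1:1 map: keep the host bits of addr, swap the src_net prefix for dst_net."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)

def check_plan():
    """The NAT networks must not overlap the real LAN or each other."""
    nets = [REAL_LAN, *NAT_NET.values()]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def send(src_site, src_real, dst_nat):
    """Follow one packet from a host at src_site to the far site.
    Returns (src, dst) on the local LAN, inside the tunnel, and on the far LAN."""
    dst_site = "site2" if src_site == "site1" else "site1"
    dst_nat = ipaddress.ip_address(dst_nat)
    if dst_nat not in NAT_NET[dst_site]:
        raise ValueError("destination must be the far site's NAT address")
    on_lan = (ipaddress.ip_address(src_real), dst_nat)
    # Local gateway: source NAT, real LAN -> this site's NAT network.
    in_tunnel = (netmap(src_real, REAL_LAN, NAT_NET[src_site]), dst_nat)
    # Remote gateway: destination NAT, its NAT network -> its real LAN.
    delivered = (in_tunnel[0], netmap(dst_nat, NAT_NET[dst_site], REAL_LAN))
    return [tuple(str(x) for x in hop) for hop in (on_lan, in_tunnel, delivered)]

if __name__ == "__main__":
    assert check_plan()
    # Host .10 at site 1 reaches host .10 at site 2 by addressing 10.2.2.10.
    for hop in send("site1", "192.168.1.10", "10.2.2.10"):
        print(hop)
```

Inside the tunnel both addresses come from the unique 10.x networks, so the VPN selectors and routes at each end never see 192.168.1.0/24 on both sides.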
 
deimarkCommented:
Aha, found it at last

http://kb.juniper.net/KB5346

Has more info bud
0
Question has a verified solution.
